packages/openvswitch
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-27827 and CVE-2015-8011

Browse Source
This commit is contained in:
wang_yue111 2021-03-30 16:49:18 +08:00
parent 794c002268
commit 62f6452a5a
3 changed files with 106 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
CVE-2015-8011.patch Normal file
View File

@ -0,0 +1,55 @@
From bb5a9937fa8e04e71052fb50e23894448d19678f Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.im>
Date: Thu, 12 Nov 2020 19:54:52 -0500
Subject: [PATCH] lldp: fix a buffer overflow when handling management address
TLV
Upstream commit:
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
Author: Vincent Bernat <vincent@bernat.im>
Date: Sun, 4 Oct 2015 01:50:38 +0200
lldp: fix a buffer overflow when handling management address TLV
When a remote device was advertising a too large management address
while still respecting TLV boundaries, lldpd would crash due to a buffer
overflow. However, the buffer being a static one, this buffer overflow
is not exploitable if hardening was not disabled. This bug exists since
version 0.5.6.
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/335
Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
lib/lldp/lldp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index 593c5e1c34..628d0f863d 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
case LLDP_TLV_MGMT_ADDR:
CHECK_TLV_SIZE(1, "Management address");
addr_str_length = PEEK_UINT8;
+ if (addr_str_length > sizeof(addr_str_buffer)) {
+ VLOG_WARN("too large management address on %s",
+ hardware->h_ifname);
+ goto malformed;
+ }
CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
PEEK_BYTES(addr_str_buffer, addr_str_length);
addr_length = addr_str_length - 1;
@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
break;
case LLDP_TLV_ORG:
- CHECK_TLV_SIZE(4, "Organisational");
+ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
PEEK_BYTES(orgid, sizeof orgid);
tlv_subtype = PEEK_UINT8;
if (memcmp(dot1, orgid, sizeof orgid) == 0) {

45
CVE-2020-27827.patch Normal file
View File

@ -0,0 +1,45 @@
From 78e712c0b1dacc2f12d2a03d98f083d8672867f0 Mon Sep 17 00:00:00 2001
From: Aaron Conole <aconole@redhat.com>
Date: Wed, 13 Jan 2021 10:47:19 -0500
Subject: [PATCH] lldp: do not leak memory on multiple instances of TLVs
Upstream commit:
commit a8d3c90feca548fc0656d95b5d278713db86ff61
Date: Tue, 17 Nov 2020 09:28:17 -0500
lldp: avoid memory leak from bad packets
A packet that contains multiple instances of certain TLVs will cause
lldpd to continually allocate memory and leak the old memory. As an
example, multiple instances of system name TLV will cause old values
to be dropped by the decoding routine.
Reported-at: https://github.com/openvswitch/ovs/pull/337
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Vulnerability: CVE-2020-27827
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
lib/lldp/lldp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307fb..18afbab9a7 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
b = xzalloc(tlv_size + 1);
PEEK_BYTES(b, tlv_size);
if (tlv_type == LLDP_TLV_PORT_DESCR) {
+ free(port->p_descr);
port->p_descr = b;
} else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+ free(chassis->c_name);
chassis->c_name = b;
} else {
+ free(chassis->c_descr);
chassis->c_descr = b;
}
break;

7
openvswitch.spec
View File

@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
URL: http://www.openvswitch.org/ URL: http://www.openvswitch.org/
Version: 2.12.0 Version: 2.12.0
License: ASL 2.0 and ISC License: ASL 2.0 and ISC
Release: 14 Release: 15
Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
Buildroot: /tmp/openvswitch-rpm Buildroot: /tmp/openvswitch-rpm
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
@ -15,6 +15,8 @@ Patch0002: 0002-Remove-unsupported-permission-names.patch
Patch0003: 0003-Fallback-to-read-proc-net-dev-on-linux.patch Patch0003: 0003-Fallback-to-read-proc-net-dev-on-linux.patch
Patch0004: CVE-2020-35498-pre.patch Patch0004: CVE-2020-35498-pre.patch
Patch0005: CVE-2020-35498.patch Patch0005: CVE-2020-35498.patch
Patch0006: CVE-2020-27827.patch
Patch0007: CVE-2015-8011.patch
Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted
BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
@ -238,6 +240,9 @@ exit 0
%doc README.rst NEWS rhel/README.RHEL.rst %doc README.rst NEWS rhel/README.RHEL.rst
%changelog %changelog
* Tue Mar 30 2021 wangyue <wangyue92@huawei.com> - 2.12.0-15
- fix CVE-2020-27827 and CVE-2015-8011
* Mon Mar 01 2021 wangyue <wangyue92@huawei.com> - 2.12.0-14 * Mon Mar 01 2021 wangyue <wangyue92@huawei.com> - 2.12.0-14
- fix CVE-2020-35498 - fix CVE-2020-35498