fix CVE-2020-27827 and CVE-2015-8011

2021-03-30 16:49:18 +08:00 · 2021-03-30 16:49:18 +08:00 · 62f6452a5a
commit 62f6452a5a
parent 794c002268
3 changed files with 106 additions and 1 deletions
--- a/CVE-2015-8011.patch
+++ b/CVE-2015-8011.patch
@ -0,0 +1,55 @@
+From bb5a9937fa8e04e71052fb50e23894448d19678f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Thu, 12 Nov 2020 19:54:52 -0500
+Subject: [PATCH] lldp: fix a buffer overflow when handling management address
+ TLV
+
+Upstream commit:
+    commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
+    Author: Vincent Bernat <vincent@bernat.im>
+    Date: Sun, 4 Oct 2015 01:50:38 +0200
+
+    lldp: fix a buffer overflow when handling management address TLV
+
+    When a remote device was advertising a too large management address
+    while still respecting TLV boundaries, lldpd would crash due to a buffer
+    overflow. However, the buffer being a static one, this buffer overflow
+    is not exploitable if hardening was not disabled. This bug exists since
+    version 0.5.6.
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
+Reported-at: https://github.com/openvswitch/ovs/pull/335
+Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
+Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+---
+ lib/lldp/lldp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 593c5e1c34..628d0f863d 100644
+--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
+@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+         case LLDP_TLV_MGMT_ADDR:
+             CHECK_TLV_SIZE(1, "Management address");
+             addr_str_length = PEEK_UINT8;
+            if (addr_str_length > sizeof(addr_str_buffer)) {
+                VLOG_WARN("too large management address on %s",
+                          hardware->h_ifname);
+                goto malformed;
+            }
+             CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+             PEEK_BYTES(addr_str_buffer, addr_str_length);
+             addr_length = addr_str_length - 1;
+@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+             break;
+ 
+         case LLDP_TLV_ORG:
+-            CHECK_TLV_SIZE(4, "Organisational");
+            CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
+             PEEK_BYTES(orgid, sizeof orgid);
+             tlv_subtype = PEEK_UINT8;
+             if (memcmp(dot1, orgid, sizeof orgid) == 0) {
--- a/CVE-2020-27827.patch
+++ b/CVE-2020-27827.patch
@ -0,0 +1,45 @@
+From 78e712c0b1dacc2f12d2a03d98f083d8672867f0 Mon Sep 17 00:00:00 2001
+From: Aaron Conole <aconole@redhat.com>
+Date: Wed, 13 Jan 2021 10:47:19 -0500
+Subject: [PATCH] lldp: do not leak memory on multiple instances of TLVs
+
+Upstream commit:
+    commit a8d3c90feca548fc0656d95b5d278713db86ff61
+    Date: Tue, 17 Nov 2020 09:28:17 -0500
+
+    lldp: avoid memory leak from bad packets
+
+    A packet that contains multiple instances of certain TLVs will cause
+    lldpd to continually allocate memory and leak the old memory.  As an
+    example, multiple instances of system name TLV will cause old values
+    to be dropped by the decoding routine.
+
+    Reported-at: https://github.com/openvswitch/ovs/pull/337
+    Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
+    Signed-off-by: Aaron Conole <aconole@redhat.com>
+
+Vulnerability: CVE-2020-27827
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+---
+ lib/lldp/lldp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index e5755307fb..18afbab9a7 100644
+--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
+@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+             b = xzalloc(tlv_size + 1);
+             PEEK_BYTES(b, tlv_size);
+             if (tlv_type == LLDP_TLV_PORT_DESCR) {
+                free(port->p_descr);
+                 port->p_descr = b;
+             } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+                free(chassis->c_name);
+                 chassis->c_name = b;
+             } else {
+                free(chassis->c_descr);
+                 chassis->c_descr = b;
+             }
+             break;
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -6,7 +6,7 @@ Summary:        Production Quality, Multilayer Open Virtual Switch
 URL:            http://www.openvswitch.org/
 Version:        2.12.0
 License:        ASL 2.0 and ISC
-Release:        14
+Release:        15
 Source:         https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot:      /tmp/openvswitch-rpm
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
@ -15,6 +15,8 @@ Patch0002:      0002-Remove-unsupported-permission-names.patch
 Patch0003:      0003-Fallback-to-read-proc-net-dev-on-linux.patch
 Patch0004:      CVE-2020-35498-pre.patch
 Patch0005:      CVE-2020-35498.patch
+Patch0006:      CVE-2020-27827.patch
+Patch0007:      CVE-2015-8011.patch

 Requires:       logrotate hostname python >= 3.8 python3-six selinux-policy-targeted
 BuildRequires:  python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
@ -238,6 +240,9 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst

 %changelog
+* Tue Mar 30 2021 wangyue <wangyue92@huawei.com> - 2.12.0-15
+- fix CVE-2020-27827 and CVE-2015-8011
+
 * Mon Mar 01 2021 wangyue <wangyue92@huawei.com> - 2.12.0-14
 - fix CVE-2020-35498