packages/openvswitch
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!93 fix CVE-2021-3905

Browse Source 
From: @qz_cx 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot 2022-07-12 07:33:12 +00:00 committed by Gitee
commit c6109fa736
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
CVE-2021-3905.patch Normal file
View File

@ -0,0 +1,63 @@
From a5e7296363137b4d77d1ae1ffb7bc2be5980bd9c Mon Sep 17 00:00:00 2001
From: qz_cx <wangqingzheng@kylinos.cn>
Date: Fri, 8 Jul 2022 13:59:53 +0800
Subject: [PATCH] ipf: release unhandled packets from the batch Since 640d4db
("ipf: Fix a use-after-free error, ...") the ipf framework unconditionally
allocates a new dp_packet to track individual fragments. This prevents a
use-after-free. However, an additional issue was present - even when the
packet buffer is cloned, if the ip fragment handling code keeps it, the
original buffer is leaked during the refill loop. Even in the original
processing code, the hardcoded dnsteal branches would always leak a packet
buffer from the refill loop.
This can be confirmed with valgrind:
==717566== 16,672 (4,480 direct, 12,192 indirect) bytes in 8 blocks are definitely lost in loss record 390 of 390
==717566== at 0x484086F: malloc (vg_replace_malloc.c:380)
==717566== by 0x537BFD: xmalloc__ (util.c:137)
==717566== by 0x537BFD: xmalloc (util.c:172)
==717566== by 0x46DDD4: dp_packet_new (dp-packet.c:153)
==717566== by 0x46DDD4: dp_packet_new_with_headroom (dp-packet.c:163)
==717566== by 0x550AA6: netdev_linux_batch_rxq_recv_sock.constprop.0 (netdev-linux.c:1262)
==717566== by 0x5512AF: netdev_linux_rxq_recv (netdev-linux.c:1511)
==717566== by 0x4AB7E0: netdev_rxq_recv (netdev.c:727)
==717566== by 0x47F00D: dp_netdev_process_rxq_port (dpif-netdev.c:4699)
==717566== by 0x47FD13: dpif_netdev_run (dpif-netdev.c:5957)
==717566== by 0x4331D2: type_run (ofproto-dpif.c:370)
==717566== by 0x41DFD8: ofproto_type_run (ofproto.c:1768)
==717566== by 0x40A7FB: bridge_run__ (bridge.c:3245)
==717566== by 0x411269: bridge_run (bridge.c:3310)
==717566== by 0x406E6C: main (ovs-vswitchd.c:127)
The fix is to delete the original packet when it isn't able to be
reinserted into the packet batch. Subsequent valgrind runs show that
the packets are not leaked from the batch any longer.
Fixes: 640d4db ("ipf: Fix a use-after-free error, and remove the 'do_not_steal' flag.")
Fixes: 4ea9669 ("Userspace datapath: Add fragmentation handling.")
Reported-by: Wan Junjie <wanjunjie@bytedance.com>
Reported-at: openvswitch/ovs-issues#226
Signed-off-by: Aaron Conole <aconole@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
Tested-by: Wan Junjie <wanjunjie@bytedance.com>
Signed-off-by: Alin-Gabriel Serdean <aserdean@ovn.org>
---
lib/ipf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/ipf.c b/lib/ipf.c
index 4cc0f2d..e8858d2 100644
--- a/lib/ipf.c
+++ b/lib/ipf.c
@@ -941,6 +941,8 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb,
if (!ipf_handle_frag(ipf, pkt, dl_type, zone, now, hash_basis,
pb->do_not_steal)) {
dp_packet_batch_refill(pb, pkt, pb_idx);
+ } else {
+ dp_packet_delete(pkt);
}
ovs_mutex_unlock(&ipf->ipf_lock);
} else {
--
2.33.0

9
openvswitch.spec
View File

@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
URL: http://www.openvswitch.org/
Version: 2.12.0
License: ASL 2.0 and ISC
Release: 20
Release: 21
Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
Buildroot: /tmp/openvswitch-rpm
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
@ -19,6 +19,7 @@ Patch0006: CVE-2020-27827.patch
Patch0007: CVE-2015-8011.patch
Patch0008: backport-CVE-2021-36980.patch
Patch0009: backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch
Patch0010: CVE-2021-3905.patch
Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted libsepol >= 3.1
BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
@ -289,6 +290,12 @@ exit 0
%doc README.rst NEWS rhel/README.RHEL.rst
%changelog
* Fri Jul 8 2022 qz_cx <wangqingzheng@kylinos.cn> - 2.12.0-21
- Type:cve
- ID:CVE-2021-3905
- SUG:NA
- DESC: fix CVE-2021-3905
* Wed Apr 06 2022 chenjian <chenjian@kylinos.cn> - 2.12.0-20
- add backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch