fix CVE-2020-35498

2021-03-01 09:48:46 +08:00 · 2021-03-01 09:48:46 +08:00 · d882ff97bd
commit d882ff97bd
parent ded0001e80
3 changed files with 161 additions and 2 deletions
--- a/CVE-2020-35498-pre.patch
+++ b/CVE-2020-35498-pre.patch
@ -0,0 +1,53 @@
 From b7d0c1a5842d59d7413cb9c079fe25b1ad2b6602 Mon Sep 17 00:00:00 2001
 From: wang_yue111 <648774160@qq.com>
 Date: Fri, 26 Feb 2021 17:59:44 +0800
 Subject: [PATCH] conntrack: Fix 'reverse_nat_packet()' variable
 datatype.
 The datatype 'pad' in the function 'reverse_nat_packet()' was incorrectly
 declared as 'char' instead of 'uint8_t'. This can affect reverse natting
 of icmpX packets with padding > 127 bytes.  At the same time, add some
 comments regarding 'extract_l3_ipvX' usage in this function.  Found by
 inspection.
 Fixes: edd1bef468c0 ("dpdk: Add more ICMP Related NAT support.")
 Signed-off-by: Darrell Ball <dlu998@gmail.com>
 Signed-off-by: Ben Pfaff <blp@ovn.org>
 ---
 lib/conntrack.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/lib/conntrack.c b/lib/conntrack.c
 index e5266e5..59df332 100644
 --- a/lib/conntrack.c
 +++ b/lib/conntrack.c
@@ -688,7 +688,7 @@ static void
 reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
 {
     char *tail = dp_packet_tail(pkt);
 -    char pad = dp_packet_l2_pad_size(pkt);
 +    uint8_t pad = dp_packet_l2_pad_size(pkt);
     struct conn_key inner_key;
     const char *inner_l4 = NULL;
     uint16_t orig_l3_ofs = pkt->l3_ofs;
@@ -698,6 +698,8 @@ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
         struct ip_header *nh = dp_packet_l3(pkt);
         struct icmp_header *icmp = dp_packet_l4(pkt);
         struct ip_header *inner_l3 = (struct ip_header *) (icmp + 1);
 +        /* This call is already verified to succeed during the code path from
 +         * 'conn_key_extract()' which calls 'extract_l4_icmp()'. */
         extract_l3_ipv4(&inner_key, inner_l3, tail - ((char *)inner_l3) - pad,
                         &inner_l4, false);
         pkt->l3_ofs += (char *) inner_l3 - (char *) nh;
@@ -719,6 +721,8 @@ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
         struct icmp6_error_header *icmp6 = dp_packet_l4(pkt);
         struct ovs_16aligned_ip6_hdr *inner_l3_6 =
             (struct ovs_16aligned_ip6_hdr *) (icmp6 + 1);
 +        /* This call is already verified to succeed during the code path from
 +	  * 'conn_key_extract()' which calls 'extract_l4_icmp6()'. */
         extract_l3_ipv6(&inner_key, inner_l3_6,
                         tail - ((char *)inner_l3_6) - pad,
                         &inner_l4);
 -- 
 2.23.0
--- a/CVE-2020-35498.patch
+++ b/CVE-2020-35498.patch
@ -0,0 +1,100 @@
 From 45e941a17b605cc61e7c3ed8cffed5b3a5b608a6 Mon Sep 17 00:00:00 2001
 From: wang_yue111 <648774160@qq.com>
 Date: Fri, 26 Feb 2021 18:20:58 +0800
 Subject: [PATCH]  flow: Support extra padding length.
 Although not required, padding can be optionally added until
 the packet length is MTU bytes. A packet with extra padding
 currently fails sanity checks.
 Vulnerability: CVE-2020-35498
 Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
 Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se>
 Acked-by: Ilya Maximets <i.maximets@ovn.org>
 Signed-off-by: Flavio Leitner <fbl@sysclose.org>
 Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
 ---
 lib/conntrack.c     |  2 +-
 lib/dp-packet.h     | 10 +++++-----
 lib/flow.c          |  6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
 diff --git a/lib/conntrack.c b/lib/conntrack.c
 index 47ebc8e..9a59ef6 100644
 --- a/lib/conntrack.c
 +++ b/lib/conntrack.c
@@ -688,7 +688,7 @@ static void
 reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
 {
     char *tail = dp_packet_tail(pkt);
 -    uint8_t pad = dp_packet_l2_pad_size(pkt);
 +    uint16_t pad = dp_packet_l2_pad_size(pkt);
     struct conn_key inner_key;
     const char *inner_l4 = NULL;
     uint16_t orig_l3_ofs = pkt->l3_ofs;
 diff --git a/lib/dp-packet.h b/lib/dp-packet.h
 index 14f0897..c607247 100644
 --- a/lib/dp-packet.h
 +++ b/lib/dp-packet.h
@@ -76,7 +76,7 @@ struct dp_packet {
     /* All the following elements of this struct are copied in a single call
      * of memcpy in dp_packet_clone_with_headroom. */
 -    uint8_t l2_pad_size;           /* Detected l2 padding size.
 +    uint16_t l2_pad_size;          /* Detected l2 padding size.
                                     * Padding is non-pullable. */
     uint16_t l2_5_ofs;             /* MPLS label stack offset, or UINT16_MAX */
     uint16_t l3_ofs;               /* Network-level header offset,
@@ -113,8 +113,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment);
 void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
 static inline void *dp_packet_eth(const struct dp_packet *);
 static inline void dp_packet_reset_offsets(struct dp_packet *);
 -static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
 -static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
 +static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
 +static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
 static inline void *dp_packet_l2_5(const struct dp_packet *);
 static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
 static inline void *dp_packet_l3(const struct dp_packet *);
@@ -320,14 +320,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
     b->l4_ofs = UINT16_MAX;
 }
 -static inline uint8_t
 +static inline uint16_t
 dp_packet_l2_pad_size(const struct dp_packet *b)
 {
     return b->l2_pad_size;
 }
 static inline void
 -dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
 +dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
 {
     ovs_assert(pad_size <= dp_packet_size(b));
     b->l2_pad_size = pad_size;
 diff --git a/lib/flow.c b/lib/flow.c
 index e54fd2e..354b441 100644
 --- a/lib/flow.c
 +++ b/lib/flow.c
@@ -660,7 +660,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
     tot_len = ntohs(nh->ip_tot_len);
     if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
 -                size - tot_len > UINT8_MAX)) {
 +                size - tot_len > UINT16_MAX)) {
         return false;
     }
@@ -698,8 +698,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
     if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
         return false;
     }
 -    /* Jumbo Payload option not supported yet. */
 -    if (OVS_UNLIKELY(size - plen > UINT8_MAX)) {
 +
 +    if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
         return false;
     }
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -5,14 +5,17 @@ Name:           openvswitch
 Summary:        Production Quality, Multilayer Open Virtual Switch
 URL:            http://www.openvswitch.org/
 Version:        2.12.0
-License:        ASL 2.0
+License:        ASL 2.0 and ISC
-Release:        13
+Release:        14
 Source:         https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot:      /tmp/openvswitch-rpm
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
 Patch0001:      0001-fix-dict-change-during-iteration.patch
 Patch0002:      0002-Remove-unsupported-permission-names.patch
 Patch0003:      0003-Fallback-to-read-proc-net-dev-on-linux.patch
 Patch0004:      CVE-2020-35498-pre.patch
 Patch0005:      CVE-2020-35498.patch
 Requires:       logrotate hostname python >= 3.8 python3-six selinux-policy-targeted
 BuildRequires:  python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
 BuildRequires:  python3-devel
@ -235,6 +238,9 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst
 %changelog
 * Mon Mar 01 2021 wangyue <wangyue92@huawei.com> - 2.12.0-14
 - fix CVE-2020-35498
 * Sun Feb 07 2021 luosuwang <oenetdev@huawei.com> - 2.12.0-13
 - Add python3.Xdist(ovs)