fix CVE-2022-4338

(cherry picked from commit 916e5b3945d6d6c487c0f4c269c13d552dbd0fff)
2022-12-29 08:47:36 +00:00 · 2022-12-29 08:47:36 +00:00 · f327ebab80
commit f327ebab80
parent 459f5a6fb2
2 changed files with 85 additions and 1 deletions
--- a/backport-CVE-2022-4338.patch
+++ b/backport-CVE-2022-4338.patch
@ -0,0 +1,80 @@
+From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001
+From: Qian Chen <cq674350529@163.com>
+Date: Tue, 20 Dec 2022 09:36:08 -0500
+Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach.
+
+The OVS LLDP implementation includes support for AutoAttach standard, which
+the 'upstream' lldpd project does not include.  As part of adding this
+support, the message parsing for these TLVs did not include proper length
+checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the
+LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements.  The result is that a message
+without a proper boundary will cause an overread of memory, and lead to
+undefined results, including crashes or other unidentified behavior.
+
+The fix is to introduce proper bounds checking for these elements.  Introduce
+a unit test to ensure that we have some proper rejection in this code
+base in the future.
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Signed-off-by: Qian Chen <cq674350529@163.com>
+Co-authored-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+---
+ lib/lldp/lldp.c       |  2 ++
+ tests/ofproto-dpif.at | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 18afbab..f668dc7 100644
+--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
+@@ -581,6 +581,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ 
+                 switch(tlv_subtype) {
+                 case LLDP_TLV_AA_ELEMENT_SUBTYPE:
+                    CHECK_TLV_SIZE(50, "ELEMENT");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     aa_element_dword = PEEK_UINT32;
+@@ -627,6 +628,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+                     break;
+ 
+                 case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
+                    CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     /* Subtract off tlv type and length (2Bytes) + OUI (3B) +
+diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
+index f9ffc9f..d4f27ed 100644
+--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
+@@ -29,6 +29,25 @@ AT_CHECK([ovs-appctl revalidator/wait])
+ OVS_VSWITCHD_STOP
+ AT_CLEANUP
+ 
+AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv])
+OVS_VSWITCHD_START()
+add_of_ports br0 1
+
+dnl Enable lldp
+AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true])
+
+dnl Send a malformed lldp packet
+packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl
+"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl
+"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl
+"4445414442454546fe0500040d0c010000"
+AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout])
+
+OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log])
+
+OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"])
+AT_CLEANUP
+
+ AT_SETUP([ofproto-dpif - active-backup bonding])
+ # Create br0 with interfaces p1, p2 and p7, creating bond0 with p1 and p2
+ #    and br1 with interfaces p3, p4 and p8.
+-- 
+2.33.0
+
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -6,12 +6,13 @@ Summary:        Production Quality, Multilayer Open Virtual Switch
 URL:            http://www.openvswitch.org/
 Version:        2.12.4
 License:        ASL 2.0 and ISC
-Release:        1
+Release:        2
 Source:         https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot:      /tmp/openvswitch-rpm
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
 Patch0002:      0002-Remove-unsupported-permission-names.patch
 Patch0003:      0003-Fallback-to-read-proc-net-dev-on-linux.patch
+Patch0004:	backport-CVE-2022-4338.patch

 Patch9000:      fix-selinux-err.patch

@ -284,6 +285,9 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst

 %changelog
+* Thu Dec 29 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.4-2
+- fix CVE-2022-4338
+
 * Wed Sep 28 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.4-1
 - upgrade to 2.12.4