frr: Fix CVE-2023-41358 and CVE-2023-41360

Backport patches to fix CVE-2023-41358 and CVE-2023-41360. References: https://nvd.nist.gov/vuln/detail/CVE-2023-41358 https://nvd.nist.gov/vuln/detail/CVE-2023-41360 Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Robert Yang <liezhi.yang@windriver.com> 2023-09-04 14:49:01 +0800
committer: Khem Raj <raj.khem@gmail.com> 2023-09-07 08:22:43 -0700
commit: 3ed51f2d3b3f46207d89e5528d9b82307a1915fb (patch)
tree: 8f9d78699d0700a7f03a5a5006cdfb0df7bc32b7
parent: c061390201bf160a992d565acd6ac8d6a0a4d242 (diff)
download: meta-openembedded-3ed51f2d3b3f46207d89e5528d9b82307a1915fb.tar.gz
3 files changed, 143 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
new file mode 100644
index 0000000000..59633ef699
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
@@ -0,0 +1,106 @@
+From 9efd9a47db4f13ebf88c2ffe14301d7441bcb40d Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 22 Aug 2023 22:52:04 +0300
+Subject: [PATCH 1/2] bgpd: Do not process NLRIs if the attribute length is
+ zero
+```
+3  0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
+4  0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
+5  <signal handler called>
+6  0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
+    at bgpd/bgp_routemap.c:2258
+7  0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
+    match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
+8  0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
+    afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
+    at bgpd/bgp_route.c:1772
+9  0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
+    attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
+    num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
+10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
+    at bgpd/bgp_route.c:6249
+11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
+    packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
+12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
+13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
+14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
+15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
+16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
+```
+With the configuration:
+```
+frr version 9.1-dev-MyOwnFRRVersion
+frr defaults traditional
+hostname ip-172-31-13-140
+log file /tmp/debug.log
+log syslog
+service integrated-vtysh-config
+!
+debug bgp keepalives
+debug bgp neighbor-events
+debug bgp updates in
+debug bgp updates out
+!
+router bgp 100
+ bgp router-id 9.9.9.9
+ no bgp ebgp-requires-policy
+ bgp bestpath aigp
+ neighbor 172.31.2.47 remote-as 200
+ !
+ address-family ipv4 unicast
+  neighbor 172.31.2.47 default-originate
+  neighbor 172.31.2.47 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+!
+```
+The issue is that we try to process NLRIs even if the attribute length is 0.
+Later bgp_update() will handle route-maps and a crash occurs because all the
+attributes are NULL, including aspath, where we dereference.
+According to the RFC 4271:
+A value of 0 indicates that neither the Network Layer
+         Reachability Information field nor the Path Attribute field is
+         present in this UPDATE message.
+But with a fuzzed UPDATE message this can be faked. I think it's reasonable
+to skip processing NLRIs if both update_len and attribute_len are 0.
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/28ccc24d38df1d51ed8a563507e5d6f6171fdd38]
+CVE: CVE-2023-41358
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ bgpd/bgp_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index ec54943f3..3c2e73c59 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+        /* Network Layer Reachability Information. */
+        update_len = end - stream_pnt(s);
+ 
+-       if (update_len) {
+       if (update_len && attribute_len) {
+                /* Set NLRI portion to structure. */
+                nlris[NLRI_UPDATE].afi = AFI_IP;
+                nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch
new file mode 100644
index 0000000000..8ee3985b42
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch
@@ -0,0 +1,35 @@
+From 9ecacf2176d2bac4b90e17d49facb8712c1b467a Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sun, 20 Aug 2023 22:15:27 +0300
+Subject: [PATCH 2/2] bgpd: Don't read the first byte of ORF header if we are
+ ahead of stream
+Reported-by: Iggy Frankovic iggyfran@amazon.com
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702]
+CVE: CVE-2023-41360
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ bgpd/bgp_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 3c2e73c59..f1d0e54c0 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
+                                 * and 7 bytes of ORF Address-filter entry from
+                                 * the stream
+                                 */
+-                               if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+                               if (p_pnt < p_end &&
+                                   *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+                                        if (bgp_debug_neighbor_events(peer))
+                                                zlog_debug(
+                                                        "%pBP rcvd Remove-All pfxlist ORF request",
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
index f32b52f331..826b687806 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
           file://frr.pam \
           file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
           file://CVE-2023-3748.patch \
+           file://CVE-2023-41358.patch \
+           file://CVE-2023-41360.patch \
           "
 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"
author	Robert Yang <liezhi.yang@windriver.com>	2023-09-04 14:49:01 +0800
committer	Khem Raj <raj.khem@gmail.com>	2023-09-07 08:22:43 -0700
commit	3ed51f2d3b3f46207d89e5528d9b82307a1915fb (patch)
tree	8f9d78699d0700a7f03a5a5006cdfb0df7bc32b7
parent	c061390201bf160a992d565acd6ac8d6a0a4d242 (diff)
download	meta-openembedded-3ed51f2d3b3f46207d89e5528d9b82307a1915fb.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch new file mode 100644 index 0000000000..59633ef699 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
@@ -0,0 +1,106 @@
		1	From 9efd9a47db4f13ebf88c2ffe14301d7441bcb40d Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Tue, 22 Aug 2023 22:52:04 +0300
		4	Subject: [PATCH 1/2] bgpd: Do not process NLRIs if the attribute length is
		5	zero
		6
		7	```
		8	3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
		9	4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
		10	5 <signal handler called>
		11	6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
		12	at bgpd/bgp_routemap.c:2258
		13	7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
		14	match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
		15	8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
		16	afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
		17	at bgpd/bgp_route.c:1772
		18	9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
		19	attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
		20	num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
		21	10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
		22	at bgpd/bgp_route.c:6249
		23	11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
		24	packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
		25	12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
		26	13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
		27	14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
		28	15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
		29	16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
		30	```
		31
		32	With the configuration:
		33
		34	```
		35	frr version 9.1-dev-MyOwnFRRVersion
		36	frr defaults traditional
		37	hostname ip-172-31-13-140
		38	log file /tmp/debug.log
		39	log syslog
		40	service integrated-vtysh-config
		41	!
		42	debug bgp keepalives
		43	debug bgp neighbor-events
		44	debug bgp updates in
		45	debug bgp updates out
		46	!
		47	router bgp 100
		48	bgp router-id 9.9.9.9
		49	no bgp ebgp-requires-policy
		50	bgp bestpath aigp
		51	neighbor 172.31.2.47 remote-as 200
		52	!
		53	address-family ipv4 unicast
		54	neighbor 172.31.2.47 default-originate
		55	neighbor 172.31.2.47 route-map RM_IN in
		56	exit-address-family
		57	exit
		58	!
		59	route-map RM_IN permit 10
		60	set as-path prepend 200
		61	exit
		62	!
		63	```
		64
		65	The issue is that we try to process NLRIs even if the attribute length is 0.
		66
		67	Later bgp_update() will handle route-maps and a crash occurs because all the
		68	attributes are NULL, including aspath, where we dereference.
		69
		70	According to the RFC 4271:
		71
		72	A value of 0 indicates that neither the Network Layer
		73	Reachability Information field nor the Path Attribute field is
		74	present in this UPDATE message.
		75
		76	But with a fuzzed UPDATE message this can be faked. I think it's reasonable
		77	to skip processing NLRIs if both update_len and attribute_len are 0.
		78
		79	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		80	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		81
		82	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/28ccc24d38df1d51ed8a563507e5d6f6171fdd38]
		83
		84	CVE: CVE-2023-41358
		85
		86	Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
		87	---
		88	bgpd/bgp_packet.c \| 2 +-
		89	1 file changed, 1 insertion(+), 1 deletion(-)
		90
		91	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		92	index ec54943f3..3c2e73c59 100644
		93	--- a/bgpd/bgp_packet.c
		94	+++ b/bgpd/bgp_packet.c
		95	@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
		96	/* Network Layer Reachability Information. */
		97	update_len = end - stream_pnt(s);
		98
		99	- if (update_len) {
		100	+ if (update_len && attribute_len) {
		101	/* Set NLRI portion to structure. */
		102	nlris[NLRI_UPDATE].afi = AFI_IP;
		103	nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
		104	--
		105	2.35.5
		106


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch new file mode 100644 index 0000000000..8ee3985b42 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch
@@ -0,0 +1,35 @@
		1	From 9ecacf2176d2bac4b90e17d49facb8712c1b467a Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Sun, 20 Aug 2023 22:15:27 +0300
		4	Subject: [PATCH 2/2] bgpd: Don't read the first byte of ORF header if we are
		5	ahead of stream
		6
		7	Reported-by: Iggy Frankovic iggyfran@amazon.com
		8	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		9
		10	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702]
		11
		12	CVE: CVE-2023-41360
		13
		14	Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
		15	---
		16	bgpd/bgp_packet.c \| 3 ++-
		17	1 file changed, 2 insertions(+), 1 deletion(-)
		18
		19	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		20	index 3c2e73c59..f1d0e54c0 100644
		21	--- a/bgpd/bgp_packet.c
		22	+++ b/bgpd/bgp_packet.c
		23	@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
		24	* and 7 bytes of ORF Address-filter entry from
		25	* the stream
		26	*/
		27	- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
		28	+ if (p_pnt < p_end &&
		29	+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
		30	if (bgp_debug_neighbor_events(peer))
		31	zlog_debug(
		32	"%pBP rcvd Remove-All pfxlist ORF request",
		33	--
		34	2.35.5
		35


diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb index f32b52f331..826b687806 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
13	file://frr.pam \	13	file://frr.pam \
14	file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \	14	file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
15	file://CVE-2023-3748.patch \	15	file://CVE-2023-3748.patch \
		16	file://CVE-2023-41358.patch \
		17	file://CVE-2023-41360.patch \
16	"	18	"
17		19
18	SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"	20	SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"