author | Robert Yang <liezhi.yang@windriver.com> | 2023-09-04 14:49:01 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2023-09-07 08:22:43 -0700 |
commit | 3ed51f2d3b3f46207d89e5528d9b82307a1915fb (patch) | |
tree | 8f9d78699d0700a7f03a5a5006cdfb0df7bc32b7 /meta-networking/recipes-protocols/frr/frr | |
parent | c061390201bf160a992d565acd6ac8d6a0a4d242 (diff) | |
frr: Fix CVE-2023-41358 and CVE-2023-41360
Backport patches to fix CVE-2023-41358 and CVE-2023-41360.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-41358
https://nvd.nist.gov/vuln/detail/CVE-2023-41360
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking/recipes-protocols/frr/frr')
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch | 106 | ||||
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch | 35 |
2 files changed, 141 insertions, 0 deletions
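--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
@@ -0,0 +1,106 @@
+From 9efd9a47db4f13ebf88c2ffe14301d7441bcb40d Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 22 Aug 2023 22:52:04 +0300
+Subject: [PATCH 1/2] bgpd: Do not process NLRIs if the attribute length is
+zero
+
+```
+3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
+4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
+5 <signal handler called>
+6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
+at bgpd/bgp_routemap.c:2258
+7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
+match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
+8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
+afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
+at bgpd/bgp_route.c:1772
+9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
+attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
+num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
+10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
+at bgpd/bgp_route.c:6249
+11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
+packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
+12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
+13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
+14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
+15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
+16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
+```
+
+With the configuration:
+
+```
+frr version 9.1-dev-MyOwnFRRVersion
+frr defaults traditional
+hostname ip-172-31-13-140
+log file /tmp/debug.log
+log syslog
+service integrated-vtysh-config
+!
+debug bgp keepalives
+debug bgp neighbor-events
+debug bgp updates in
+debug bgp updates out
+!
+router bgp 100
+bgp router-id 9.9.9.9
+no bgp ebgp-requires-policy
+bgp bestpath aigp
+neighbor 172.31.2.47 remote-as 200
+!
+address-family ipv4 unicast
+neighbor 172.31.2.47 default-originate
+neighbor 172.31.2.47 route-map RM_IN in
+exit-address-family
+exit
+!
+route-map RM_IN permit 10
+set as-path prepend 200
+exit
+!
+```
+
+The issue is that we try to process NLRIs even if the attribute length is 0.
+
+Later bgp_update() will handle route-maps and a crash occurs because all the
+attributes are NULL, including aspath, where we dereference.
+
+According to the RFC 4271:
+
+A value of 0 indicates that neither the Network Layer
+Reachability Information field nor the Path Attribute field is
+present in this UPDATE message.
+
+But with a fuzzed UPDATE message this can be faked. I think it's reasonable
+to skip processing NLRIs if both update_len and attribute_len are 0.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/28ccc24d38df1d51ed8a563507e5d6f6171fdd38]
+
+CVE: CVE-2023-41358
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+bgpd/bgp_packet.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index ec54943f3..3c2e73c59 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+/* Network Layer Reachability Information. */
+update_len = end - stream_pnt(s);
+
+- if (update_len) {
++ if (update_len && attribute_len) {
+/* Set NLRI portion to structure. */
+nlris[NLRI_UPDATE].afi = AFI_IP;
+nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+--
+2.35.5
+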
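Review bot: With `if (update_len && attribute_len)` in bgp_update_receive(), an UPDATE that carries NLRI bytes but a zero path-attribute length appears to be skipped with no log line and no error reported for the peer, so a malformed or fuzzed message leaves no trace for operators. The patch description itself says such a message contradicts RFC 4271, so it would help detection to record the case, for example an `else if (update_len)` branch that logs the peer and both lengths before continuing. The rest of bgp_update_receive() lies outside the hunk, so whether a later check already reports this case should be confirmed there. At minimum, a comment above the condition such as `/* NLRI without path attributes is malformed (RFC 4271); do not parse it */` would document why attribute_len is tested.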
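--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41360.patch
@@ -0,0 +1,35 @@
+From 9ecacf2176d2bac4b90e17d49facb8712c1b467a Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sun, 20 Aug 2023 22:15:27 +0300
+Subject: [PATCH 2/2] bgpd: Don't read the first byte of ORF header if we are
+ahead of stream
+
+Reported-by: Iggy Frankovic iggyfran@amazon.com
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702]
+
+CVE: CVE-2023-41360
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+bgpd/bgp_packet.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 3c2e73c59..f1d0e54c0 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
+* and 7 bytes of ORF Address-filter entry from
+* the stream
+*/
+- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
++ if (p_pnt < p_end &&
++ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+if (bgp_debug_neighbor_events(peer))
+zlog_debug(
+"%pBP rcvd Remove-All pfxlist ORF request",
+--
+2.35.5
+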
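Review bot: The added guard `p_pnt < p_end &&` in bgp_route_refresh_receive() only establishes that one byte is readable, while the comment directly above it mentions a further 7 bytes of ORF Address-filter entry taken from the stream. Those later reads are outside this hunk, so it should be confirmed that each of them is also bounded against `p_end` before the pointer is dereferenced. As a readability point, the condition mixes `&&` with a bitwise `&` and relies on operator precedence; `if (p_pnt < p_end && (*p_pnt & ORF_COMMON_PART_REMOVE_ALL)) {` states the intent unambiguously. A short comment such as `/* p_pnt may already be at p_end for a truncated ORF entry */` would explain why the bound is checked here.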