openvswitch: fix CVE-2020-35498 limitation in the OVS packet parsingdunfell

Upstream-Status: Backport https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2024-05-09 17:48:24 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-05-13 22:33:28 -0400
commit: 77af3345cb99ae08b04a354b37c4afebd8b36981 (patch)
tree: 4dd8bd36d7496d824490ea01591511bae895f609
parent: 35c723774ee06b3c1831f00a2cbf25cbeae132e1 (diff)
download: meta-virtualization-77af3345cb99ae08b04a354b37c4afebd8b36981.tar.gz
2 files changed, 152 insertions, 0 deletions
diff --git a/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch b/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch
new file mode 100644
index 00000000..5093f077
--- /dev/null
+++ b/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch
@@ -0,0 +1,151 @@
+rom 0625dc79aec73b966f206e55655a2816696246d0 Mon Sep 17 00:00:00 2001
+From: Flavio Leitner <fbl@sysclose.org>
+Date: Mon, 26 Oct 2020 16:03:19 -0300
+Subject: [PATCH] flow: Support extra padding length.
+Although not required, padding can be optionally added until
+the packet length is MTU bytes. A packet with extra padding
+currently fails sanity checks.
+Vulnerability: CVE-2020-35498
+Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
+Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se>
+Acked-by: Ilya Maximets <i.maximets@ovn.org>
+Signed-off-by: Flavio Leitner <fbl@sysclose.org>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Upstream-Status: Backport [https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0]
+CVE: CVE-2020-35498
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/conntrack.c     |  2 +-
+ lib/dp-packet.h     | 10 +++++-----
+ lib/flow.c          |  6 +++---
+ tests/classifier.at | 36 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 9 deletions(-)
+diff --git a/lib/conntrack.c b/lib/conntrack.c
+index ff5a89457..0f486d74c 100644
+--- a/lib/conntrack.c
+++ b/lib/conntrack.c
+@@ -813,7 +813,7 @@ static void
+ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
+ {
+     char *tail = dp_packet_tail(pkt);
+-    uint8_t pad = dp_packet_l2_pad_size(pkt);
+    uint16_t pad = dp_packet_l2_pad_size(pkt);
+     struct conn_key inner_key;
+     const char *inner_l4 = NULL;
+     uint16_t orig_l3_ofs = pkt->l3_ofs;
+diff --git a/lib/dp-packet.h b/lib/dp-packet.h
+index 9f8991faa..45655af46 100644
+--- a/lib/dp-packet.h
+++ b/lib/dp-packet.h
+@@ -81,7 +81,7 @@ struct dp_packet {
+ 
+     /* All the following elements of this struct are copied in a single call
+      * of memcpy in dp_packet_clone_with_headroom. */
+-    uint8_t l2_pad_size;           /* Detected l2 padding size.
+    uint16_t l2_pad_size;          /* Detected l2 padding size.
+                                     * Padding is non-pullable. */
+     uint16_t l2_5_ofs;             /* MPLS label stack offset, or UINT16_MAX */
+     uint16_t l3_ofs;               /* Network-level header offset,
+@@ -118,8 +118,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment);
+ void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
+ static inline void *dp_packet_eth(const struct dp_packet *);
+ static inline void dp_packet_reset_offsets(struct dp_packet *);
+-static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
+-static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
+ static inline void *dp_packet_l2_5(const struct dp_packet *);
+ static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
+ static inline void *dp_packet_l3(const struct dp_packet *);
+@@ -327,14 +327,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
+     b->l4_ofs = UINT16_MAX;
+ }
+ 
+-static inline uint8_t
+static inline uint16_t
+ dp_packet_l2_pad_size(const struct dp_packet *b)
+ {
+     return b->l2_pad_size;
+ }
+ 
+ static inline void
+-dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
+ {
+     ovs_assert(pad_size <= dp_packet_size(b));
+     b->l2_pad_size = pad_size;
+diff --git a/lib/flow.c b/lib/flow.c
+index 45bb96b54..353d5cd3e 100644
+--- a/lib/flow.c
+++ b/lib/flow.c
+@@ -655,7 +655,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
+ 
+     tot_len = ntohs(nh->ip_tot_len);
+     if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
+-                size - tot_len > UINT8_MAX)) {
+                size - tot_len > UINT16_MAX)) {
+         return false;
+     }
+ 
+@@ -693,8 +693,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
+     if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
+         return false;
+     }
+-    /* Jumbo Payload option not supported yet. */
+-    if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT8_MAX)) {
+
+    if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
+         return false;
+     }
+ 
+diff --git a/tests/classifier.at b/tests/classifier.at
+index 88818618b..cdcd72c15 100644
+--- a/tests/classifier.at
+++ b/tests/classifier.at
+@@ -304,3 +304,39 @@ ovs-ofctl: "conjunction" actions may be used along with "note" but not any other
+ ])
+ OVS_VSWITCHD_STOP
+ AT_CLEANUP
+
+# Flow classifier a packet with excess of padding.
+AT_SETUP([flow classifier - packet with extra padding])
+OVS_VSWITCHD_START
+add_of_ports br0 1 2
+AT_DATA([flows.txt], [dnl
+priority=5,ip,ip_dst=1.1.1.1,actions=1
+priority=5,ip,ip_dst=1.1.1.2,actions=2
+priority=0,actions=drop
+])
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+# normal packet plus 255 bytes of padding (8bit padding).
+# 255 * 2 = 510
+padding=$(printf '%*s' 510 | tr ' ' '0')
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+# normal packet plus padding up to 65535 bytes of length (16bit limit).
+# 65535 - 43 = 65492
+# 65492 * 2 = 130984
+padding=$(printf '%*s' 130984 | tr ' ' '0')
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+OVS_VSWITCHD_STOP
+AT_CLEANUP
+-- 
+2.25.1
diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 56a9c25f..c1cc23c0 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -32,6 +32,7 @@ SRC_URI = "file://openvswitch-switch \
           file://systemd-update-tool-paths.patch \
           file://systemd-create-runtime-dirs.patch \
           file://CVE-2021-3905.patch \
+           file://CVE-2020-35498.patch \
           "
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
author	Hitendra Prajapati <hprajapati@mvista.com>	2024-05-09 17:48:24 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2024-05-13 22:33:28 -0400
commit	77af3345cb99ae08b04a354b37c4afebd8b36981 (patch)
tree	4dd8bd36d7496d824490ea01591511bae895f609
parent	35c723774ee06b3c1831f00a2cbf25cbeae132e1 (diff)
download	meta-virtualization-77af3345cb99ae08b04a354b37c4afebd8b36981.tar.gz

diff --git a/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch b/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch new file mode 100644 index 00000000..5093f077 --- /dev/null +++ b/recipes-networking/openvswitch/openvswitch-git/CVE-2020-35498.patch
@@ -0,0 +1,151 @@
		1	rom 0625dc79aec73b966f206e55655a2816696246d0 Mon Sep 17 00:00:00 2001
		2	From: Flavio Leitner <fbl@sysclose.org>
		3	Date: Mon, 26 Oct 2020 16:03:19 -0300
		4	Subject: [PATCH] flow: Support extra padding length.
		5
		6	Although not required, padding can be optionally added until
		7	the packet length is MTU bytes. A packet with extra padding
		8	currently fails sanity checks.
		9
		10	Vulnerability: CVE-2020-35498
		11	Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
		12	Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se>
		13	Acked-by: Ilya Maximets <i.maximets@ovn.org>
		14	Signed-off-by: Flavio Leitner <fbl@sysclose.org>
		15	Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
		16
		17	Upstream-Status: Backport [https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0]
		18	CVE: CVE-2020-35498
		19	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		20	---
		21	lib/conntrack.c \| 2 +-
		22	lib/dp-packet.h \| 10 +++++-----
		23	lib/flow.c \| 6 +++---
		24	tests/classifier.at \| 36 ++++++++++++++++++++++++++++++++++++
		25	4 files changed, 45 insertions(+), 9 deletions(-)
		26
		27	diff --git a/lib/conntrack.c b/lib/conntrack.c
		28	index ff5a89457..0f486d74c 100644
		29	--- a/lib/conntrack.c
		30	+++ b/lib/conntrack.c
		31	@@ -813,7 +813,7 @@ static void
		32	reverse_nat_packet(struct dp_packet pkt, const struct conn conn)
		33	{
		34	char *tail = dp_packet_tail(pkt);
		35	- uint8_t pad = dp_packet_l2_pad_size(pkt);
		36	+ uint16_t pad = dp_packet_l2_pad_size(pkt);
		37	struct conn_key inner_key;
		38	const char *inner_l4 = NULL;
		39	uint16_t orig_l3_ofs = pkt->l3_ofs;
		40	diff --git a/lib/dp-packet.h b/lib/dp-packet.h
		41	index 9f8991faa..45655af46 100644
		42	--- a/lib/dp-packet.h
		43	+++ b/lib/dp-packet.h
		44	@@ -81,7 +81,7 @@ struct dp_packet {
		45
		46	/* All the following elements of this struct are copied in a single call
		47	* of memcpy in dp_packet_clone_with_headroom. */
		48	- uint8_t l2_pad_size; /* Detected l2 padding size.
		49	+ uint16_t l2_pad_size; /* Detected l2 padding size.
		50	* Padding is non-pullable. */
		51	uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */
		52	uint16_t l3_ofs; /* Network-level header offset,
		53	@@ -118,8 +118,8 @@ void dp_packet_resize_l2(struct dp_packet , int increment);
		54	void dp_packet_resize_l2_5(struct dp_packet , int increment);
		55	static inline void dp_packet_eth(const struct dp_packet );
		56	static inline void dp_packet_reset_offsets(struct dp_packet *);
		57	-static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
		58	-static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
		59	+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
		60	+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
		61	static inline void dp_packet_l2_5(const struct dp_packet );
		62	static inline void dp_packet_set_l2_5(struct dp_packet , void );
		63	static inline void dp_packet_l3(const struct dp_packet );
		64	@@ -327,14 +327,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
		65	b->l4_ofs = UINT16_MAX;
		66	}
		67
		68	-static inline uint8_t
		69	+static inline uint16_t
		70	dp_packet_l2_pad_size(const struct dp_packet *b)
		71	{
		72	return b->l2_pad_size;
		73	}
		74
		75	static inline void
		76	-dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
		77	+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
		78	{
		79	ovs_assert(pad_size <= dp_packet_size(b));
		80	b->l2_pad_size = pad_size;
		81	diff --git a/lib/flow.c b/lib/flow.c
		82	index 45bb96b54..353d5cd3e 100644
		83	--- a/lib/flow.c
		84	+++ b/lib/flow.c
		85	@@ -655,7 +655,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
		86
		87	tot_len = ntohs(nh->ip_tot_len);
		88	if (OVS_UNLIKELY(tot_len > size \|\| ip_len > tot_len \|\|
		89	- size - tot_len > UINT8_MAX)) {
		90	+ size - tot_len > UINT16_MAX)) {
		91	return false;
		92	}
		93
		94	@@ -693,8 +693,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
		95	if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
		96	return false;
		97	}
		98	- /* Jumbo Payload option not supported yet. */
		99	- if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT8_MAX)) {
		100	+
		101	+ if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
		102	return false;
		103	}
		104
		105	diff --git a/tests/classifier.at b/tests/classifier.at
		106	index 88818618b..cdcd72c15 100644
		107	--- a/tests/classifier.at
		108	+++ b/tests/classifier.at
		109	@@ -304,3 +304,39 @@ ovs-ofctl: "conjunction" actions may be used along with "note" but not any other
		110	])
		111	OVS_VSWITCHD_STOP
		112	AT_CLEANUP
		113	+
		114	+# Flow classifier a packet with excess of padding.
		115	+AT_SETUP([flow classifier - packet with extra padding])
		116	+OVS_VSWITCHD_START
		117	+add_of_ports br0 1 2
		118	+AT_DATA([flows.txt], [dnl
		119	+priority=5,ip,ip_dst=1.1.1.1,actions=1
		120	+priority=5,ip,ip_dst=1.1.1.2,actions=2
		121	+priority=0,actions=drop
		122	+])
		123	+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
		124	+packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a
		125	+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
		126	+AT_CHECK([tail -2 stdout], [0],
		127	+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
		128	+Datapath actions: 2
		129	+])
		130	+# normal packet plus 255 bytes of padding (8bit padding).
		131	+# 255 * 2 = 510
		132	+padding=$(printf '%*s' 510 \| tr ' ' '0')
		133	+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout])
		134	+AT_CHECK([tail -2 stdout], [0],
		135	+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
		136	+Datapath actions: 2
		137	+])
		138	+# normal packet plus padding up to 65535 bytes of length (16bit limit).
		139	+# 65535 - 43 = 65492
		140	+# 65492 * 2 = 130984
		141	+padding=$(printf '%*s' 130984 \| tr ' ' '0')
		142	+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout])
		143	+AT_CHECK([tail -2 stdout], [0],
		144	+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
		145	+Datapath actions: 2
		146	+])
		147	+OVS_VSWITCHD_STOP
		148	+AT_CLEANUP
		149	--
		150	2.25.1
		151


diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index 56a9c25f..c1cc23c0 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -32,6 +32,7 @@ SRC_URI = "file://openvswitch-switch \
32	file://systemd-update-tool-paths.patch \	32	file://systemd-update-tool-paths.patch \
33	file://systemd-create-runtime-dirs.patch \	33	file://systemd-create-runtime-dirs.patch \
34	file://CVE-2021-3905.patch \	34	file://CVE-2021-3905.patch \
		35	file://CVE-2020-35498.patch \
35	"	36	"
36		37
37	LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"	38	LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"