frr: fix CVE-2024-44070

An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-44070 Upstream patch: https://github.com/FRRouting/frr/commit/0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2024-09-17 11:27:02 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-10-13 11:13:14 -0400
commit: 4d0efedaa6bf85367738e6ca97a71f132a3d0ec5 (patch)
tree: 177da2d97801e1ba1dc57cebded67fcf3ba41019
parent: 5903ee551f466ec815431a3c93aac8bdf43f9cba (diff)
download: meta-openembedded-4d0efedaa6bf85367738e6ca97a71f132a3d0ec5.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch
new file mode 100644
index 0000000000..e58df44cc6
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch
@@ -0,0 +1,69 @@
+From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 31 Jul 2024 05:56:14 +0000
+Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
+ TLV value ```
+    0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/
+ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/
+bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/
+frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4)
+(BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/
+ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/
+bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    3 0xe0d12d7469cc  (linux-vdso.so.1+0x9cc) (BuildId:
+1a77697e9d723fe22246cfd7641b140c427b7e11)
+    4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/
+pthread_kill.c:43:17
+    5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
+    6 0xe0d12c83712c in abort stdlib/abort.c:79:7
+    7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/lib/zlog.c:789:2
+    8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/lib/stream.c:324:3
+    9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
+    10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
+    11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
+    12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
+    13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/
+frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
+```
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-44070
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ bgpd/bgp_attr.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 1e08a218e..ef45d5c46 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -2475,6 +2475,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+                                                  args->total);
+                }
+               if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+                       zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+                                sublength, STREAM_READABLE(BGP_INPUT(peer)));
+                       return bgp_attr_malformed(args,
+                                                 BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                                 args->total);
+               }
+
+                /* alloc and copy sub-tlv */
+                /* TBD make sure these are freed when attributes are released */
+                tlv = XCALLOC(MTYPE_ENCAP_TLV,
+--
+2.40.0
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 03b106131f..0823a7bf13 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2023-47234.patch \
           file://CVE-2023-47235.patch \
           file://frr.pam \
+           file://CVE-2024-44070.patch\
              "
 SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"
author	Divya Chellam <divya.chellam@windriver.com>	2024-09-17 11:27:02 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-10-13 11:13:14 -0400
commit	4d0efedaa6bf85367738e6ca97a71f132a3d0ec5 (patch)
tree	177da2d97801e1ba1dc57cebded67fcf3ba41019
parent	5903ee551f466ec815431a3c93aac8bdf43f9cba (diff)
download	meta-openembedded-4d0efedaa6bf85367738e6ca97a71f132a3d0ec5.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch new file mode 100644 index 0000000000..e58df44cc6 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch
@@ -0,0 +1,69 @@
		1	From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Wed, 31 Jul 2024 05:56:14 +0000
		4	Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
		5	TLV value ```
		6
		7	0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/
		8	ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/
		9	bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
		10	1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/
		11	frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4)
		12	(BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
		13	2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/
		14	ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/
		15	bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
		16	3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId:
		17	1a77697e9d723fe22246cfd7641b140c427b7e11)
		18	4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/
		19	pthread_kill.c:43:17
		20	5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
		21	6 0xe0d12c83712c in abort stdlib/abort.c:79:7
		22	7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/
		23	frr_public_private-libfuzzer/lib/zlog.c:789:2
		24	8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/
		25	frr_public_private-libfuzzer/lib/stream.c:324:3
		26	9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/
		27	frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
		28	10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/
		29	frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
		30	11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/
		31	frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
		32	12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/
		33	frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
		34	13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/
		35	frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
		36	```
		37
		38	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		39	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		40
		41	CVE: CVE-2024-44070
		42	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5]
		43
		44	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		45	---
		46	bgpd/bgp_attr.c \| 8 ++++++++
		47	1 file changed, 8 insertions(+)
		48
		49	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		50	index 1e08a218e..ef45d5c46 100644
		51	--- a/bgpd/bgp_attr.c
		52	+++ b/bgpd/bgp_attr.c
		53	@@ -2475,6 +2475,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
		54	args->total);
		55	}
		56
		57	+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
		58	+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
		59	+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
		60	+ return bgp_attr_malformed(args,
		61	+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		62	+ args->total);
		63	+ }
		64	+
		65	/* alloc and copy sub-tlv */
		66	/* TBD make sure these are freed when attributes are released */
		67	tlv = XCALLOC(MTYPE_ENCAP_TLV,
		68	--
		69	2.40.0


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 03b106131f..0823a7bf13 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
28	file://CVE-2023-47234.patch \	28	file://CVE-2023-47234.patch \
29	file://CVE-2023-47235.patch \	29	file://CVE-2023-47235.patch \
30	file://frr.pam \	30	file://frr.pam \
		31	file://CVE-2024-44070.patch\
31	"	32	"
32		33
33	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"	34	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"