From: "Bruce Ashfield" <bruce.ashfield@gmail.com>
To: qiang.zhang@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [PATCH] openvswitch: fix CVE-2021-36980
Date: Thu, 16 Sep 2021 18:07:48 -0400
Message-ID: <20210916220745.GA25504@gmail.com>
In-Reply-To: <20210910032104.38901-1-qiang.zhang@windriver.com>

In message: [PATCH] openvswitch: fix CVE-2021-36980
on 10/09/2021 qiang.zhang@windriver.com wrote:

> From: Zqiang <qiang.zhang@windriver.com>
> 
> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
> a use-after-free in decode_NXAST_RAW_ENCAP (called from
> ofpact_decode and ofpacts_decode) during the decoding of
> a RAW_ENCAP action.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
> 
> Patches from:
> https://github.com/openvswitch/ovs/commit/65c61b0c23a0d474696d7b1cea522a5016a8aeb3
> 
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> ---
>  ...use-after-free-while-decoding-RAW_EN.patch | 97 +++++++++++++++++++
>  .../openvswitch/openvswitch_git.bb            |  1 +
>  2 files changed, 98 insertions(+)
>  create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> 
> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> new file mode 100644
> index 00000000..3afd1bad
> --- /dev/null
> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> @@ -0,0 +1,97 @@
> +From 77cccc74deede443e8b9102299efc869a52b65b2 Mon Sep 17 00:00:00 2001
> +From: Ilya Maximets <i.maximets@ovn.org>
> +Date: Tue, 16 Feb 2021 23:27:30 +0100
> +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
> +
> +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
> +ofpbuf if there is no enough space left.  However, function
> +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
> +structure leading to write-after-free and incorrect decoding.
> +
> +  ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
> +  0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
> +  WRITE of size 2 at 0x60600000011a thread T0
> +    #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
> +    #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
> +    #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
> +    #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
> +    #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
> +    #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
> +    #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
> +    #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
> +    #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
> +    #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
> +    #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
> +    #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
> +    #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
> +    #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
> +    #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
> +    #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
> +
> +Fix that by getting a new pointer before using.
> +
> +Credit to OSS-Fuzz.
> +
> +Fuzzer regression test will fail only with AddressSanitizer enabled.
> +
> +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
> +Fixes: f839892a206a ("OF support and translation of generic encap and decap")
> +Acked-by: William Tu <u9012063@gmail.com>
> +Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> +---
> + lib/ofp-actions.c                                       | 2 ++
> + tests/automake.mk                                       | 3 ++-
> + tests/fuzz-regression-list.at                           | 1 +
> + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
> + 4 files changed, 5 insertions(+), 1 deletion(-)
> + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +
> +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
> +index e2e829772..0342a228b 100644
> +--- a/lib/ofp-actions.c
> ++++ b/lib/ofp-actions.c
> +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> + {
> +     struct ofpact_encap *encap;
> +     const struct ofp_ed_prop_header *ofp_prop;
> ++    const size_t encap_ofs = out->size;
> +     size_t props_len;
> +     uint16_t n_props = 0;
> +     int err;
> +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> +         }
> +         n_props++;
> +     }
> ++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
> +     encap->n_props = n_props;
> +     out->header = &encap->ofpact;
> +     ofpact_finish_ENCAP(out, &encap);
> +diff --git a/tests/automake.mk b/tests/automake.mk
> +index 677b99a6b..fc80e027d 100644
> +--- a/tests/automake.mk
> ++++ b/tests/automake.mk
> +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
> + 	tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
> + 	tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
> + 	tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
> +-	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
> ++	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
> ++	tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
> + 	$(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
> +             basename=`echo $$name | sed 's,^.*/,,'`; \
> +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
> +index e3173fb88..2347c690e 100644
> +--- a/tests/fuzz-regression-list.at
> ++++ b/tests/fuzz-regression-list.at
> +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
> ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
> +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +new file mode 100644
> +index 000000000..e69de29bb
> +-- 
> +2.17.1
> +
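
Review bot: the patch header (everything before the first inner `diff --git`) carries no `Upstream-Status:` or `CVE:` tag; add `Upstream-Status: Backport` and `CVE: CVE-2021-36980` beneath the Signed-off-by so the backport is recognisable at uprev time and cve-check can mark the CVE as patched. The cover letter points at upstream commit 65c61b0c while the embedded header reads `From 77cccc74...`; the two should agree, or the header should state which branch the other hash comes from. The code change itself is sound: `encap_ofs` records the header's offset before the property loop and `ofpbuf_at_assert(out, encap_ofs, sizeof *encap)` re-derives `encap` after decode_ed_prop() may have reallocated `out`. One thing to confirm: the regression input tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 is added empty (`index 000000000..e69de29bb` is git's empty-blob hash and the diffstat shows 0 lines), so check the backported corpus file matches upstream before relying on the ASan-only regression test the description mentions.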
> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
> index 1fa7fb2c..4f5454fe 100644
> --- a/recipes-networking/openvswitch/openvswitch_git.bb
> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
> @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
>              file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
>              file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
>              file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
> +            file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
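
Review bot: the three context lines above the added `file://0001-ofp-actions-...` entry (the run-vs-var-run patch and the two DPDK patches) must already be in the recipe's SRC_URI for this hunk to apply, so either state the base tree it was generated against or regenerate it on master. Since SRC_URI pins `branch=branch-2.15`, it is also worth checking whether a SRCREV bump that includes 65c61b0c (cited in the cover letter), if that commit is on branch-2.15, would carry the fix without a local patch.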

You generated this patch against something other than meta-virtualization
master, since the patches in context of this patch are not in the recipe.

The patch itself also should have an: Upstream-status: Backport, to help
when we uprev OVS next.

I've sorted out the patch context issue, and added the status. I started
a sanity build of OVS, and have staged this on master-next.

Bruce

>             "
>  
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
> -- 
> 2.17.1
> 
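The stale-pointer pattern the quoted commit message describes, as an added example that is not part of this thread or of OVS: a toy growable buffer (assumed names `buf`, `buf_put`, `buf_at`, `decode_fixed`, loosely modelled on ofpbuf) that moves its storage when it grows, with the offset-then-refetch fix applied the way `encap_ofs` and `ofpbuf_at_assert()` do in the hunk.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer standing in for ofpbuf (added example, not OVS code). */
struct buf { uint8_t *data; size_t size, cap; };
struct hdr { uint16_t n_props; };     /* stands in for struct ofpact_encap */

/* Append n zeroed bytes. Growth copies the data to a fresh block and frees the
 * old one, so any pointer taken earlier now dangles: the situation
 * decode_ed_prop() can create for 'encap' in the real decoder. */
static void *buf_put(struct buf *b, size_t n) {
    if (b->size + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < b->size + n) ncap *= 2;
        uint8_t *fresh = malloc(ncap);
        assert(fresh);
        if (b->data) { memcpy(fresh, b->data, b->size); free(b->data); }
        b->data = fresh;
        b->cap = ncap;
    }
    void *p = b->data + b->size;
    memset(p, 0, n);
    b->size += n;
    return p;
}

/* Re-derive a pointer from a saved offset, as ofpbuf_at_assert() does. */
static void *buf_at(struct buf *b, size_t ofs, size_t n) {
    assert(ofs + n <= b->size);
    return b->data + ofs;
}

/* Fixed pattern: record the header's offset, append n_props properties (each
 * append may move the buffer), then re-fetch the header pointer before
 * writing through it. *moved reports whether a pointer kept from before the
 * loop would have dangled. Returns n_props read back through a fresh pointer. */
static uint16_t decode_fixed(struct buf *out, uint16_t n_props, size_t prop_len,
                             int *moved) {
    const size_t hdr_ofs = out->size;               /* encap_ofs = out->size */
    buf_put(out, sizeof(struct hdr));
    uintptr_t before = (uintptr_t)out->data;         /* keep an address, not a pointer */
    for (uint16_t i = 0; i < n_props; i++) buf_put(out, prop_len);  /* decode_ed_prop() */
    *moved = (uintptr_t)out->data != before;
    struct hdr *h = buf_at(out, hdr_ofs, sizeof *h);   /* the fix: fresh pointer */
    h->n_props = n_props;
    return ((struct hdr *)buf_at(out, hdr_ofs, sizeof *h))->n_props;
}
```

With one 8-byte property the header and property fit in the initial 16-byte block and nothing moves; with forty the buffer grows several times, and a pointer taken before the loop would point into freed memory.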
