author | Chad Mynhier <chad.mynhier@oracle.com> |
Wed, 12 Oct 2016 11:24:25 -0700 | |
changeset 7095 | 6469e6424607 |
parent 5730 | cca4aa297e68 |
permissions | -rw-r--r-- |
5730
cca4aa297e68
22590644 OpenvSwitch should be updated to version 2.3.2
Mark Haywood <Mark.Haywood@Oracle.COM>
1 |
This patch fixes CVE-2016-2074. |
2 |
|
3 |
Multiple versions of Open vSwitch are vulnerable to remote buffer |
4 |
overflow attacks, in which crafted MPLS packets could overflow the |
5 |
buffer reserved for MPLS labels in an OVS internal data structure. |
6 |
The MPLS packets that trigger the vulnerability and the potential for |
7 |
exploitation vary depending on version: |
8 |
|
9 |
- Open vSwitch 2.1.x and earlier are not vulnerable. |
10 |
|
11 |
- In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be |
12 |
exploited for arbitrary remote code execution. |
13 |
- In Open vSwitch 2.4.x, the MPLS buffer overflow does not |
14 |
obviously lead to a remote code execution exploit, but testing |
15 |
shows that it can allow a remote denial of service. See the |
16 |
mitigation section for details. |
17 |
|
18 |
- Open vSwitch 2.5.x is not vulnerable. |
19 |
|
20 |
The Common Vulnerabilities and Exposures project (cve.mitre.org) has |
21 |
assigned the identifier CVE-2016-2074 to this issue. |
22 |
|
23 |
In OVS 2.3.x, this fix was applied by changeset: |
24 |
f4137393ef2fd23a70d987ee9f89454e25db1700 |
25 |
|
26 |
diff --git a/lib/flow.c b/lib/flow.c |
27 |
index 9018b66..c565032 100644 |
28 |
--- a/lib/flow.c |
29 |
+++ b/lib/flow.c |
30 |
@@ -159,7 +159,7 @@ struct mf_ctx { |
31 |
|
32 |
/* Data at 'valuep' may be unaligned. */ |
33 |
#define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \ |
34 |
-{ \ |
35 |
+if (N_WORDS) { \ |
36 |
int ofs32 = (OFS) / 4; \ |
37 |
\ |
38 |
MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \ |
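Review bot: With the new guard the macro expands to a bare `if (N_WORDS) { ... }`, which is not a single statement. Used under an unbraced `if` that has an `else`, it either fails to compile (call written with a trailing `;`) or lets the `else` bind to the macro's own `if` (call written without one). Wrapping the expansion as `do { if (N_WORDS) { ... } } while (0)` removes both cases. N_WORDS is also expanded at least twice in the visible lines (the guard and `MF.data + (N_WORDS)` in the assert), so an argument with side effects would be evaluated repeatedly; capturing it once in a local at the top of the block would avoid that. The macro body continues past the end of this hunk.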
39 |
@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep) |
40 |
break; |
41 |
} |
42 |
} |
43 |
- return MAX(count, FLOW_MAX_MPLS_LABELS); |
44 |
+ return MIN(count, FLOW_MAX_MPLS_LABELS); |
45 |
} |
46 |
|
47 |
static inline ovs_be16 |
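Review bot: The corrected `return MIN(count, FLOW_MAX_MPLS_LABELS);` is the only visible bound on the label count, and nothing at the return says why the bound matters. Going by the patch description, the value presumably sizes a copy into the fixed buffer reserved for MPLS labels, so a comment such as `/* Cap at FLOW_MAX_MPLS_LABELS: the result sizes a copy into a fixed-size label array. */` would help, once confirmed against the callers outside this hunk. A regression test that parses a label stack deeper than FLOW_MAX_MPLS_LABELS and checks the returned count would catch a future MAX/MIN swap. parse_mpls starts above the hunk, so how `count` is advanced is not visible here.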