[pve-devel] [PATCH ovs] Fix CVE-2016-2074

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Mar 31 09:48:09 CEST 2016


flow: Fix buffer overflow for crafted MPLS packets.
---
Seems to be in the userspace library part.

 pvepatches/CVE-2016-2074.patch | 54 ++++++++++++++++++++++++++++++++++++++++++
 pvepatches/series              |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 pvepatches/CVE-2016-2074.patch

diff --git a/pvepatches/CVE-2016-2074.patch b/pvepatches/CVE-2016-2074.patch
new file mode 100644
index 0000000..5cf703b
--- /dev/null
+++ b/pvepatches/CVE-2016-2074.patch
@@ -0,0 +1,54 @@
+From: Ben Pfaff <blp at ovn.org>
+Date: Mon, 7 Mar 2016 15:30:39 -0800
+Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets.
+
+A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
+buffer reserved for MPLS labels in the OVS internal flow structure.  This
+fixes the problem.
+
+This commit also fixes a secondary problem where an MPLS packet with zero
+labels could cause an out-of-range shift that would overwrite memory.
+There is no obvious way to control the data used in the overwrite, so this
+is harder to exploit.
+
+Vulnerability: CVE-2016-2074
+Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+Acked-by: Jesse Gross <jesse at kernel.org>
+---
+ lib/flow.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/flow.c b/lib/flow.c
+index 52a384e..61a66ec 100644
+--- a/lib/flow.c
++++ b/lib/flow.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
++ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -159,7 +159,7 @@ struct mf_ctx {
+ 
+ /* Data at 'valuep' may be unaligned. */
+ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS)          \
+-{                                                               \
++if (N_WORDS) {                                                  \
+     int ofs32 = (OFS) / 4;                                      \
+                                                                         \
+     MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0     \
+@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep)
+             break;
+         }
+     }
+-    return MAX(count, FLOW_MAX_MPLS_LABELS);
++    return MIN(count, FLOW_MAX_MPLS_LABELS);
+ }
+ 
+ static inline ovs_be16
+-- 
+2.1.3
+
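Review bot: the substantive fix is the MAX to MIN swap in the parse_mpls hunk: `return MAX(count, FLOW_MAX_MPLS_LABELS);` can never evaluate to less than FLOW_MAX_MPLS_LABELS, so it never capped the label count that the caller pushes into the flow's fixed-size MPLS area; `return MIN(count, FLOW_MAX_MPLS_LABELS);` is what actually bounds it. The `if (N_WORDS) {` change in miniflow_push_words_ covers the zero-label case named in the commit message, but it turns the macro body from a plain block into an `if` statement, so an invocation of the form `if (c) miniflow_push_words_(...); else ...` now has a dangling-else hazard; `do { ... } while (0)` would be the safer idiom, though since this is a verbatim backport of the upstream branch-2.3 commit it is reasonable to keep it identical to upstream rather than diverge. Please also confirm the ovs tree this package builds is 2.3.x so the `@@ -159,7` and `@@ -210,7` context applies without fuzz.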
diff --git a/pvepatches/series b/pvepatches/series
index e810b29..d810d02 100644
--- a/pvepatches/series
+++ b/pvepatches/series
@@ -3,3 +3,4 @@ fix-init-script-patch
 fix-init-depends.patch
 install-systemd-services.patch
 use-systemctl-inside-ifupdown.patch
+CVE-2016-2074.patch
-- 
2.1.4
