authorLeonardo Arena <rnalrd@alpinelinux.org>2016-04-06 14:08:09 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-04-06 14:08:09 +0000
commit7bb4959e4f2e177f4ab1279aa2667318067cf853 (patch)
tree14d07f29277b8908ce2ad181957c675488ea832f
parentbd21f0c34fd699ed29fabb46e98b0ad0a522d5db (diff)
main/openvswitch: security fix (CVE-2016-2074). Fixes #5337
-rw-r--r--main/openvswitch/APKBUILD13
-rw-r--r--main/openvswitch/CVE-2016-2074.patch77
2 files changed, 86 insertions, 4 deletions
diff --git a/main/openvswitch/APKBUILD b/main/openvswitch/APKBUILD
index d772ae6bc41..82f4853a5db 100644
--- a/main/openvswitch/APKBUILD
+++ b/main/openvswitch/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=openvswitch
pkgver=2.4.0
-pkgrel=1
+pkgrel=2
pkgdesc="A production quality, multilayer virtual switch"
url="http://openvswitch.org/"
arch="all"
@@ -17,10 +17,12 @@ source="http://openvswitch.org/releases/$pkgname-$pkgver.tar.gz
ovs-vswitchd.initd
ovs-vswitchd.confd
ovs-modules.initd
+
musl-if_packet.patch
0001-ovs-thread-Set-stacksize-to-1M.patch
ifupdown-alpine.patch
readme.debian.patch
+ CVE-2016-2074.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
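Review bot: Nothing in this hunk shows CVE-2016-2074.patch actually being applied; listing it in `source=` only fetches and checksums it. If this APKBUILD's prepare() (outside the hunk) applies an explicit list of patches rather than every `*.patch` entry in `$source`, the package would ship as pkgrel 2 without the fix, so it is worth confirming from the build log that the patch applies to lib/flow.c. The empty line added after `ovs-modules.initd` is unrelated to the fix and can be dropped.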
@@ -103,7 +105,8 @@ f10a8ac784654bec359bda52779f16fe ovsdb-server.confd
58bee4f4b4e632f2af74b91e27f68b5d musl-if_packet.patch
59fa9a6d293a25571562a5190ae559f2 0001-ovs-thread-Set-stacksize-to-1M.patch
85d556990605747b2e5ddf782e2406db ifupdown-alpine.patch
-7f8fe9a891992bebf476a58122dabd60 readme.debian.patch"
+7f8fe9a891992bebf476a58122dabd60 readme.debian.patch
+b021af33ee97ad33396faee9a73362db CVE-2016-2074.patch"
sha256sums="424c5a8dea1c5b153e8c1803bb041d0495e81379fb6f386dd58ee903a7681b9a openvswitch-2.4.0.tar.gz
737be74a4ce951cd49b9cd85696ff5cbdb54fa7ad52c831494fcf336487fc420 ovsdb-server.initd
d0d8a6a7256f4cc47ab1b9f9f7657202388133bcfff3668e7c1d4adbcc572261 ovsdb-server.confd
@@ -113,7 +116,8 @@ cc189d5ca24708ff775a4de312df3f611c65714724b8901ec6527c9e3f22e14a ovs-vswitchd.c
ccd08d23963f3a3ac153df0746a117eea8544aa77f4adfa8f86dc5e22640a5f6 musl-if_packet.patch
faf997814e89b0b5948c06050ef38051f0bc6b108958f76313263f77a724906c 0001-ovs-thread-Set-stacksize-to-1M.patch
ac312e42b5d47137f860091ad041e7486107ba7956d37cd5a5c91893f7b8a3b3 ifupdown-alpine.patch
-942c34f14f6c6db92e2afe20c94fe6302bbb5e41eba2391713f908de101a5177 readme.debian.patch"
+942c34f14f6c6db92e2afe20c94fe6302bbb5e41eba2391713f908de101a5177 readme.debian.patch
+821e3eca2fcc929ba9ba6856f87ed084010a270999b838a5f838439aad516d17 CVE-2016-2074.patch"
sha512sums="bd66bcb37beacb0d684001609c26d9dc487efde0ecb051004813b0f8a5999039207b012617195d82d56aefe9a1756615e2158e531a71e9b1e5e10345f0370bae openvswitch-2.4.0.tar.gz
097d4721a78fff749c534910d98543778474406bd61b469b88a0d981a2a380556444437ec44278cead6d8688c45a38b2acbf1551acb9ab38d048f413728e3b88 ovsdb-server.initd
b1588d076bbfc7ef2dd46fce8e46186f40cbbc4667697f7ac13ddc68e34568fdab315fde47838de7f6d32916853190336cfe3735f672ad7cb624ae14dbff55a5 ovsdb-server.confd
@@ -123,4 +127,5 @@ b1588d076bbfc7ef2dd46fce8e46186f40cbbc4667697f7ac13ddc68e34568fdab315fde47838de7
c5f137bce28bf80c1e5a6ca18722dae9a5ecff03d20bf92642270951bbbb499e5fb05a08163442720e866d135fcd7426b88add0b42ed240d5f0c068aa9fcd9da musl-if_packet.patch
5fed04e68b58ab322154fa1cc4c4b63b08c22ed41f0b7713dbe8437f7cb4e9fd93c8aba524c2e5a46bba956da9439f5bfe5ba6fcdff2b98fa9bbcc748c5b64db 0001-ovs-thread-Set-stacksize-to-1M.patch
0f2847986783f020f0708f2b185f10d1d34ead679bcae553a42df34a244c815e6e7346a2d73af69aff86258ecb3c855630a99ec28c6c7567bcfeacfb5379e5ee ifupdown-alpine.patch
-346f11a81f1538513151ea328fcbf2cdfc3c864aa34ea522055bc70266b9b2b2e05bdc0691593a9a1e4ef360d89d465507623edbcd9f764e3707d852736c895c readme.debian.patch"
+346f11a81f1538513151ea328fcbf2cdfc3c864aa34ea522055bc70266b9b2b2e05bdc0691593a9a1e4ef360d89d465507623edbcd9f764e3707d852736c895c readme.debian.patch
+a35f50096984be9980c42926b41fb6671d1b6905c6953719cd2e0e01eb7e0ec23c02b5eef9959fbccc386a1a989ad93ff01fdd3acd7423bb33791bcca932b9a7 CVE-2016-2074.patch"
diff --git a/main/openvswitch/CVE-2016-2074.patch b/main/openvswitch/CVE-2016-2074.patch
new file mode 100644
index 00000000000..52fe7697712
--- /dev/null
+++ b/main/openvswitch/CVE-2016-2074.patch
@@ -0,0 +1,77 @@
+From: Ben Pfaff <blp at ovn.org>
+Date: Fri, 26 Feb 2016 15:00:13 -0800
+Subject: [PATCH branch-2.4] flow: Fix remote DoS for crafted MPLS packets with
+ debug logging enabled.
+
+A crafted MPLS packet yields a zero 'count' in this excerpt from
+miniflow_extract():
+
+ count = parse_mpls(&data, &size);
+ miniflow_push_words_32(mf, mpls_lse, mpls, count);
+
+In turn, miniflow_push_words_32() updated mf.map as follows:
+
+ MF.map |= ((UINT64_MAX >> (64 - DIV_ROUND_UP(N_WORDS, 2))) << ofs64);
+
+which expanded to:
+
+ mf.map |= (UINT64_MAX >> 64) << ofs64;
+
+Unforunately, C renders shifting a 64-bit constant by 64 bits undefined.
+On common x86 platforms, 'n << 64' is equal to 'n', so this behaves as:
+
+ mf.map |= UINT64_MAX << ofs64;
+
+In this particular case, ofs64 is 15, so this sets the most-significant 48
+bits of mf.map (a 63-bit bit-field) to 1. Only the least-significant 28
+bits of mf.map should ever be set to 1, so this sets 35 bits to 1 that
+should never be. Because of the structure of the data structure that
+mf.map is embedded within, this makes it possible later to overwrite 8*35
+== 280 bytes of data in the stack. However, there is no obvious way to
+control the data used in the overwrite--it is memcpy'd from one place to
+another but the source data does not come from the network. In the bug
+reporter's testing, this overwrite caused a userspace crash if debug
+logging was enabled, but not otherwise.
+
+This commit fixes the problem by avoiding the out-of-range shift.
+
+Vulnerability: CVE-2016-2074
+Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+Acked-by: Jesse Gross <jesse at kernel.org>
+---
+ lib/flow.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/flow.c b/lib/flow.c
+index 5df23a9..03c175a 100644
+--- a/lib/flow.c
++++ b/lib/flow.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
++ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -197,7 +197,7 @@ BUILD_MESSAGE("FLOW_WC_SEQ changed: miniflow_extract() will have runtime "
+
+ /* Data at 'valuep' may be unaligned. */
+ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \
+-{ \
++if (N_WORDS) { \
+ int ofs64 = (OFS) / 8; \
+ \
+ MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 8 == 0 \
+@@ -210,7 +210,7 @@ BUILD_MESSAGE("FLOW_WC_SEQ changed: miniflow_extract() will have runtime "
+
+ /* Push 32-bit words padded to 64-bits. */
+ #define miniflow_push_words_32_(MF, OFS, VALUEP, N_WORDS) \
+-{ \
++if (N_WORDS) { \
+ int ofs64 = (OFS) / 8; \
+ \
+ MINIFLOW_ASSERT(MF.data + DIV_ROUND_UP(N_WORDS, 2) <= MF.end \
+--
+2.1.3
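Review bot: Turning the opening `{` into `if (N_WORDS) {` makes both `miniflow_push_words_()` and `miniflow_push_words_32_()` expand to a bare `if` statement, so an `else` written after a call site would silently bind to the macro's own `if`. Wrapping the bodies as `do { if (N_WORDS) { ... } } while (0)` keeps the zero-count guard while making each macro behave as a single statement; the macro bodies continue past both hunks, so their closing lines are not visible here. `N_WORDS` is also expanded in the guard and again in `MINIFLOW_ASSERT`, which deserves a comment such as `/* N_WORDS is evaluated more than once; pass a side-effect-free expression. */`. The guard covers only a count of zero: per the formula quoted in the description the shift amount is still derived from N_WORDS, so whether large counts are bounded before reaching these macros depends on the callers and on MINIFLOW_ASSERT being active, neither of which is shown.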