!196 [sync] PR-191: fix CVE-2022-2639

From: @openeuler-sync-bot Reviewed-by: @robertxw Signed-off-by: @robertxw
2024-03-30 01:56:30 +00:00 · 2024-03-30 01:56:30 +00:00 · 99620bcd09
commit 99620bcd09
parent 33c3977259 af152b83ab
2 changed files with 44 additions and 1 deletions
--- a/backport-CVE-2022-2639.patch
+++ b/backport-CVE-2022-2639.patch
@ -0,0 +1,36 @@
+From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
+From: Paolo Valerio <pvalerio@redhat.com>
+Date: Fri, 15 Apr 2022 10:08:41 +0200
+Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
+
+Given a sufficiently large number of actions, while copying and
+reserving memory for a new action of a new flow, if next_offset is
+greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
+not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
+bytes increasing actions_len by req_size. This can then lead to an OOB
+write access, especially when further actions need to be copied.
+
+Fix it by rearranging the flow action size check.
+
+Conflict:NA
+Reference:https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
+---
+ datapath/flow_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
+index 0f7ab53..1f04072 100644
+--- a/datapath/flow_netlink.c
+++ b/datapath/flow_netlink.c
+@@ -2322,7 +2322,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
+ 	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
+ 
+ 	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+-		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
+ 			OVS_NLERR(log, "Flow action size exceeds max %u",
+ 				  MAX_ACTIONS_BUFSIZE);
+ 			return ERR_PTR(-EMSGSIZE);
+-- 
+2.33.0
+
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -9,7 +9,7 @@ Summary:        Production Quality, Multilayer Open Virtual Switch
 URL:            http://www.openvswitch.org/
 Version:        2.12.4
 License:        ASL 2.0 and ISC
-Release:        7
+Release:        8
 Source:         https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot:      /tmp/openvswitch-rpm
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
@ -22,6 +22,7 @@ Patch6002:      backport-CVE-2023-5366.patch
 Patch6003:      backport-0001-CVE-2023-3966.patch
 Patch6004:      backport-0002-CVE-2023-3966.patch
 Patch6005:      backport-0003-CVE-2023-3966.patch
+Patch6006:      backport-CVE-2022-2639.patch

 Patch9000:      fix-selinux-err.patch

@ -298,6 +299,12 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst

 %changelog
+* Fri Mar 29 2024 yanglu <yanglu72@h-partners.com> - 2.12.4-8
+- Type:CVE
+- Id:CVE-2022-2639
+- SUG:NA
+- DESC:fix CVE-2022-2639
+
 * Tue Feb 20 2024 zhangpan <zhangpan103@h-pattners.com> - 2.12.4-7
 - fix CVE-2023-3966