!196 [sync] PR-191: fix CVE-2022-2639
From: @openeuler-sync-bot Reviewed-by: @robertxw Signed-off-by: @robertxw
commit
99620bcd09
36
backport-CVE-2022-2639.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paolo Valerio <pvalerio@redhat.com>
|
||||||
|
Date: Fri, 15 Apr 2022 10:08:41 +0200
|
||||||
|
Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
|
||||||
|
|
||||||
|
Given a sufficiently large number of actions, while copying and
|
||||||
|
reserving memory for a new action of a new flow, if next_offset is
|
||||||
|
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
|
||||||
|
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
|
||||||
|
bytes increasing actions_len by req_size. This can then lead to an OOB
|
||||||
|
write access, especially when further actions need to be copied.
|
||||||
|
|
||||||
|
Fix it by rearranging the flow action size check.
|
||||||
|
|
||||||
|
Conflict:NA
|
||||||
|
Reference:https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
|
||||||
|
---
|
||||||
|
datapath/flow_netlink.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
|
||||||
|
index 0f7ab53..1f04072 100644
|
||||||
|
--- a/datapath/flow_netlink.c
|
||||||
|
+++ b/datapath/flow_netlink.c
|
||||||
|
@@ -2322,7 +2322,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
|
||||||
|
new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
|
||||||
|
|
||||||
|
if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
|
||||||
|
- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
|
||||||
|
+ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
|
||||||
|
OVS_NLERR(log, "Flow action size exceeds max %u",
|
||||||
|
MAX_ACTIONS_BUFSIZE);
|
||||||
|
return ERR_PTR(-EMSGSIZE);
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
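Review bot: The embedded commit message says reserve_sfa_size() fails to return -EMSGSIZE when next_offset is greater than MAX_ACTIONS_BUFSIZE, but it does not say why the removed check `if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {` misses that case, which makes the one-line change hard to audit. In that case the subtraction drops below zero, so whether the comparison with req_size fires depends on the operand types, which this hunk does not show. The added line compares `next_offset + req_size`, the same sum used on the context line that computes new_acts_size, directly against the limit. Consider adding a sentence to that effect. Also, the Reference line points at a torvalds/linux commit while the diff is against datapath/flow_netlink.c, so the header should state that the change was carried over to this tree's copy of the file rather than leaving only `Conflict:NA`.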
@ -9,7 +9,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
|
|||||||
URL: http://www.openvswitch.org/
|
URL: http://www.openvswitch.org/
|
||||||
Version: 2.12.4
|
Version: 2.12.4
|
||||||
License: ASL 2.0 and ISC
|
License: ASL 2.0 and ISC
|
||||||
Release: 7
|
Release: 8
|
||||||
Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
|
Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
|
||||||
Buildroot: /tmp/openvswitch-rpm
|
Buildroot: /tmp/openvswitch-rpm
|
||||||
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
|
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
|
||||||
@ -22,6 +22,7 @@ Patch6002: backport-CVE-2023-5366.patch
|
|||||||
Patch6003: backport-0001-CVE-2023-3966.patch
|
Patch6003: backport-0001-CVE-2023-3966.patch
|
||||||
Patch6004: backport-0002-CVE-2023-3966.patch
|
Patch6004: backport-0002-CVE-2023-3966.patch
|
||||||
Patch6005: backport-0003-CVE-2023-3966.patch
|
Patch6005: backport-0003-CVE-2023-3966.patch
|
||||||
|
Patch6006: backport-CVE-2022-2639.patch
|
||||||
|
|
||||||
Patch9000: fix-selinux-err.patch
|
Patch9000: fix-selinux-err.patch
|
||||||
|
|
||||||
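Review bot: `Patch6006: backport-CVE-2022-2639.patch` is declared here, but none of the spec hunks in this commit touches %prep, so the diff alone does not show that the patch is applied at build time. If the spec applies patches one by one, a matching line for Patch6006 is needed. If it applies every declared patch automatically, please say so in the PR description so the reviewer does not have to open the full spec. Since the patched file lives under datapath/, it is also worth confirming that this package actually builds that directory, otherwise the fix has no effect on the shipped binaries.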
@ -298,6 +299,12 @@ exit 0
|
|||||||
%doc README.rst NEWS rhel/README.RHEL.rst
|
%doc README.rst NEWS rhel/README.RHEL.rst
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 29 2024 yanglu <yanglu72@h-partners.com> - 2.12.4-8
|
||||||
|
- Type:CVE
|
||||||
|
- Id:CVE-2022-2639
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix CVE-2022-2639
|
||||||
|
|
||||||
* Tue Feb 20 2024 zhangpan <zhangpan103@h-pattners.com> - 2.12.4-7
|
* Tue Feb 20 2024 zhangpan <zhangpan103@h-pattners.com> - 2.12.4-7
|
||||||
- fix CVE-2023-3966
|
- fix CVE-2023-3966
|
||||||
|
|
||||||
|
|||||||
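Review bot: The new changelog entry's `- DESC:fix CVE-2022-2639` repeats the Id line and tells an operator nothing about what was fixed. Suggest something like "fix OOB access in reserve_sfa_size()", taken from the patch subject. The entry also uses the Type/Id/SUG/DESC layout while the 2.12.4-7 entry below it is a single `- fix CVE-2023-3966` line, so pick one layout for the file.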