CVE-2022-32166: flow: Avoid unsafe comparison of minimasks. · cloudbase/ovs@2ed6505

ovs versions v0.90.0 through v2.5.0 are vulnerable to a heap buffer over-read in flow.c. An unsafe comparison in the “minimasks” function could lead to access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.

flow: Avoid unsafe comparison of minimasks.

The following, run inside the OVS sandbox, caused OVS to abort when Address Sanitizer was used:

ovs-vsctl add-br br-int
ovs-ofctl add-flow br-int "table=0,cookie=0x1234,priority=10000,icmp,actions=drop"
ovs-ofctl --strict del-flows br-int "table=0,cookie=0x1234/-1,priority=10000"

Sample report from Address Sanitizer:

==3029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000043260 at pc 0x7f6b09c2459b bp 0x7ffcb67e7540 sp 0x7ffcb67e6cf0
READ of size 40 at 0x603000043260 thread T0
    #0 0x7f6b09c2459a (/lib/x86_64-linux-gnu/libasan.so.5+0xb859a)
    #1 0x565110a748a5 in minimask_equal …/lib/flow.c:3510
    #2 0x565110a9ea41 in minimatch_equal …/lib/match.c:1821
    #3 0x56511091e864 in collect_rules_strict …/ofproto/ofproto.c:4516
    #4 0x56511093d526 in delete_flow_start_strict …/ofproto/ofproto.c:5959
    #5 0x56511093d526 in ofproto_flow_mod_start …/ofproto/ofproto.c:7949
    #6 0x56511093d77b in handle_flow_mod__ …/ofproto/ofproto.c:6122
    #7 0x56511093db71 in handle_flow_mod …/ofproto/ofproto.c:6099
    #8 0x5651109407f6 in handle_single_part_openflow …/ofproto/ofproto.c:8406
    #9 0x5651109407f6 in handle_openflow …/ofproto/ofproto.c:8587
    #10 0x5651109e40da in ofconn_run …/ofproto/connmgr.c:1318
    #11 0x5651109e40da in connmgr_run …/ofproto/connmgr.c:355
    #12 0x56511092b129 in ofproto_run …/ofproto/ofproto.c:1826
    #13 0x5651108f23cd in bridge_run__ …/vswitchd/bridge.c:2965
    #14 0x565110904887 in bridge_run …/vswitchd/bridge.c:3023
    #15 0x5651108e659c in main …/vswitchd/ovs-vswitchd.c:127
    #16 0x7f6b093b709a in __libc_start_main …/csu/libc-start.c:308
    #17 0x5651108e9009 in _start (/home/blp/nicira/ovs/_build/vswitchd/ovs-vswitchd+0x11d009)

This fixes the problem, which although largely theoretical could crop up with odd implementations of memcmp(), perhaps ones optimized in various “clever” ways. All in all, it seems best to avoid the theoretical problem.

Acked-by: Dumitru Ceara
Signed-off-by: Ben Pfaff
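
A simplified model of the comparison problem the commit message describes, added here as an example and not taken from the OVS source. `struct sparse_mask`, `mask_new`, `overread_bytes` and `mask_equal` are hypothetical names, and the bitmap-plus-values layout is an assumed stand-in for a minimask.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a minimask (assumed layout, not the OVS struct):
 * a bitmap header followed by one 64-bit value per set bit. */
struct sparse_mask {
    uint64_t map;
    uint64_t values[];
};

static size_t count_bits(uint64_t bits)
{
    size_t n = 0;
    for (; bits; bits &= bits - 1) n++;
    return n;
}

size_t mask_size(const struct sparse_mask *m)   /* bytes allocated for 'm' */
{
    return sizeof *m + count_bits(m->map) * sizeof(uint64_t);
}

struct sparse_mask *mask_new(uint64_t map, const uint64_t *vals)
{
    size_t n = count_bits(map);
    struct sparse_mask *m = malloc(sizeof *m + n * sizeof(uint64_t));
    if (!m) return NULL;
    m->map = map;
    if (n) memcpy(m->values, vals, n * sizeof(uint64_t));
    return m;
}

/* Unsafe pattern: a single memcmp(a, b, mask_size(a)) assumes 'b' is as long
 * as 'a'.  Returns how many bytes past the end of 'b' that call may read. */
size_t overread_bytes(const struct sparse_mask *a, const struct sparse_mask *b)
{
    size_t la = mask_size(a), lb = mask_size(b);
    return la > lb ? la - lb : 0;
}

/* Safe pattern: compare the fixed-size header first.  Equal maps imply equal
 * value counts, so the memcmp below stays inside both allocations. */
bool mask_equal(const struct sparse_mask *a, const struct sparse_mask *b)
{
    return a->map == b->map
        && !memcmp(a->values, b->values, count_bits(a->map) * sizeof(uint64_t));
}
```

Whether the single-`memcmp` form actually touches the extra bytes depends on the `memcmp()` implementation, which is why the issue tends to show up under Address Sanitizer rather than as a routine crash.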

Related news

Ubuntu Security Notice USN-5698-2

Ubuntu Security Notice 5698-2 - USN-5698-1 fixed a vulnerability in Open vSwitch. This update provides the corresponding update for Ubuntu 16.04 ESM. It was discovered that Open vSwitch incorrectly handled comparison of certain minimasks. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-5698-1

Ubuntu Security Notice 5698-1 - It was discovered that Open vSwitch incorrectly handled comparison of certain minimasks. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.
