From 4f05fe1e7267072f805630162b209de4d979d4a0 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 25 Jan 2024 03:33:24 +0300 Subject: [PATCH] import frr-8.3.1-11.el9_3.2 --- SOURCES/0015-CVE-2023-47235.patch | 110 ++++++++++++++++++++++++++++++ SOURCES/0016-CVE-2023-47234.patch | 95 ++++++++++++++++++++++++++ SOURCES/0017-CVE-2023-38406.patch | 34 +++++++++ SOURCES/0018-CVE-2023-38407.patch | 54 +++++++++++++++ SPECS/frr.spec | 18 ++++- 5 files changed, 310 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0015-CVE-2023-47235.patch create mode 100644 SOURCES/0016-CVE-2023-47234.patch create mode 100644 SOURCES/0017-CVE-2023-38406.patch create mode 100644 SOURCES/0018-CVE-2023-38407.patch diff --git a/SOURCES/0015-CVE-2023-47235.patch b/SOURCES/0015-CVE-2023-47235.patch new file mode 100644 index 0000000..6d0504b --- /dev/null +++ b/SOURCES/0015-CVE-2023-47235.patch @@ -0,0 +1,110 @@ +From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 13 Dec 2023 16:59:46 +0100 +Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of + malformed attrs + +Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be +processed as a normal UPDATE without mandatory attributes, that could lead +to harmful behavior. In this case, a crash for route-maps with the configuration +such as: + +``` +router bgp 65001 + no bgp ebgp-requires-policy + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + ! + address-family ipv4 unicast + neighbor 127.0.0.1 addpath-tx-all-paths + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Send a malformed optional transitive attribute: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = s.recv(1024) +time.sleep(100) +s.close() +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis + +(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b) +--- + bgpd/bgp_attr.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index a121911..12a6953 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an +- * empty UPDATE. */ ++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, ++ * we will pass it to be processed as a normal UPDATE without mandatory ++ * attributes, that could lead to harmful behavior. ++ */ + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) +- return BGP_ATTR_PARSE_PROCEED; ++ return BGP_ATTR_PARSE_WITHDRAW; + + /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required + to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +@@ -3507,7 +3510,13 @@ done: + aspath_unintern(&as4_path); + + transit = bgp_attr_get_transit(attr); +- if (ret != BGP_ATTR_PARSE_ERROR) { ++ /* If we received an UPDATE with mandatory attributes, then ++ * the unrecognized transitive optional attribute of that ++ * path MUST be passed. Otherwise, it's an error, and from ++ * security perspective it might be very harmful if we continue ++ * here with the unrecognized attributes. ++ */ ++ if (ret == BGP_ATTR_PARSE_PROCEED) { + /* Finally intern unknown attribute. */ + if (transit) + bgp_attr_set_transit(attr, transit_intern(transit)); +-- +2.43.0 + diff --git a/SOURCES/0016-CVE-2023-47234.patch b/SOURCES/0016-CVE-2023-47234.patch new file mode 100644 index 0000000..0b83f69 --- /dev/null +++ b/SOURCES/0016-CVE-2023-47234.patch @@ -0,0 +1,95 @@ +From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 13 Dec 2023 18:25:48 +0100 +Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI + +If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if +no mandatory path attributes received. + +In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled +as a new data, but without mandatory attributes, it's a malformed packet. + +In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST +handle that. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +Signed-off-by: Christian Breunig + +(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf) +--- + bgpd/bgp_attr.c | 19 ++++++++++--------- + bgpd/bgp_attr.h | 1 + + bgpd/bgp_packet.c | 7 ++++++- + 3 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 12a6953..8b02f2c 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) + return BGP_ATTR_PARSE_WITHDRAW; + +- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required +- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +- are present, it should. Check for any other attribute being present +- instead. +- */ +- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && +- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) +- return BGP_ATTR_PARSE_PROCEED; +- + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) + type = BGP_ATTR_ORIGIN; + +@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) + type = BGP_ATTR_LOCAL_PREF; + ++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required ++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI ++ * are present, it should. Check for any other attribute being present ++ * instead. ++ */ ++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && ++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) ++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY ++ : BGP_ATTR_PARSE_PROCEED; ++ + /* If any of the well-known mandatory attributes are not present + * in an UPDATE message, then "treat-as-withdraw" MUST be used. + */ +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 06f350b..b9dfec9 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret { + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, + BGP_ATTR_PARSE_EOR = -4, ++ BGP_ATTR_PARSE_MISSING_MANDATORY = -5, + }; + + struct bpacket_attr_vec_arr; +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index a5f065a..cdf0734 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len) { ++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then ++ * NLRIs should be handled as a new data. Though, if we received ++ * NLRIs without mandatory attributes, they should be ignored. ++ */ ++ if (update_len && attribute_len && ++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.43.0 + diff --git a/SOURCES/0017-CVE-2023-38406.patch b/SOURCES/0017-CVE-2023-38406.patch new file mode 100644 index 0000000..56c9296 --- /dev/null +++ b/SOURCES/0017-CVE-2023-38406.patch @@ -0,0 +1,34 @@ +From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 23 Feb 2023 13:29:32 -0500 +Subject: [PATCH] bgpd: Flowspec overflow issue + +According to the flowspec RFC 8955 a flowspec nlri is > +Specifying 0 as a length makes BGP get all warm on the inside. Which +in this case is not a good thing at all. Prevent warmth, stay cold +on the inside. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +--- + bgpd/bgp_flowspec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c +index 8d5ca5e77779..f9debe43cd45 100644 +--- a/bgpd/bgp_flowspec.c ++++ b/bgpd/bgp_flowspec.c +@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, + psize); + return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; + } ++ ++ if (psize == 0) { ++ flog_err(EC_BGP_FLOWSPEC_PACKET, ++ "Flowspec NLRI length 0 which makes no sense"); ++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; ++ } ++ + if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { + flog_err( + EC_BGP_FLOWSPEC_PACKET, diff --git a/SOURCES/0018-CVE-2023-38407.patch b/SOURCES/0018-CVE-2023-38407.patch new file mode 100644 index 0000000..dbd4e9e --- /dev/null +++ b/SOURCES/0018-CVE-2023-38407.patch @@ -0,0 +1,54 @@ +From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Fri, 3 Mar 2023 21:58:33 -0500 +Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing + +Fixes a couple crashes associated with attempting to read +beyond the end of the stream. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +--- + bgpd/bgp_label.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c +index 0cad119af101..c4a5277553ba 100644 +--- a/bgpd/bgp_label.c ++++ b/bgpd/bgp_label.c +@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen, + uint8_t llen = 0; + uint8_t label_depth = 0; + ++ if (plen < BGP_LABEL_BYTES) ++ return 0; ++ + for (; data < lim; data += BGP_LABEL_BYTES) { + memcpy(label, data, BGP_LABEL_BYTES); + llen += BGP_LABEL_BYTES; +@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, + memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN); + addpath_id = ntohl(addpath_id); + pnt += BGP_ADDPATH_ID_LEN; ++ ++ if (pnt >= lim) ++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; + } + + /* Fetch prefix length. */ +@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, + + /* Fill in the labels */ + llen = bgp_nlri_get_labels(peer, pnt, psize, &label); ++ if (llen == 0) { ++ flog_err( ++ EC_BGP_UPDATE_RCV, ++ "%s [Error] Update packet error (wrong label length 0)", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR, ++ BGP_NOTIFY_UPDATE_INVAL_NETWORK); ++ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH; ++ } + p.prefixlen = prefixlen - BSIZE(llen); + + /* There needs to be at least one label */ diff --git a/SPECS/frr.spec b/SPECS/frr.spec index 384380e..2841a20 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 8.3.1 -Release: 11%{?checkout}%{?dist}.1 +Release: 11%{?checkout}%{?dist}.2 Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -77,6 +77,10 @@ Patch0011: 0011-CVE-2022-40318.patch Patch0012: 0012-bfd-not-working-in-vrf.patch Patch0013: 0013-CVE-2023-38802.patch Patch0014: 0014-max-ttl-reload.patch +Patch0015: 0015-CVE-2023-47235.patch +Patch0016: 0016-CVE-2023-47234.patch +Patch0017: 0017-CVE-2023-38406.patch +Patch0018: 0018-CVE-2023-38407.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -282,6 +286,18 @@ make check PYTHON=%{__python3} %endif %changelog +* Thu Dec 21 2023 Michal Ruprich - 8.3.1-11.2 +- Resolves: RHEL-17480 - Out of bounds read in bgpd/bgp_label.c + +* Thu Dec 21 2023 Michal Ruprich - 8.3.1-11.2 +- Resolves: RHEL-17474 - Flowspec overflow in bgpd/bgp_flowspec.c + +* Tue Dec 19 2023 Michal Ruprich - 8.3.1-11.2 +- Resolves: RHEL-17471 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message + +* Mon Dec 18 2023 Michal Ruprich - 8.3.1-11.2 +- Resolves: RHEL-17477 - crash from malformed EOR-containing BGP UPDATE message + * Wed Oct 11 2023 Michal Ruprich - 8.3.1-11.1 - Resolves: RHEL-11665 - eBGP multihop peer flapping due to delta miscalculation of new configuration