Bug vde_plug input handling can cause either frame loss/corruption or buffer overread by 1

Bug #629439 reported by halfdog
Affects          Status         Importance   Assigned to   Milestone
vde2 (Ubuntu)    Fix Released   High         Unassigned
    Declined for Hardy by Logan Rosen
    Declined for Natty by Logan Rosen
    Declined for Oneiric by Logan Rosen
Lucid            Won't Fix      High         Unassigned
Precise          Won't Fix      High         Unassigned

Bug Description

=======================================================
SRU Justification
Impact: data is discarded under certain conditions
Regression potential: the fix has been in Ubuntu releases since quantal
Test case: an exploit is at http://www.halfdog.net/Security/VdeNetBufferBug/
=======================================================

Binary package hint: vde2

The vde_plug (at least on Ubuntu hardy) contains a bug that is
triggered when a certain amount of encapsulated ether frame data
is sent to the plug in a specially timed manner. When the input
buffer is filled with just a single byte, vde_plug also uses the
first byte after the end of data, thus constructing an invalid
frame length. Depending on the frame length, either just one byte or the
complete buffer content is discarded, leading to a lost single
byte or lost complete frame content. Code from vde_plug.c:

...
void splitpacket(const unsigned char *buf,int size,VDECONN *conn)
{
....
        while (size > 0) {
                /* with size == 1 this reads buf[1], one byte past the data */
                rnx=(buf[0]<<8)+buf[1];
                size-=2;

More info, testcases, see http://www.halfdog.net/Security/VdeNetBufferBug/

Bug also reported upstream:
http://sourceforge.net/tracker/?func=detail&aid=3058721&group_id=95403&atid=611248

Affected version:
ii vde2 2.1.6+r154-1 Virtual Distributed Ethernet

System: Hardy 8.04
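
The bounded alternative to the loop above, as an added example that is not vde2's own code or the upstream fix: a 2-byte length header is only decoded once both bytes have arrived, a chunk that ends after buf[0] leaves that byte pending for the next read, and an impossible length resets the stream instead of discarding data silently. The names (stream_state, feed_chunk, MAX_FRAME) are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example, not vde2 code: bounded reassembly for the vde_plug
 * wire format (2-byte big-endian length, then the frame). Bytes that arrive
 * without their full header or body are held in "pending" instead of being
 * read past the end of the input buffer, as the unpatched splitpacket() did. */
#define MAX_FRAME 1518
struct stream_state {
    unsigned char pending[2 + MAX_FRAME];
    size_t npending;   /* bytes held over from earlier chunks */
    unsigned frames;   /* complete frames handed on so far */
    size_t last_len;   /* length of the most recent complete frame */
    unsigned bad;      /* headers rejected for an impossible length */
};
/* Consume one read() worth of data. Returns the number of complete frames
 * reassembled from this chunk, or -1 on an impossible length (state reset). */
int feed_chunk(struct stream_state *st, const unsigned char *buf, size_t size)
{
    int delivered = 0;
    while (size > 0) {
        if (st->npending < 2) {
            /* header bytes one at a time: the chunk may end right after buf[0],
             * exactly the case in which the original code read buf[1] anyway */
            st->pending[st->npending++] = *buf++;
            size--;
            if (st->npending == 2) {
                size_t flen = ((size_t)st->pending[0] << 8) | st->pending[1];
                if (flen == 0 || flen > MAX_FRAME) {
                    st->bad++;
                    st->npending = 0;
                    return -1;
                }
            }
            continue;          /* loop ends here if the header is still partial */
        }
        size_t flen = ((size_t)st->pending[0] << 8) | st->pending[1];
        size_t take = 2 + flen - st->npending;   /* body bytes still missing */
        if (take > size) take = size;
        memcpy(st->pending + st->npending, buf, take);
        st->npending += take; buf += take; size -= take;
        if (st->npending == 2 + flen) {
            /* body complete: here vde_plug would write it to the switch */
            st->last_len = flen;
            st->frames++; delivered++;
            st->npending = 0;
        }
    }
    return delivered;
}
```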

halfdog (halfdog)
description: updated
Changed in vde2 (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

The following seems analogous to commit -r445 in svn, which was intended to fix this bug.

If it looks all right, I'll push this fix for proposed SRU.

Ideally, the bug Description would contain a script which could be used to verify whether the bug is present. Is that at all possible? (My impression is that you've tried but not succeeded in writing one? Hope springs eternal...)

Changed in vde2 (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Note the fix is included in quantal. So as soon as someone accepts the nominations for lucid through precise, the quantal status can be set to fix released.

tags: added: patch
description: updated
Changed in vde2 (Ubuntu Lucid):
importance: Undecided → High
Changed in vde2 (Ubuntu Precise):
importance: Undecided → High
Changed in vde2 (Ubuntu Lucid):
status: New → Confirmed
Changed in vde2 (Ubuntu Precise):
status: New → Confirmed
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello halfdog, or anyone else affected,

Accepted vde2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/vde2/2.2.3-3ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

summary: - Bug vde_plug input handling can cause ehter frame loss/corruption or
+ Bug vde_plug input handling can cause ether frame loss/corruption or
buffer overread by 1
Changed in vde2 (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Mathew Hodson (mhodson)
summary: - Bug vde_plug input handling can cause ether frame loss/corruption or
+ Bug vde_plug input handling can cause either frame loss/corruption or
buffer overread by 1
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I tested this in a precise container. precise-proposed didn't seem to behave any differently from precise. I think verification has failed.

In particular, with the precise-proposed version, my tcpdump still showed:

tcpdump: listening on vdetesttap, link-type EN10MB (Ethernet), capture size 65535 bytes
18:50:45.256019 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1022: IP0 bad-hlen 0
18:50:45.256037 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1021: IP0 bad-hlen 0
18:50:45.256041 23:45:67:89:ab:08 > ff:ff:ff:ff:ff:01, 802.3, length 256: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Command], length 242
18:50:45.256045 41:41:41:41:41:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.255.254.2 tell 10.255.254.1, length 28
18:50:46.258158 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1022: IP0 bad-hlen 0
18:50:46.258167 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1021: IP0 bad-hlen 0
18:50:46.258171 23:45:67:89:ab:08 > ff:ff:ff:ff:ff:01, 802.3, length 256: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Command], length 242
18:50:46.258176 41:41:41:41:41:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.255.254.2 tell 10.255.254.1, length 28
18:50:46.887438 56:c0:aa:55:b0:cf > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::54c0:aaff:fe55:b0cf > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
          source link-address option (1), length 8 (1): 56:c0:aa:55:b0:cf
            0x0000: 56c0 aa55 b0cf
18:50:47.260185 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1022: IP0 bad-hlen 0
18:50:47.260202 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1021: IP0 bad-hlen 0
18:50:47.260205 23:45:67:89:ab:08 > ff:ff:ff:ff:ff:01, 802.3, length 256: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Command], length 242
18:50:47.260209 41:41:41:41:41:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.255.254.2 tell 10.255.254.1, length 28
18:50:48.262737 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1022: IP0 bad-hlen 0
18:50:48.262766 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1021: IP0 bad-hlen 0
18:50:48.262770 23:45:67:89:ab:08 > ff:ff:ff:ff:ff:01, 802.3, length 256: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Command], length 242
18:50:48.262774 41:41:41:41:41:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.255.254.2 tell 10.255.254.1, length 28
18:50:49.265264 01:23:45:67:89:ab > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1022: IP0 bad-hlen 0
18:50:49.26527...


Revision history for this message
Brian Murray (brian-murray) wrote :

Hello halfdog, or anyone else affected,

Accepted vde2 into lucid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/vde2/2.2.3-3ubuntu1~10.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in vde2 (Ubuntu Lucid):
status: Confirmed → Fix Committed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [vde2/precise] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for precise for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in vde2 (Ubuntu Lucid):
status: Fix Committed → Won't Fix
Mathew Hodson (mhodson)
Changed in vde2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote : Proposed package removed from archive

The version of vde2 in the proposed pocket of Precise that was purported to fix this bug report has been removed because the bugs that were to be fixed by the upload were not verified in a timely (105 days) fashion.

Changed in vde2 (Ubuntu Precise):
status: Fix Committed → Won't Fix
tags: removed: verification-needed