Bug 1758601 (CVE-2019-14559)

Summary: CVE-2019-14559 edk2: memory leak in ArpOnFrameRcvdDpc
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, crobinso, kraxel, leidwang, lersek, pbonzini, philmd, security-response-team, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:21:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1801267, 1801268, 1801275, 1801276    
Bug Blocks: 1737084    

Description Riccardo Schirone 2019-10-04 15:16:56 UTC 
A memory leak was discovered in NetworkPkg/ArpDxe in function ArpOnFrameRcvdDpc(), because of an error condition that is not correctly handled and does not signal the recycleEvent signal before continuing the reception of packets. An attacker can use this flaw to cause memory exhaustion.
Comment 5 Riccardo Schirone 2020-02-10 14:31:45 UTC 
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1801268]
Affects: fedora-all [bug 1801267]
Comment 8 Riccardo Schirone 2020-02-10 14:44:54 UTC 
Upstream bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=2031
Comment 9 Laszlo Ersek 2020-02-23 08:33:52 UTC 
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2032
- https://bugzilla.tianocore.org/show_bug.cgi?id=1610
Comment 10 Laszlo Ersek 2020-02-23 08:36:46 UTC 
The following upstream bugs are additionally associated with this CVE:
- https://bugzilla.tianocore.org/show_bug.cgi?id=2174
Comment 11 Laszlo Ersek 2020-02-23 08:56:28 UTC 
Upstream tracker bug (depending on 1610, 2031, 2032, 2174):
- https://bugzilla.tianocore.org/show_bug.cgi?id=2550
Comment 12 Laszlo Ersek 2020-02-23 09:12:35 UTC 
Upstream status:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e
  ("NetworkPkg/Ip4Dxe: Check the received package length
  (CVE-2019-14559).", 2020-02-19).

- TianoCore#2031: fixed by upstream commit 1d3215fd24f4
  ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
  2020-02-21).

- TianoCore#2032: no patch has been proposed yet; analysis seems stuck
  (as of <https://bugzilla.tianocore.org/show_bug.cgi?id=2032#c12>).

- TianoCore#2174: a patch has been attached to the upstream ticket, but
  not posted to edk2-devel for review; as of
  <https://bugzilla.tianocore.org/show_bug.cgi?id=2174#c6>.
Comment 13 Laszlo Ersek 2020-04-01 13:12:16 UTC 
(In reply to Laszlo Ersek from comment #12)
> Upstream status:
> 
> - TianoCore#1610: fixed by upstream commit 578bcdc2605e
>   ("NetworkPkg/Ip4Dxe: Check the received package length
>   (CVE-2019-14559).", 2020-02-19).
> 
> - TianoCore#2031: fixed by upstream commit 1d3215fd24f4
>   ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
>   2020-02-21).
> 
> - TianoCore#2032:

Fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix 'ping' command Ip4 receive flow.", 2020-04-01).

> - TianoCore#2174:

A patch was upstreamed 9c20342eed70 ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.", 2020-03-30), but it caused a regression, which I subsequently reported. The fix for the regression (also tested OK by me) is pending subsys maintainer review.
Comment 14 Laszlo Ersek 2020-04-02 15:07:35 UTC 
All upstream dependencies (of TianoCore#2550) have been fixed:

- TianoCore#1610: fixed by upstream commit 578bcdc2605e
  ("NetworkPkg/Ip4Dxe: Check the received package length
  (CVE-2019-14559).", 2020-02-19).

- TianoCore#2031: fixed by upstream commit 1d3215fd24f4
  ("NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)",
  2020-02-21).

- TianoCore#2032: fixed in upstream commit 65c73df44c61 ("ShellPkg: Fix
  'ping' command Ip4 receive flow.", 2020-04-01).

- TianoCore#2174: fixed in upstream commit 9c20342eed70
  ("NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.",
  2020-03-30)

- TianoCore#2655 (regression from the TianoCore#2174 patch): fixed in
  commit 4deef2d865ef ("NetworkPkg/Ip6Dxe: Fix ASSERT logic in
  Ip6ProcessRouterAdvertise()", 2020-04-02).
Comment 15 leidwang@redhat.com 2020-06-29 02:48:01 UTC 
Hi Laszlo:

I am not sure if this bug only need I do the sanity test of ovmf,or need more test about it? could you provide me some suggestions.Many thanks!
Comment 16 Laszlo Ersek 2020-07-02 11:45:30 UTC 
Hello Leidong Wang,

thanks for the question.

TianoCore Bugzillas 1610, 2031 and 2032 were all found with network fuzzing; we don't have a reproducer.

TianoCore #2174 does not say if it had been found with a fuzzer or not, but we still have no reproducer.

So the above indicate that sanity testing should be sufficient.

The fix for TianoCore#2174 introduced a regression however (up-stream); that one was fixed under TianoCore#2655. This suggests a more directed sanity testing in turn, namely an IPv6 netboot test.

So please sanity check IPv4 and IPv6 PXE boot.

Thanks!
Comment 17 leidwang@redhat.com 2020-07-03 05:31:46 UTC 
Hi Laszlo,

thanks for your reply! ! !

OVMF sanity test, IPv4 boot and IPv6 boot can work normally.

Thank you!
Comment 18 Product Security DevOps Team 2020-11-04 02:21:41 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14559
Comment 19 errata-xmlrpc 2020-11-04 04:01:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4805 https://access.redhat.com/errata/RHSA-2020:4805