[AUTO-CHERRYPICK] Patch frr for CVE-2024-55553 [High] - branch 3.0-dev (#14062)

Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>

Author: 3 people

SPECS/frr/CVE-2024-55553.patch

@@ -0,0 +1,258 @@
+From ee33d7a891c9e7abb5020e849f51a9ea8a91b850 Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal <[email protected]>
+Date: Thu, 19 Jun 2025 06:40:11 +0000
+Subject: [PATCH] Backport CVE-2024-55553
+
+Upstream Reference : https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3
+
+Signed-off-by: Kanishk Bansal <[email protected]>
+---
+ bgpd/bgp_rpki.c | 139 ++++++++++++++++++++++--------------------------
+ bgpd/bgpd.c     |   4 --
+ bgpd/bgpd.h     |   1 -
+ 3 files changed, 65 insertions(+), 79 deletions(-)
+
+diff --git a/bgpd/bgp_rpki.c b/bgpd/bgp_rpki.c
+index f0b2ffd..8ccb948 100644
+--- a/bgpd/bgp_rpki.c
++++ b/bgpd/bgp_rpki.c
+@@ -48,6 +48,7 @@ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_CACHE_GROUP, "BGP RPKI Cache server group");
+ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_RTRLIB, "BGP RPKI RTRLib");
+ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_REVALIDATE, "BGP RPKI Revalidation");
+ 
++
+ #define POLLING_PERIOD_DEFAULT 3600
+ #define EXPIRE_INTERVAL_DEFAULT 7200
+ #define RETRY_INTERVAL_DEFAULT 600
+@@ -108,7 +109,6 @@ static void print_record(const struct pfx_record *record, struct vty *vty,
+ 			 json_object *json, enum asnotation_mode asnotation);
+ static bool is_synchronized(void);
+ static bool is_running(void);
+-static bool is_stopping(void);
+ static void route_match_free(void *rule);
+ static enum route_map_cmd_result_t route_match(void *rule,
+ 					       const struct prefix *prefix,
+@@ -116,7 +116,6 @@ static enum route_map_cmd_result_t route_match(void *rule,
+ 					       void *object);
+ static void *route_match_compile(const char *arg);
+ static void revalidate_bgp_node(struct bgp_dest *dest, afi_t afi, safi_t safi);
+-static void revalidate_all_routes(void);
+ 
+ static struct rtr_mgr_config *rtr_config;
+ static struct list *cache_list;
+@@ -354,11 +353,6 @@ inline bool is_running(void)
+ 	return rtr_is_running;
+ }
+ 
+-inline bool is_stopping(void)
+-{
+-	return rtr_is_stopping;
+-}
+-
+ static void pfx_record_to_prefix(struct pfx_record *record,
+ 				 struct prefix *prefix)
+ {
+@@ -402,40 +396,19 @@ static void rpki_revalidate_prefix(struct event *thread)
+ 	XFREE(MTYPE_BGP_RPKI_REVALIDATE, rrp);
+ }
+ 
+-static void bgpd_sync_callback(struct event *thread)
++static void revalidate_single_prefix(struct vrf *vrf, struct prefix prefix, afi_t afi)
+ {
+ 	struct bgp *bgp;
+ 	struct listnode *node;
+-	struct prefix prefix;
+-	struct pfx_record rec;
+-
+-	event_add_read(bm->master, bgpd_sync_callback, NULL,
+-		       rpki_sync_socket_bgpd, NULL);
+-
+-	if (atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) {
+-		while (read(rpki_sync_socket_bgpd, &rec,
+-			    sizeof(struct pfx_record)) != -1)
+-			;
+-
+-		atomic_store_explicit(&rtr_update_overflow, 0,
+-				      memory_order_seq_cst);
+-		revalidate_all_routes();
+-		return;
+-	}
+-
+-	int retval =
+-		read(rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
+-	if (retval != sizeof(struct pfx_record)) {
+-		RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd");
+-		return;
+-	}
+-	pfx_record_to_prefix(&rec, &prefix);
+-
+-	afi_t afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
+ 
+ 	for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
+ 		safi_t safi;
+ 
++			if (!vrf && bgp->vrf_id != VRF_DEFAULT)
++				continue;
++			if (vrf && bgp->vrf_id != vrf->vrf_id)
++				continue;
++
+ 		for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++) {
+ 			struct bgp_table *table = bgp->rib[afi][safi];
+ 			struct rpki_revalidate_prefix *rrp;
+@@ -448,12 +421,67 @@ static void bgpd_sync_callback(struct event *thread)
+ 			rrp->prefix = prefix;
+ 			rrp->afi = afi;
+ 			rrp->safi = safi;
+-			event_add_event(bm->master, rpki_revalidate_prefix, rrp,
+-					0, &bgp->t_revalidate[afi][safi]);
++			event_add_event(bm->master, rpki_revalidate_prefix, rrp, 0, &bgp->t_revalidate[afi][safi]);
+ 		}
+ 	}
+ }
+ 
++
++static void bgpd_sync_callback(struct event *thread)
++{
++	struct prefix prefix;
++	struct pfx_record rec;
++	struct rpki_vrf *rpki_vrf = EVENT_ARG(thread);
++	struct vrf *vrf = NULL;
++	afi_t afi;
++	int retval;
++
++	event_add_read(bm->master, bgpd_sync_callback, rpki_vrf, rpki_vrf->rpki_sync_socket_bgpd,
++		       NULL);
++
++	if (rpki_vrf->vrfname) {
++		vrf = vrf_lookup_by_name(rpki_vrf->vrfname);
++		if (!vrf) {
++			zlog_err("%s(): vrf for rpki %s not found", __func__, rpki_vrf->vrfname);
++			return;
++		}
++	}
++
++	if (atomic_load_explicit(&rpki_vrf->rtr_update_overflow, memory_order_seq_cst)) {
++		ssize_t size = 0;
++
++		retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
++		while (retval != -1) {
++			if (retval != sizeof(struct pfx_record))
++				break;
++
++			size += retval;
++			pfx_record_to_prefix(&rec, &prefix);
++			afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
++			revalidate_single_prefix(vrf, prefix, afi);
++
++			retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec,
++				      sizeof(struct pfx_record));
++		}
++
++		RPKI_DEBUG("Socket overflow detected (%zu), revalidating affected prefixes", size);
++
++		atomic_store_explicit(&rpki_vrf->rtr_update_overflow, 0, memory_order_seq_cst);
++		return;
++	}
++
++	retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
++	if (retval != sizeof(struct pfx_record)) {
++		RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd");
++		return;
++	}
++	pfx_record_to_prefix(&rec, &prefix);
++
++	afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
++
++	revalidate_single_prefix(vrf, prefix, afi);
++}
++
+ static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi,
+ 				safi_t safi)
+ {
+@@ -501,48 +529,11 @@ static void bgp_rpki_revalidate_peer(struct event *thread)
+ 	XFREE(MTYPE_BGP_RPKI_REVALIDATE, rvp);
+ }
+ 
+-static void revalidate_all_routes(void)
+-{
+-	struct bgp *bgp;
+-	struct listnode *node;
+-
+-	for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
+-		struct peer *peer;
+-		struct listnode *peer_listnode;
+-
+-		for (ALL_LIST_ELEMENTS_RO(bgp->peer, peer_listnode, peer)) {
+-			afi_t afi;
+-			safi_t safi;
+-
+-			FOREACH_AFI_SAFI (afi, safi) {
+-				struct rpki_revalidate_peer *rvp;
+-
+-				if (!bgp->rib[afi][safi])
+-					continue;
+-
+-				if (!peer_established(peer->connection))
+-					continue;
+-
+-				rvp = XCALLOC(MTYPE_BGP_RPKI_REVALIDATE,
+-					      sizeof(*rvp));
+-				rvp->peer = peer;
+-				rvp->afi = afi;
+-				rvp->safi = safi;
+-
+-				event_add_event(
+-					bm->master, bgp_rpki_revalidate_peer,
+-					rvp, 0,
+-					&peer->t_revalidate_all[afi][safi]);
+-			}
+-		}
+-	}
+-}
+-
+ static void rpki_update_cb_sync_rtr(struct pfx_table *p __attribute__((unused)),
+ 				    const struct pfx_record rec,
+ 				    const bool added __attribute__((unused)))
+ {
+-	if (is_stopping() ||
++	if (rtr_is_stopping ||
+ 	    atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst))
+ 		return;
+ 
+diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
+index edb20ac..cfa1930 100644
+--- a/bgpd/bgpd.c
++++ b/bgpd/bgpd.c
+@@ -1248,8 +1248,6 @@ static void peer_free(struct peer *peer)
+ 	bgp_reads_off(peer->connection);
+ 	bgp_writes_off(peer->connection);
+ 	event_cancel_event_ready(bm->master, peer->connection);
+-	FOREACH_AFI_SAFI (afi, safi)
+-		EVENT_OFF(peer->t_revalidate_all[afi][safi]);
+ 	assert(!peer->connection->t_write);
+ 	assert(!peer->connection->t_read);
+ 	event_cancel_event_ready(bm->master, peer->connection);
+@@ -2637,8 +2635,6 @@ int peer_delete(struct peer *peer)
+ 	bgp_reads_off(peer->connection);
+ 	bgp_writes_off(peer->connection);
+ 	event_cancel_event_ready(bm->master, peer->connection);
+-	FOREACH_AFI_SAFI (afi, safi)
+-		EVENT_OFF(peer->t_revalidate_all[afi][safi]);
+ 	assert(!CHECK_FLAG(peer->connection->thread_flags,
+ 			   PEER_THREAD_WRITES_ON));
+ 	assert(!CHECK_FLAG(peer->connection->thread_flags,
+diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
+index dda108b..70c728c 100644
+--- a/bgpd/bgpd.h
++++ b/bgpd/bgpd.h
+@@ -1568,7 +1568,6 @@ struct peer {
+ 
+ 	/* Threads. */
+ 	struct event *t_llgr_stale[AFI_MAX][SAFI_MAX];
+-	struct event *t_revalidate_all[AFI_MAX][SAFI_MAX];
+ 	struct event *t_refresh_stalepath;
+ 
+ 	/* Thread flags. */
+-- 
+2.45.3
+

SPECS/frr/frr.spec

@@ -3,7 +3,7 @@
 Summary:        Routing daemon
 Name:           frr
 Version:        9.1.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch2:         0002-disable-eigrp-crypto.patch
 Patch3:         0003-fips-mode.patch
 Patch4:         0004-remove-grpc-test.patch
 Patch5:         CVE-2024-44070.patch
+Patch6:         CVE-2024-55553.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -199,6 +200,9 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Tue Jun 17 2025 Kanishk Bansal <[email protected]> - 9.1.1-3
+- Backport Patch CVE-2024-55553
+
 * Wed Aug 21 2024 Brian Fjeldstad <[email protected]> - 9.1.1-2
 - Fix CVE-2024-44070