diff --git a/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch b/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch new file mode 100644 index 0000000000000000000000000000000000000000..8108611f45cc76e6e130f4e58151a941506eaa9f --- /dev/null +++ b/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch @@ -0,0 +1,67 @@ +From 9842d89e58e801b6b3a92ac079688b99b5669587 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Thu, 24 Aug 2023 10:31:56 +0200 +Subject: [PATCH] docs: Fix rendering of VLAN Comparison Chart. + +tbl defaults to expecting table entries to be separated by tab +characters. However, commit 5a0e4aec1af5cf7741c490bce704577e51e536b9 +converted these to spaces and inadvertently broke the rendering. Use +semicolons as separators instead; these are less prone to being broken +by tree-wide changes, and match the style used by +build-aux/extract-ofp-fields. + +Fixes: 5a0e4aec1af5 ("treewide: Convert leading tabs to spaces.") +Reported-by: Lucas Nussbaum +Reported-at: https://bugs.debian.org/1042358 +Co-authored-by: Frode Nordahl +Signed-off-by: Frode Nordahl +Signed-off-by: Colin Watson +Signed-off-by: Ilya Maximets +--- + lib/meta-flow.xml | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml +index 416ea0cf224..ac72a44bce4 100644 +--- a/lib/meta-flow.xml ++++ b/lib/meta-flow.xml +@@ -3517,24 +3517,24 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123) +

+ + +-nowarn; ++tab(;); + r r r r r. +-Criteria OpenFlow 1.0 OpenFlow 1.1 OpenFlow 1.2+ NXM +-\_ \_ \_ \_ \_ +-[1] \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fL0000\fR,\fL--\fR \fL0000\fR/\fL0000\fR +-[2] \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fLffff\fR,\fL--\fR \fL0000\fR/\fLffff\fR +-[3] \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL1xxx\fR/\fLffff\fR,\fL--\fR \fL1xxx\fR/\fL1fff\fR +-[4] \fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR \fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1000\fR/\fL1000\fR,\fL0y\fR \fLz000\fR/\fLf000\fR +-[5] \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1xxx\fR/\fLffff\fR,\fL0y\fR \fLzxxx\fR/\fLffff\fR ++Criteria;OpenFlow 1.0;OpenFlow 1.1;OpenFlow 1.2+;NXM ++\_;\_;\_;\_;\_ ++[1];\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fL0000\fR,\fL--\fR;\fL0000\fR/\fL0000\fR ++[2];\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fLffff\fR,\fL--\fR;\fL0000\fR/\fLffff\fR ++[3];\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL1xxx\fR/\fLffff\fR,\fL--\fR;\fL1xxx\fR/\fL1fff\fR ++[4];\fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR;\fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1000\fR/\fL1000\fR,\fL0y\fR;\fLz000\fR/\fLf000\fR ++[5];\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1xxx\fR/\fLffff\fR,\fL0y\fR;\fLzxxx\fR/\fLffff\fR + .T& +-r r c c r. +-[6] (none) (none) \fL1001\fR/\fL1001\fR,\fL--\fR \fL1001\fR/\fL1001\fR ++r c c r r. ++[6];(none);(none);\fL1001\fR/\fL1001\fR,\fL--\fR;\fL1001\fR/\fL1001\fR + .T& +-r r c c c. +-[7] (none) (none) (none) \fL3000\fR/\fL3000\fR +-[8] (none) (none) (none) \fL0000\fR/\fL0fff\fR +-[9] (none) (none) (none) \fL0000\fR/\fLf000\fR +-[10] (none) (none) (none) \fL0000\fR/\fLefff\fR ++r c c c r. 
++[7];(none);(none);(none);\fL3000\fR/\fL3000\fR ++[8];(none);(none);(none);\fL0000\fR/\fL0fff\fR ++[9];(none);(none);(none);\fL0000\fR/\fLf000\fR ++[10];(none);(none);(none);\fL0000\fR/\fLefff\fR + + +

diff --git a/0001-Fixed-troff-warning-in-versions.patch b/0001-Fixed-troff-warning-in-versions.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba705a5fa461d823b41e9e0ec126b347eccecc9c --- /dev/null +++ b/0001-Fixed-troff-warning-in-versions.patch @@ -0,0 +1,26 @@ +From 2428050aef9e52b0e523accd37ef121594bf7e4b Mon Sep 17 00:00:00 2001 +From: gordonwwang +Date: Thu, 17 Aug 2023 11:04:39 +0800 +Subject: [PATCH] [PATCH 1/1] lib/ovs.tmac: Fixed troff warning in versions + above groff-1.23 + +Signed-off-by: gordonwwang +Signed-off-by: Xiaojie Chen +Co-authored-by: Xiaojie Chen +--- + lib/ovs.tmac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ovs.tmac b/lib/ovs.tmac +index 5f8f20afa4a..97b6fa3df76 100644 +--- a/lib/ovs.tmac ++++ b/lib/ovs.tmac +@@ -175,7 +175,7 @@ + . nr mE \\n(.f + . nf + . nh +-. ft CW ++. ft CR + .. + . + . diff --git a/0001-docs-Add-nowarn-region-option-to-tables.patch b/0001-docs-Add-nowarn-region-option-to-tables.patch new file mode 100644 index 0000000000000000000000000000000000000000..0ba170a41d76a860053586bf80bf2d68ae67d766 --- /dev/null +++ b/0001-docs-Add-nowarn-region-option-to-tables.patch 
@@ -0,0 +1,56 @@ +From 8add72af395257825080314cb5062337fff28b31 Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Wed, 27 Mar 2024 14:53:41 +0800 +Subject: [PATCH] docs: Add nowarn region option to tables + +--- + build-aux/extract-ofp-fields | 6 +++--- + lib/meta-flow.xml | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/build-aux/extract-ofp-fields b/build-aux/extract-ofp-fields +index 8766995..7a9788b 100755 +--- a/build-aux/extract-ofp-fields ++++ b/build-aux/extract-ofp-fields +@@ -578,7 +578,7 @@ def field_to_xml(field_node, f, body, summary): + body += [""".PP + \\fB%s Field\\fR + .TS +-tab(;); ++tab(;),nowarn; + l lx. + """ % title] + +@@ -655,7 +655,7 @@ def group_xml_to_nroff(group_node, fields): + '.SH \"%s\"\n' % build.nroff.text_to_nroff(title.upper() + " FIELDS"), + '.SS "Summary:"\n', + '.TS\n', +- 'tab(;);\n', ++ 'tab(;),nowarn;\n', + 'l l l l l l l.\n', + 'Name;Bytes;Mask;RW?;Prereqs;NXM/OXM Support\n', + '\_;\_;\_;\_;\_;\_\n'] +@@ -665,7 +665,7 @@ def group_xml_to_nroff(group_node, fields): + return ''.join(content) + + def make_oxm_classes_xml(document): +- s = '''tab(;); ++ s = '''tab(;),nowarn; + l l l. + Prefix;Vendor;Class + \_;\_;\_ +diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml +index 28865f8..d861100 100644 +--- a/lib/meta-flow.xml ++++ b/lib/meta-flow.xml +@@ -3517,6 +3517,7 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123) +

+ + ++nowarn; + r r r r r. + Criteria OpenFlow 1.0 OpenFlow 1.1 OpenFlow 1.2+ NXM + \_ \_ \_ \_ \_ +-- +2.27.0 + diff --git a/0001-fix-CVE-2023-3966.patch b/0001-fix-CVE-2023-3966.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ccfb60451ade1a59a7479ff6c35d87178cc1832 --- /dev/null +++ b/0001-fix-CVE-2023-3966.patch 
@@ -0,0 +1,130 @@ +From 3585beb369f241b74395eabb85270488e57868d5 Mon Sep 17 00:00:00 2001 +From: dashnfschina +Date: Mon, 6 May 2024 21:26:04 -0400 +Subject: [PATCH] fix:CVE-2023-3966 + +--- + lib/netdev-offload-tc.c | 24 +++++++++++++++++----- + tests/system-offloads-traffic.at | 34 ++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+), 5 deletions(-) + +diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c +index 6d918ae..f7b414a 100644 +--- a/lib/netdev-offload-tc.c ++++ b/lib/netdev-offload-tc.c +@@ -1597,12 +1597,12 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; + + /* 'flower' always has an exact match on tunnel metadata length, so having + * it in a wrong format is not acceptable unless it is empty. */ +@@ -1618,7 +1618,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + memset(&tnl_mask->metadata.present.map, 0, + sizeof tnl_mask->metadata.present.map); + } +- return; ++ return 0; + } + + tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; +@@ -1632,7 +1632,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + sizeof tnl_mask->metadata.present.len); + + if (!tnl->metadata.present.len) { +- return; ++ return 0; + } + + memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +@@ -1646,7 +1646,15 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + * also not masks, but actual lengths in the 'flower' structure. 
*/ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if(len < sizeof *opt){ ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1654,6 +1662,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } ++ ++ return 0; + } + + static void +@@ -1835,7 +1845,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, + tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); + + if (!strcmp(netdev_get_type(netdev), "geneve")) { +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } + } + flower.tunnel = true; + } else { +diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at +index bf60e4c..e59fa3c 100644 +--- a/tests/system-offloads-traffic.at ++++ b/tests/system-offloads-traffic.at +@@ -351,3 +351,37 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/could not open network device ovs-p0/d + /failed to offload flow/d + "]) + AT_CLEANUP ++ ++AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled]) ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02]) ++ ++AT_CHECK([ovs-vsctl set Open_vSwitch . 
other_config:hw-offload=true]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. ++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP +-- +2.18.2 + diff --git a/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch b/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch new file mode 100644 index 0000000000000000000000000000000000000000..09881088376e3166cec3592827dbcac6231dcd5d --- /dev/null +++ b/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch 
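Review bot: The header of 0001-fix-CVE-2023-3966.patch carries only From, Date and the subject `fix:CVE-2023-3966`, with no description, upstream commit reference or Signed-off-by, so this security backport cannot be checked against the upstream change from the patch alone. I would add a short description and a reference to the upstream commit (`<upstream commit id>`). In `netdev_tc_flow_put` the new lines assign `err` and log through `warn_rl`, both declared outside the hunk, so confirm they exist in the packaged 2.17.6 source; the function also continues past the hunk, so whether the early `return err;` skips any cleanup cannot be judged here. In `flower_match_to_tun_opt`, `if(len < sizeof *opt){` compares the signed `len` with a `size_t`, which is sound only because the following `len < tot_opt_len` check keeps `len` from going negative. That invariant deserves a one-line comment, and the spacing should match the neighbouring check: `if (len < sizeof *opt) {`.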
@@ -0,0 +1,31 @@ +From 6180fefa835c7cad36e89f77f3d9de13c680fb88 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Mon, 21 Aug 2023 15:53:34 +0200 +Subject: [PATCH] docs: Run tbl preprocessor in manpage-check rule. + +If we omit this, groff 1.23.0 warns: + + tbl preprocessor failed, or it or soelim was not run; table(s) likely + not rendered (TE macro called with TW register undefined) + +Reported-by: Lucas Nussbaum +Reported-at: https://bugs.debian.org/1042358 +Signed-off-by: Colin Watson +Signed-off-by: Ilya Maximets +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index db341504d37..265cf0a7b52 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -368,7 +368,7 @@ ALL_LOCAL += manpage-check + manpage-check: $(man_MANS) $(dist_man_MANS) $(noinst_man_MANS) + @error=false; \ + for manpage in $?; do \ +- LANG=en_US.UTF-8 groff -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \ ++ LANG=en_US.UTF-8 groff -t -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \ + if grep warning: $@.tmp; then error=:; fi; \ + rm -f $@.tmp; \ + done; \ diff --git a/openvswitch.spec b/openvswitch.spec index c36d65fb8e3a683fecfdd3efa5d26a5b9f73a225..0f7fc45ff9840c18b9b41de484156eb225c2b61c 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global _hardened_build 1 %define _rundir /run 
@@ -22,6 +22,13 @@ License: ASL 2.0 and LGPLv2+ and SISSL Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz Source1: openvswitch.sysusers +Patch1: 0001-Fixed-troff-warning-in-versions.patch +Patch2: 0002-Run-tbl-preprocessor-in-manpage-check-rule.patch +Patch3: 0001-docs-Add-nowarn-region-option-to-tables.patch +Patch4: 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch +Patch5: 0001-fix-CVE-2023-3966.patch + + BuildRequires: gcc gcc-c++ make autoconf automake libtool BuildRequires: systemd-rpm-macros openssl openssl-devel desktop-file-utils BuildRequires: python3-devel python3-six python3-setuptools python3-sortedcontainers @@ -511,5 +518,8 @@ fi %doc NOTICE README.rst NEWS %changelog +* Tue May 7 2024 dash -2.17.6-2 +- fix CVE-2023-3966 + * Tue Apr 18 2023 happy_orange -2.17.6-1 - init package
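Review bot: The added `Patch1:` to `Patch5:` tags only declare the patches; the `%prep` section is outside this hunk, so it is not visible whether they are applied (for example through `%autosetup -p1` or per-patch `%patch` lines). If they are not, release 2 would ship with a changelog entry for CVE-2023-3966 but without the fix in the build, so confirm this in `%prep`. Order matters as well: `0001-Fix-rendering-of-VLAN-Comparison-Chart.patch` removes the `nowarn;` line that `0001-docs-Add-nowarn-region-option-to-tables.patch` adds to lib/meta-flow.xml, so Patch3 has to stay ahead of Patch4. A comment such as `# Patch4 depends on Patch3 (lib/meta-flow.xml)` above them would record that.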