diff --git a/0001-fix-CVE-2023-3966.patch b/0001-fix-CVE-2023-3966.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ccfb60451ade1a59a7479ff6c35d87178cc1832 --- /dev/null +++ b/0001-fix-CVE-2023-3966.patch @@ -0,0 +1,130 @@ +From 3585beb369f241b74395eabb85270488e57868d5 Mon Sep 17 00:00:00 2001 +From: dashnfschina +Date: Mon, 6 May 2024 21:26:04 -0400 +Subject: [PATCH] fix:CVE-2023-3966 + +--- + lib/netdev-offload-tc.c | 24 +++++++++++++++++----- + tests/system-offloads-traffic.at | 34 ++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+), 5 deletions(-) + +diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c +index 6d918ae..f7b414a 100644 +--- a/lib/netdev-offload-tc.c ++++ b/lib/netdev-offload-tc.c +@@ -1597,12 +1597,12 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; + + /* 'flower' always has an exact match on tunnel metadata length, so having + * it in a wrong format is not acceptable unless it is empty. */ +@@ -1618,7 +1618,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + memset(&tnl_mask->metadata.present.map, 0, + sizeof tnl_mask->metadata.present.map); + } +- return; ++ return 0; + } + + tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; +@@ -1632,7 +1632,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + sizeof tnl_mask->metadata.present.len); + + if (!tnl->metadata.present.len) { +- return; ++ return 0; + } + + memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +@@ -1646,7 +1646,15 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + * also not masks, but actual lengths in the 'flower' structure. */ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if(len < sizeof *opt){ ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1654,6 +1662,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } ++ ++ return 0; + } + + static void +@@ -1835,7 +1845,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, + tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); + + if (!strcmp(netdev_get_type(netdev), "geneve")) { +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } + } + flower.tunnel = true; + } else { +diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at +index bf60e4c..e59fa3c 100644 +--- a/tests/system-offloads-traffic.at ++++ b/tests/system-offloads-traffic.at +@@ -351,3 +351,37 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/could not open network device ovs-p0/d + /failed to offload flow/d + "]) + AT_CLEANUP ++ ++AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled]) ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02]) ++ ++AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:hw-offload=true]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. ++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP +-- +2.18.2 + diff --git a/openvswitch.spec b/openvswitch.spec index 7d016ef46f56b8e087f5792f436abcb904a90a0e..aee39ddb6f8b3d891bb5ef98fc460621e7344b04 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global _hardened_build 1 %define _rundir /run @@ -26,6 +26,7 @@ Patch1: 0001-Fixed-troff-warning-in-versions.patch Patch2: 0002-Run-tbl-preprocessor-in-manpage-check-rule.patch Patch3: 0001-docs-Add-nowarn-region-option-to-tables.patch Patch4: 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch +Patch5: 0001-fix-CVE-2023-3966.patch BuildRequires: gcc gcc-c++ make autoconf automake libtool BuildRequires: systemd-rpm-macros openssl openssl-devel desktop-file-utils @@ -516,6 +517,9 @@ fi %doc NOTICE README.rst NEWS %changelog +* Tue May 07 2024 dash - 2.17.6-3 +- fix:CVE-2023-3966 + * Wed Mar 27 2024 Liwei Ge - 2.17.6-2 - rebuild with python3.11