Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openvswitch for openSUSE:Factory checked in at 2024-02-27 22:43:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvswitch (Old) and /work/SRC/openSUSE:Factory/.openvswitch.new.1770 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvswitch" Tue Feb 27 22:43:34 2024 rev:73 rq:1150566 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/openvswitch/openvswitch.changes 2024-02-06 16:33:13.276159948 +0100 +++ /work/SRC/openSUSE:Factory/.openvswitch.new.1770/openvswitch.changes 2024-02-27 22:43:40.808382517 +0100 @@ -1,0 +2,7 @@ +Thu Feb 15 06:53:54 UTC 2024 - Duraisankar P <[email protected]> + +- Fix CVE-2023-3966 [bsc#1219465] openvswitch3: Invalid memory access in Geneve with HW offload +- Added patch, + +openvswitch-CVE-2023-3966.patch + +------------------------------------------------------------------- New: ---- openvswitch-CVE-2023-3966.patch BETA DEBUG BEGIN: New:- Added patch, +openvswitch-CVE-2023-3966.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvswitch.spec ++++++ --- /var/tmp/diff_new_pack.OiiWJv/_old 2024-02-27 22:43:41.576410359 +0100 +++ /var/tmp/diff_new_pack.OiiWJv/_new 2024-02-27 22:43:41.576410359 +0100 @@ -81,6 +81,8 @@ Patch5: CVE-2023-1668.patch # PATCH-FIX-UPSTREAM CVE-2023-5366.patch Patch6: CVE-2023-5366.patch +# Fix CVE-2023-3966 [bsc#1219465] -- Invalid memory access in Geneve with HW offload +Patch7: openvswitch-CVE-2023-3966.patch #OVN patches # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch Patch20: 0001-Run-ovn-as-openvswitch-openvswitch.patch @@ -422,6 +424,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # remove python/ovs/dirs.py - this is generated from template to have proper paths rm python/ovs/dirs.py cd %{ovn_dir} ++++++ openvswitch-CVE-2023-3966.patch ++++++ --- openvswitch-3.1.0.orig/lib/netdev-offload-tc.c 2024-02-13 11:52:45.356063229 +0530 +++ openvswitch-3.1.0/lib/netdev-offload-tc.c 2024-02-13 12:09:48.472094452 +0530 
@@ -1719,12 +1719,12 @@ test_key_and_mask(struct match *match) return 0; } -static void +static int flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, struct flow_tnl *tnl_mask) { struct geneve_opt *opt, *opt_mask; - int len, cnt = 0; + int tot_opt_len, len, cnt = 0; /* 'flower' always has an exact match on tunnel metadata length, so having * it in a wrong format is not acceptable unless it is empty. */ @@ -1740,7 +1740,7 @@ flower_match_to_tun_opt(struct tc_flower memset(&tnl_mask->metadata.present.map, 0, sizeof tnl_mask->metadata.present.map); } - return; + return 0; } tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; @@ -1754,7 +1754,7 @@ flower_match_to_tun_opt(struct tc_flower sizeof tnl_mask->metadata.present.len); if (!tnl->metadata.present.len) { - return; + return 0; } memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, @@ -1768,7 +1768,16 @@ flower_match_to_tun_opt(struct tc_flower * also not masks, but actual lengths in the 'flower' structure. */ len = flower->key.tunnel.metadata.present.len; while (len) { + if (len < sizeof *opt) { + return EOPNOTSUPP; + } + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; + tot_opt_len = sizeof *opt + opt->length * 4; + if (len < tot_opt_len) { + return EOPNOTSUPP; + } + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; opt_mask->length = opt->length; @@ -1776,6 +1785,7 @@ flower_match_to_tun_opt(struct tc_flower cnt += sizeof(struct geneve_opt) / 4 + opt->length; len -= sizeof(struct geneve_opt) + opt->length * 4; } + return 0; } static void 
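Review bot: The new non-void contract of flower_match_to_tun_opt is undocumented: the signature becomes `static int` and the `while (len)` loop gains two `return EOPNOTSUPP` paths, but no comment tells a caller what non-zero means or that 'flower' and 'tnl_mask' may already be partially written when it is returned (the key memcpy and the per-option `opt_mask->length = opt->length` happen before a later option can fail). I would add above `static int`: `/* Fills the flower key/mask from the Geneve options in 'tnl'.  Returns 0 on success, or EOPNOTSUPP if an option header does not fit in the remaining metadata length or an option's declared length overruns it; on error 'flower' and 'tnl_mask' may be partially updated. */`. A smaller caveat on the first guard: `if (len < sizeof *opt)` compares the `int` `len` with a `size_t`, which is only safe because `len` is never negative here (it starts from present.len, presumably unsigned, and is decremented only by amounts the new checks have bounded); writing `if ((size_t) len < sizeof *opt)` or declaring `len` and `tot_opt_len` as `size_t` would keep a future change from turning a negative `len` into a passed check. The function is cut by the hunk boundaries and its body continues between and after them.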
@@ -2213,7 +2223,11 @@ netdev_tc_flow_put(struct netdev *netdev tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); if (!strcmp(netdev_get_type(netdev), "geneve")) { - flower_match_to_tun_opt(&flower, tnl, tnl_mask); + err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); + if (err) { + VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); + return err; + } } flower.tunnel = true; } else { --- openvswitch-3.1.0.orig/tests/system-offloads-traffic.at 2024-02-13 11:52:45.364063229 +0530 +++ openvswitch-3.1.0/tests/system-offloads-traffic.at 2024-02-13 12:21:58.880116742 +0530 
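Review bot: The new warning `VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options")` identifies neither the tunnel port nor the consequence, so an operator seeing it cannot tell which netdev carried the malformed options or that the flow is being refused by the TC offload path and will presumably be handled in software instead. I would include the port name (the netdev name accessor that pairs with the visible `netdev_get_type(netdev)` call) and the outcome, e.g. `"%s: unable to parse geneve options, not offloading flow"`; note that the new test's cleanup filter `/Unable to parse geneve options/d` keys on the current wording and would need the same change. The early `return err` also skips anything netdev_tc_flow_put does later in its body (cleanup or state it has already built up), which cannot be checked from here because the function starts and ends outside the hunk.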
@@ -742,3 +742,35 @@ recirc_id(<recirc>),in_port(3),eth_type( OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled]) +OVS_CHECK_GENEVE() + +OVS_TRAFFIC_VSWITCHD_START( + [_ADD_BR([br-underlay]) -- \ + set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ + set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02], + [], [-- set Open_vSwitch . other_config:hw-offload=true]) + +AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) +AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) + +ADD_NAMESPACES(at_ns0) + +dnl Set up underlay link from host into the namespace using veth pair. +ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) +AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) +AT_CHECK([ip link set dev br-underlay up]) + +dnl Set up tunnel endpoints on OVS outside the namespace and with a native +dnl linux device inside the namespace. +ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) +ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], + [vni 0], [address f2:ff:00:00:00:04]) + +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) + +OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) + +OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d +/Unable to parse geneve options/d"]) +AT_CLEANUP
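Review bot: The sendpkt.py byte string in the new test is undocumented, so a reader cannot tell which bytes are the "corrupted metadata" without decoding it by hand. Decoding it: after the outer Ethernet/IPv4/UDP headers (UDP dst port 0x17c1 = 6081), the Geneve base header `01 00 65 58 00 00 00 00` declares one 4-byte word of options, but the single option `00 03 00 02` (class 0x0003, type 0x00) declares a body of 2 words, so the option overruns the 4 bytes of option space, which is the `len < tot_opt_len` case the patch rejects. I would add above the NS_CHECK_EXEC line: `dnl Geneve header declares opt_len=1 (4 bytes), but the single option (class 0x3, type 0) declares length=2 (8 bytes), so it overruns the metadata.` The test also only proves the warning was logged; it does not assert that the flow was still installed without offload, which is presumably what the EOPNOTSUPP return is meant to cause.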
