Accepting request 1109539 from network

Description: - Added fix for CVE-2023-3152, openvswitch : service monitor MAC flow is not rate limited Actions: - submit network/openvswitch => openSUSE:Factory/openvswitch Changes: - Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited - Added patch, CVE-2023-3152.patch OBS-URL: https://build.opensuse.org/request/show/1109539 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvswitch?expand=0&rev=69
2023-09-07 19:12:22 +00:00 · 2023-09-07 19:12:22 +00:00 · 8914997bcf
commit 8914997bcf
parent 5bf1b64211 2fa8fb38ca
3 changed files with 131 additions and 0 deletions
--- a/CVE-2023-3152.patch
+++ b/CVE-2023-3152.patch
@ -0,0 +1,121 @@
+commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd
+Author: Ales Musil <amusil@redhat.com>
+Date:   Wed Jul 12 07:12:29 2023 +0200
+
+    northd, controller: Add CoPP for SVC monitor
+    
+    The SVC monitor was exposed without any limitation.
+    Add CoPP for the SVC monitor flow, which adds a way
+    for CMSs to limit the traffic that this flow accepts.
+    
+    Signed-off-by: Ales Musil <amusil@redhat.com>
+
+diff --git a/lib/copp.c b/lib/copp.c
+index 603e3f5bf..11dd9029d 100644
+--- a/lib/copp.c
+++ b/lib/copp.c
+@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = {
+     [COPP_ND_RA_OPTS]    = "nd-ra-opts",
+     [COPP_TCP_RESET]     = "tcp-reset",
+     [COPP_REJECT]        = "reject",
+    [COPP_SVC_MONITOR]   = "svc-monitor",
+     [COPP_BFD]           = "bfd",
+ };
+ 
+diff --git a/lib/copp.h b/lib/copp.h
+index f03004aa6..b99737220 100644
+--- a/lib/copp.h
+++ b/lib/copp.h
+@@ -37,6 +37,7 @@ enum copp_proto {
+     COPP_TCP_RESET,
+     COPP_BFD,
+     COPP_REJECT,
+    COPP_SVC_MONITOR,
+     COPP_PROTO_MAX,
+     COPP_PROTO_INVALID = COPP_PROTO_MAX,
+ };
+diff --git a/northd/northd.c b/northd/northd.c
+index 7ad4cdfad..1e05b8f22 100644
+--- a/northd/northd.c
+++ b/northd/northd.c
+@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+ {
+     if (od->nbs) {
+ 
+-        ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
+-                      "eth.dst == $svc_monitor_mac",
+-                      "handle_svc_check(inport);");
+        ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == "
+                          "$svc_monitor_mac && (tcp || icmp || icmp6)",
+                          "handle_svc_check(inport);",
+                          copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
+                                         meter_groups));
+ 
+         struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw;
+ 
+diff --git a/ovn-nb.xml b/ovn-nb.xml
+index 35acda107..59ac42dbd 100644
+--- a/ovn-nb.xml
+++ b/ovn-nb.xml
+@@ -466,6 +466,10 @@
+     <column name="meters" key="reject">
+       Rate limiting meter for packets that trigger a reject action
+     </column>
+    <column name="meters" key="svc-monitor">
+      Rate limiting meter for packets that are arriving to service
+      monitor MAC address.
+    </column>
+     <column name="external_ids">
+       See <em>External IDs</em> at the beginning of this document.
+     </column>
+diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
+index b8376991b..70350a781 100644
+--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
+@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0
+ 
+ # let's try to add an usupported protocol "dhcp"
+ AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl
+-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject.
+ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor.
+ ])
+ 
+ #Let's try to add a valid protocol to an unknown datapath
+diff --git a/tests/system-ovn.at b/tests/system-ovn.at
+index f8131b90e..7c009e157 100644
+--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
+@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([
+ ])
+ kill $(pidof tcpdump)
+ 
+check ovn-nbctl set nb_global . options:svc_monitor_mac="33:33:33:33:33:33"
+check ovn-nbctl meter-add svc-meter drop 1 pktps 0
+check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter
+check ovn-nbctl --wait=hv ls-copp-add copp4 sw0
+check ovn-appctl -t ovn-controller vlog/set vconn:dbg
+AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl
+svc-monitor: svc-meter
+])
+
+ip netns exec sw01 scapy -H <<-EOF
+p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\
+    IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234)
+sendp(p, iface='sw01', loop=0, verbose=0, count=20)
+EOF
+
+OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"])
+
+ kill $(pidof ovn-controller)
+ 
+ as ovn-sb
+@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+ 
+ as
+ OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
+-/.*terminating with signal 15.*/d"])
+/.*terminating with signal 15.*/d
+/.*Service monitor not found/d"])
+ 
+ AT_CLEANUP
+ ])
--- a/openvswitch.changes
+++ b/openvswitch.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep  7 07:55:29 UTC 2023 - Duraisankar P <Duraisankar.pitchumani@suse.com>
+
+- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited
+- Added patch,
+       CVE-2023-3152.patch 
+
 -------------------------------------------------------------------
 Wed May 17 09:46:44 UTC 2023 - Duraisankar P <Duraisankar.pitchumani@suse.com>

--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -81,6 +81,8 @@ Patch5:         CVE-2023-1668.patch
 #OVN patches
 # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch
 Patch20:        0001-Run-ovn-as-openvswitch-openvswitch.patch
+# PATCH-FIX-UPSTREAM CVE-2023-3152 [bsc#1212125] -- service monitor MAC flow is not rate limited
+Patch21:        CVE-2023-3152.patch
 # CVE-2021-36980 [bsc#1188524], use-after-free in decode_NXAST_RAW_ENCAP
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -417,6 +419,7 @@ Devel libraries and headers for Open Virtual Network.
 rm python/ovs/dirs.py
 cd %{ovn_dir}
 %patch20 -p1
+%patch21 -p1

 %build
 mkdir %ovs_dir