diff --git a/CVE-2023-3152.patch b/CVE-2023-3152.patch new file mode 100644 index 0000000..576afa4 --- /dev/null +++ b/CVE-2023-3152.patch @@ -0,0 +1,121 @@ +commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd +Author: Ales Musil +Date: Wed Jul 12 07:12:29 2023 +0200 + + northd, controller: Add CoPP for SVC monitor + + The SVC monitor was exposed without any limitation. + Add CoPP for the SVC monitor flow, which adds a way + for CMSs to limit the traffic that this flow accepts. + + Signed-off-by: Ales Musil + +diff --git a/lib/copp.c b/lib/copp.c +index 603e3f5bf..11dd9029d 100644 +--- a/lib/copp.c ++++ b/lib/copp.c +@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = { + [COPP_ND_RA_OPTS] = "nd-ra-opts", + [COPP_TCP_RESET] = "tcp-reset", + [COPP_REJECT] = "reject", ++ [COPP_SVC_MONITOR] = "svc-monitor", + [COPP_BFD] = "bfd", + }; + +diff --git a/lib/copp.h b/lib/copp.h +index f03004aa6..b99737220 100644 +--- a/lib/copp.h ++++ b/lib/copp.h +@@ -37,6 +37,7 @@ enum copp_proto { + COPP_TCP_RESET, + COPP_BFD, + COPP_REJECT, ++ COPP_SVC_MONITOR, + COPP_PROTO_MAX, + COPP_PROTO_INVALID = COPP_PROTO_MAX, + }; +diff --git a/northd/northd.c b/northd/northd.c +index 7ad4cdfad..1e05b8f22 100644 +--- a/northd/northd.c ++++ b/northd/northd.c +@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od, + { + if (od->nbs) { + +- ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110, +- "eth.dst == $svc_monitor_mac", +- "handle_svc_check(inport);"); ++ ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == " ++ "$svc_monitor_mac && (tcp || icmp || icmp6)", ++ "handle_svc_check(inport);", ++ copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp, ++ meter_groups)); + + struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw; + +diff --git a/ovn-nb.xml b/ovn-nb.xml +index 35acda107..59ac42dbd 100644 +--- a/ovn-nb.xml ++++ b/ovn-nb.xml +@@ -466,6 +466,10 @@ + + Rate limiting meter for packets that trigger a reject action + ++ ++ Rate limiting meter for packets that are arriving to service ++ monitor MAC address. ++ + + See External IDs at the beginning of this document. + +diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at +index b8376991b..70350a781 100644 +--- a/tests/ovn-northd.at ++++ b/tests/ovn-northd.at +@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0 + + # let's try to add an usupported protocol "dhcp" + AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl +-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject. ++ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor. + ]) + + #Let's try to add a valid protocol to an unknown datapath +diff --git a/tests/system-ovn.at b/tests/system-ovn.at +index f8131b90e..7c009e157 100644 +--- a/tests/system-ovn.at ++++ b/tests/system-ovn.at +@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([ + ]) + kill $(pidof tcpdump) + ++check ovn-nbctl set nb_global . options:svc_monitor_mac="33:33:33:33:33:33" ++check ovn-nbctl meter-add svc-meter drop 1 pktps 0 ++check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter ++check ovn-nbctl --wait=hv ls-copp-add copp4 sw0 ++check ovn-appctl -t ovn-controller vlog/set vconn:dbg ++AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl ++svc-monitor: svc-meter ++]) ++ ++ip netns exec sw01 scapy -H <<-EOF ++p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\ ++ IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234) ++sendp(p, iface='sw01', loop=0, verbose=0, count=20) ++EOF ++ ++OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"]) ++ + kill $(pidof ovn-controller) + + as ovn-sb +@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE]) + + as + OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d +-/.*terminating with signal 15.*/d"]) ++/.*terminating with signal 15.*/d ++/.*Service monitor not found/d"]) + + AT_CLEANUP + ]) diff --git a/openvswitch.changes b/openvswitch.changes index c16e60d..6fa2370 100644 --- a/openvswitch.changes +++ b/openvswitch.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 7 07:55:29 UTC 2023 - Duraisankar P + +- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited +- Added patch, + CVE-2023-3152.patch + ------------------------------------------------------------------- Wed May 17 09:46:44 UTC 2023 - Duraisankar P diff --git a/openvswitch.spec b/openvswitch.spec index fb40e69..113c5c5 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -81,6 +81,8 @@ Patch5: CVE-2023-1668.patch #OVN patches # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch Patch20: 0001-Run-ovn-as-openvswitch-openvswitch.patch +# PATCH-FIX-UPSTREAM CVE-2023-3152 [bsc#1212125] -- service monitor MAC flow is not rate limited +Patch21: CVE-2023-3152.patch # CVE-2021-36980 [bsc#1188524], use-after-free in decode_NXAST_RAW_ENCAP BuildRequires: autoconf BuildRequires: automake @@ -417,6 +419,7 @@ Devel libraries and headers for Open Virtual Network. rm python/ovs/dirs.py cd %{ovn_dir} %patch20 -p1 +%patch21 -p1 %build mkdir %ovs_dir