Accepting request 1146716 from home:dpitchumani:branches:openSUSE:Factory

- Fix CVE-2023-3966 [bsc#1219465] openvswitch3: Invalid memory access in Geneve with HW offload - Added patch, +openvswitch-CVE-2023-3966.patch OBS-URL: https://build.opensuse.org/request/show/1146716 OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=255
2024-02-26 07:09:11 +00:00 · 2024-02-26 07:09:11 +00:00 · e2f18d8bbd
commit e2f18d8bbd
parent 362e50dfde
3 changed files with 121 additions and 0 deletions
--- a/openvswitch-CVE-2023-3966.patch
+++ b/openvswitch-CVE-2023-3966.patch
@ -0,0 +1,111 @@
+--- openvswitch-3.1.0.orig/lib/netdev-offload-tc.c	2024-02-13 11:52:45.356063229 +0530
+++ openvswitch-3.1.0/lib/netdev-offload-tc.c	2024-02-13 12:09:48.472094452 +0530
+@@ -1719,12 +1719,12 @@ test_key_and_mask(struct match *match)
+     return 0;
+ }
+ 
+-static void
+static int
+ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+                         struct flow_tnl *tnl_mask)
+ {
+     struct geneve_opt *opt, *opt_mask;
+-    int len, cnt = 0;
+    int tot_opt_len, len, cnt = 0;
+ 
+     /* 'flower' always has an exact match on tunnel metadata length, so having
+      * it in a wrong format is not acceptable unless it is empty. */
+@@ -1740,7 +1740,7 @@ flower_match_to_tun_opt(struct tc_flower
+             memset(&tnl_mask->metadata.present.map, 0,
+                    sizeof tnl_mask->metadata.present.map);
+         }
+-        return;
+        return 0;
+     }
+ 
+     tnl_mask->flags &= ~FLOW_TNL_F_UDPIF;
+@@ -1754,7 +1754,7 @@ flower_match_to_tun_opt(struct tc_flower
+            sizeof tnl_mask->metadata.present.len);
+ 
+     if (!tnl->metadata.present.len) {
+-        return;
+        return 0;
+     }
+ 
+     memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv,
+@@ -1768,7 +1768,16 @@ flower_match_to_tun_opt(struct tc_flower
+      * also not masks, but actual lengths in the 'flower' structure. */
+     len = flower->key.tunnel.metadata.present.len;
+     while (len) {
+        if (len < sizeof *opt) {
+            return EOPNOTSUPP;
+        }
+
+         opt = &flower->key.tunnel.metadata.opts.gnv[cnt];
+        tot_opt_len = sizeof *opt + opt->length * 4;
+        if (len < tot_opt_len) {
+            return EOPNOTSUPP;
+        }
+
+         opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt];
+ 
+         opt_mask->length = opt->length;
+@@ -1776,6 +1785,7 @@ flower_match_to_tun_opt(struct tc_flower
+         cnt += sizeof(struct geneve_opt) / 4 + opt->length;
+         len -= sizeof(struct geneve_opt) + opt->length * 4;
+     }
+    return 0;
+ }
+ 
+ static void
+@@ -2213,7 +2223,11 @@ netdev_tc_flow_put(struct netdev *netdev
+         tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM);
+ 
+         if (!strcmp(netdev_get_type(netdev), "geneve")) {
+-            flower_match_to_tun_opt(&flower, tnl, tnl_mask);
+            err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);
+            if (err) {
+                VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");
+                return err;
+            }
+         }
+         flower.tunnel = true;
+     } else {
+--- openvswitch-3.1.0.orig/tests/system-offloads-traffic.at	2024-02-13 11:52:45.364063229 +0530
+++ openvswitch-3.1.0/tests/system-offloads-traffic.at	2024-02-13 12:21:58.880116742 +0530
+@@ -742,3 +742,35 @@ recirc_id(<recirc>),in_port(3),eth_type(
+ 
+ OVS_TRAFFIC_VSWITCHD_STOP
+ AT_CLEANUP
+AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled])
+OVS_CHECK_GENEVE()
+
+OVS_TRAFFIC_VSWITCHD_START(
+    [_ADD_BR([br-underlay]) -- \
+     set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \
+     set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02],
+    [], [-- set Open_vSwitch . other_config:hw-offload=true])
+
+AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
+AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
+
+ADD_NAMESPACES(at_ns0)
+
+dnl Set up underlay link from host into the namespace using veth pair.
+ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
+AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
+AT_CHECK([ip link set dev br-underlay up])
+
+dnl Set up tunnel endpoints on OVS outside the namespace and with a native
+dnl linux device inside the namespace.
+ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
+ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
+                  [vni 0], [address f2:ff:00:00:00:04])
+
+NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00  > /dev/null])
+
+OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log])
+
+OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d
+/Unable to parse geneve options/d"])
+AT_CLEANUP
--- a/openvswitch.changes
+++ b/openvswitch.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb 15 06:53:54 UTC 2024 - Duraisankar P <Duraisankar.pitchumani@suse.com>
+
+- Fix CVE-2023-3966 [bsc#1219465] openvswitch3: Invalid memory access in Geneve with HW offload
+- Added patch,
+      +openvswitch-CVE-2023-3966.patch 
+
 -------------------------------------------------------------------
 Thu Feb  1 19:34:16 UTC 2024 - Duraisankar P <Duraisankar.pitchumani@suse.com>

--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -81,6 +81,8 @@ Patch4:         install-ovsdb-tools.patch
 Patch5:         CVE-2023-1668.patch
 # PATCH-FIX-UPSTREAM CVE-2023-5366.patch
 Patch6:         CVE-2023-5366.patch
+# Fix CVE-2023-3966 [bsc#1219465] -- Invalid memory access in Geneve with HW offload
+Patch7:         openvswitch-CVE-2023-3966.patch
 #OVN patches
 # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch
 Patch20:        0001-Run-ovn-as-openvswitch-openvswitch.patch
@ -422,6 +424,7 @@ Devel libraries and headers for Open Virtual Network.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 # remove python/ovs/dirs.py - this is generated from template to have proper paths
 rm python/ovs/dirs.py
 cd %{ovn_dir}