From 2323d7af6de10e09a08a54d93eacd5557fe63070 Mon Sep 17 00:00:00 2001
From: shirely16
Date: Wed, 1 Sep 2021 16:03:25 +0800
Subject: [PATCH 1/5] Change the OVS startup mode to service startup
---
 openvswitch.spec | 121 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 85 insertions(+), 36 deletions(-)
diff --git a/openvswitch.spec b/openvswitch.spec
index da973c8..b213807 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
 URL: http://www.openvswitch.org/
 Version: 2.12.0
 License: ASL 2.0 and ISC
-Release: 17
+Release: 18
 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot: /tmp/openvswitch-rpm
 Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
@@ -61,16 +61,44 @@ Python bindings for the Open vSwitch database %build autoreconf -./configure --prefix=/usr --sysconfdir=/etc --localstatedir=%{_localstatedir} \ - --libdir=%{_libdir} --enable-ssl --enable-shared +./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=%{_localstatedir} \ + --libdir=%{_libdir} \ + --enable-ssl \ + --enable-shared \ + --with-pkidir=%{_sharedstatedir}/openvswitch/pki \ + PYTHON=%{__python3} + +sed -i '1s/python/python3/g' build-aux/dpdkstrip.py + +build-aux/dpdkstrip.py \ + --nodpdk \ + < rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \ + > rhel/usr_lib_systemd_system_ovs-vswitchd.service + %make_build make selinux-policy %install -%make_install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT + +install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch -install -D -m 0755 rhel/etc_init.d_openvswitch $RPM_BUILD_ROOT/etc/init.d/openvswitch +install -p -D -m 0644 \ + rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \ + $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch +for service in openvswitch ovsdb-server ovs-vswitchd; do + install -p -D -m 0644 \ + rhel/usr_lib_systemd_system_${service}.service \ + $RPM_BUILD_ROOT%{_unitdir}/${service}.service +done + +install -m 0755 rhel/etc_init.d_openvswitch $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/openvswitch.init install -D -m 0644 rhel/etc_logrotate.d_openvswitch $RPM_BUILD_ROOT/etc/logrotate.d/openvswitch +install -D -m 0644 rhel/etc_openvswitch_default.conf $RPM_BUILD_ROOT/%{_sysconfdir}/openvswitch/default.conf install -D -m 0755 rhel/etc_sysconfig_network-scripts_ifup-ovs $RPM_BUILD_ROOT/etc/sysconfig/network-scripts/ifup-ovs install -D -m 0755 rhel/etc_sysconfig_network-scripts_ifdown-ovs $RPM_BUILD_ROOT/etc/sysconfig/network-scripts/ifdown-ovs install -D -m 0644 rhel/usr_share_openvswitch_scripts_sysconfig.template $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/sysconfig.template 
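Review bot: The %install section now runs `rm -rf $RPM_BUILD_ROOT` followed by a bare `make install DESTDIR=$RPM_BUILD_ROOT` in place of `%make_install`, which on stock rpm macros also passes `INSTALL="%{__install} -p"`, so files installed by the Makefile lose timestamp preservation while the hand-written `install -p` lines in the same hunk keep it. Keeping `%make_install` (current rpm already clears the buildroot before %install) would make the two install paths consistent. The `sed -i '1s/python/python3/g' build-aux/dpdkstrip.py` line deserves a why-comment, e.g. `# dpdkstrip.py's shebang is plain 'python'; point it at python3 before running it below`, since patching a build script in %build is not self-explanatory. The %build and %install sections continue outside the hunk.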
@@ -116,6 +144,8 @@ install -m 0644 lib/*.h $RPM_BUILD_ROOT/%{_includedir}/openvs install -D -m 0644 lib/.libs/libopenvswitch.a \ $RPM_BUILD_ROOT/%{_libdir}/libopenvswitch.a +install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch + install -d -m 0755 $RPM_BUILD_ROOT%{python3_sitelib} cp -a $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/* \ $RPM_BUILD_ROOT%{python3_sitelib} 
@@ -132,44 +162,52 @@ popd rm -rf $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/ -%clean -rm -rf $RPM_BUILD_ROOT +touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db +touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/.conf.db.~lock~ +touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf -%post -SYSCONFIG=/etc/sysconfig/openvswitch -TEMPLATE=/usr/share/openvswitch/scripts/sysconfig.template -if [ ! -e $SYSCONFIG ]; then - cp $TEMPLATE $SYSCONFIG -else - for var in $(awk -F'[ :]' '/^# [_A-Z0-9]+:/{print $2}' $TEMPLATE) - do - if ! grep $var $SYSCONFIG >/dev/null 2>&1; then - echo >> $SYSCONFIG - sed -n "/$var:/,/$var=/p" $TEMPLATE >> $SYSCONFIG - fi - done -fi +install -d $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ -/sbin/chkconfig --add openvswitch -/sbin/chkconfig openvswitch on +install -p -D -m 0755 \ + rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ + $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/ovs-systemd-reload -%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp +%clean +rm -rf $RPM_BUILD_ROOT %pre %selinux_relabel_pre -s targeted %preun -if [ "$1" = "0" ]; then # $1 = 0 for uninstall - /sbin/service openvswitch stop - /sbin/chkconfig --del openvswitch -fi +%if 0%{?systemd_preun:1} + %systemd_preun %{name}.service +%else + if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable %{name}.service >/dev/null 2>&1 || : + /bin/systemctl stop %{name}.service >/dev/null 2>&1 || : + fi +%endif + +%post +%if 0%{?systemd_post:1} + # This may not enable openvswitch service or do daemon-reload. 
+ %systemd_post %{name}.service +%else + # Package install, not upgrade + if [ $1 -eq 1 ]; then + /bin/systemctl daemon-reload >dev/null || : + fi +%endif + +%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp %postun -if [ "$1" = "0" ]; then # $1 = 0 for uninstall - rm -f /etc/openvswitch/conf.db - rm -f /etc/sysconfig/openvswitch - rm -f /etc/openvswitch/vswitchd.cacert -fi +%if 0%{?systemd_postun:1} + %systemd_postun %{name}.service +%else + /bin/systemctl daemon-reload >/dev/null 2>&1 || : +%endif if [ $1 -eq 0 ] ; then %selinux_modules_uninstall -s targeted openvswitch-custom @@ -184,7 +222,6 @@ exit 0 %dir /etc/openvswitch /etc/bash_completion.d/ovs-appctl-bashcomp.bash /etc/bash_completion.d/ovs-vsctl-bashcomp.bash -/etc/init.d/openvswitch %config(noreplace) /etc/logrotate.d/openvswitch /etc/sysconfig/network-scripts/ifup-ovs /etc/sysconfig/network-scripts/ifdown-ovs @@ -214,6 +251,17 @@ exit 0 /usr/share/openvswitch/scripts/ovs-vtep /usr/share/openvswitch/scripts/sysconfig.template /usr/share/openvswitch/scripts/ovs-monitor-ipsec +%{_sysconfdir}/openvswitch/default.conf +%config %ghost %{_sysconfdir}/openvswitch/conf.db +%ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~ +%config %ghost %{_sysconfdir}/openvswitch/system-id.conf +%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch +%defattr(-,root,root) +%{_unitdir}/openvswitch.service +%{_unitdir}/ovsdb-server.service +%{_unitdir}/ovs-vswitchd.service +/usr/share/openvswitch/scripts/openvswitch.init +/usr/share/openvswitch/scripts/ovs-systemd-reload /usr/share/openvswitch/vswitch.ovsschema /usr/share/openvswitch/vtep.ovsschema %doc NOTICE 
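Review bot: The `%else` branch of the new `%post` redirects with `>dev/null` instead of `>/dev/null`, so when that fallback runs (hosts where `%systemd_post` is undefined) the scriptlet would create a stray `dev/null` file relative to its working directory rather than discard output, and unlike the `%postun` fallback it leaves stderr unredirected. Change the line to `/bin/systemctl daemon-reload >/dev/null 2>&1 || :`. The same `>dev/null` redirect is repeated in the `%post ovn-central` and `%post ovn-host` scriptlets added by patch 3 (hunk `@@ -204,6 +260,46 @@`). Separately, the `%selinux_modules_install` line now hard-codes `/usr/share/selinux/packages/...` where the removed line used `%{_datadir}`; the macro form keeps it consistent with the rest of the spec. The `%postun` scriptlet continues outside the hunk.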
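Review bot: `%{_sysconfdir}/openvswitch/default.conf` is installed under /etc but listed without a `%config` marker, so an administrator's edits to it are silently overwritten on every upgrade, unlike the neighbouring `%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch`; list it as `%config(noreplace) %{_sysconfdir}/openvswitch/default.conf`. The `%defattr(-,root,root)` dropped into the middle of the list only applies to the entries after it, which reads as either misplaced (it belongs at the top of `%files`) or unnecessary; moving or removing it avoids the ambiguity. The `%files` list continues outside the hunk.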
@@ -237,11 +285,12 @@ exit 0 /usr/share/man/man5/* /usr/share/man/man7/* /usr/share/man/man8/* -%{_mandir}/man5/* -%{_mandir}/man7/* %doc README.rst NEWS rhel/README.RHEL.rst %changelog +* Wed Sep 1 2021 hanhui - 2.12.0-18 +- Change the OVS startup mode to service startup. + * Tue Aug 3 2021 huangtianhua - 2.12.0-17 - Adds python3-ovs as provide -- Gitee From 90c526f67c4edd4ae04eb6008d166307e5410316 Mon Sep 17 00:00:00 2001 From: shirely16 Date: Thu, 2 Sep 2021 15:53:01 +0800 Subject: [PATCH 2/5] Fix selinux preventing ovs-kmod-ctl err --- fix-selinux-err.patch | 41 +++++++++++++++++++++++++++++++++++++++++ openvswitch.spec | 7 ++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 fix-selinux-err.patch diff --git a/fix-selinux-err.patch b/fix-selinux-err.patch new file mode 100644 index 0000000..c51c91c --- /dev/null +++ b/fix-selinux-err.patch 
@@ -0,0 +1,41 @@ +From 3b35964c7da2a4000486c57e2c347c8cc67ac393 Mon Sep 17 00:00:00 2001 +Date: Wed, 1 Sep 2021 16:54:34 +0800 +Subject: [PATCH] openvswitch-2 + +--- + selinux/openvswitch-custom.te.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in +index b2c63ab..8f76c14 100644 +--- a/selinux/openvswitch-custom.te.in ++++ b/selinux/openvswitch-custom.te.in +@@ -15,10 +15,12 @@ require { + type ifconfig_exec_t; + type init_t; + type init_var_run_t; ++ type initrc_t; + type insmod_exec_t; + type kernel_t; + type hostname_exec_t; + type modules_conf_t; ++ type modules_dep_t; + type modules_object_t; + type passwd_file_t; + type plymouth_exec_t; +@@ -117,10 +119,12 @@ allow openvswitch_t openvswitch_load_module_t:process transition; + allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; + allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; + allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; ++allow openvswitch_load_module_t initrc_t:fifo_file ioctl; + allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; + allow openvswitch_load_module_t kernel_t:system module_request; + allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; + allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; ++allow openvswitch_load_module_t modules_dep_t:file open; + allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; + allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; + allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; +-- +2.27.0 + diff --git a/openvswitch.spec b/openvswitch.spec index b213807..79a7c52 100644 --- a/openvswitch.spec +++ b/openvswitch.spec 
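Review bot: The new fix-selinux-err.patch carries a placeholder `Subject: [PATCH] openvswitch-2` and no author or body, so a reviewer cannot tell which denials the four added rules (`type initrc_t;`, `type modules_dep_t;`, `allow openvswitch_load_module_t initrc_t:fifo_file ioctl;`, `allow openvswitch_load_module_t modules_dep_t:file open;`) are meant to resolve. Give the patch a descriptive subject and a body that quotes the AVC denials seen when ovs-kmod-ctl runs under the systemd unit (the commit title says this is what it fixes), so each grant can be checked against an actual denial rather than accepted on faith. Granting `open` on `modules_dep_t` without `read` is unusual; presumably `read` is already allowed elsewhere in the policy, but confirm, otherwise the denial just moves to the next permission.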
@@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 18 +Release: 19 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -19,6 +19,8 @@ Patch0006: CVE-2020-27827.patch Patch0007: CVE-2015-8011.patch Patch0008: backport-CVE-2021-36980.patch +Patch9000: fix-selinux-err.patch + Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel BuildRequires: python3-devel @@ -288,6 +290,9 @@ exit 0 %doc README.rst NEWS rhel/README.RHEL.rst %changelog +* Thu Sep 2 2021 hanhui - 2.12.0-19 +- Fix selinux preventing ovs-kmod-ctl err + * Wed Sep 1 2021 hanhui - 2.12.0-18 - Change the OVS startup mode to service startup. -- Gitee From 09965c4228e2f7f5ea21d2377d5f72c94aa4971f Mon Sep 17 00:00:00 2001 From: jxy_git Date: Wed, 23 Mar 2022 11:26:33 +0800 Subject: [PATCH 3/5] Add ovn-central ovn-central and ovn-host subpackage --- openvswitch.spec | 144 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 137 insertions(+), 7 deletions(-) diff --git a/openvswitch.spec b/openvswitch.spec index 79a7c52..726dad1 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 19 +Release: 20 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch 
@@ -58,6 +58,35 @@ Requires: python3-six %description -n python3-openvswitch Python bindings for the Open vSwitch database +%package ovn-central +Summary: Open vSwitch - Open Virtual Network support +Requires: openvswitch openvswitch-ovn-common +Requires: firewalld-filesystem + +%description ovn-central +OVN, the Open Virtual Network, is a system to support virtual network +abstraction. OVN complements the existing capabilities of OVS to add +native support for virtual network abstractions, such as virtual L2 and +L3 overlays and security groups. + +%package ovn-host +Summary: Open vSwitch - Open Virtual Network support +Requires: openvswitch openvswitch-ovn-common +Requires: firewalld-filesystem + +%description ovn-host +OVN, the Open Virtual Network, is a system to support virtual network +abstraction. OVN complements the existing capabilities of OVS to add +native support for virtual network abstractions, such as virtual L2 and +L3 overlays and security groups. + +%package ovn-common +Summary: Open vSwitch - Open Virtual Network support +Requires: openvswitch + +%description ovn-common +Utilities that are use to diagnose and manage the OVN components. + %prep %autosetup -p1 @@ -92,7 +121,7 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch install -p -D -m 0644 \ rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \ $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch -for service in openvswitch ovsdb-server ovs-vswitchd; do +for service in openvswitch ovsdb-server ovs-vswitchd ovn-northd ovn-controller; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ $RPM_BUILD_ROOT%{_unitdir}/${service}.service 
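Review bot: The three new subpackages depend on the base package with bare `Requires: openvswitch openvswitch-ovn-common`, which allows a newer ovn-central to be installed next to an older openvswitch whose ovn-ctl, schemas and libraries it was not built against; use `Requires: %{name} = %{version}-%{release}` and `Requires: %{name}-ovn-common = %{version}-%{release}`. All three `Summary:` lines are identical and the ovn-central and ovn-host descriptions are word-for-word the same, so `rpm -qi` cannot tell the packages apart; something like `Summary: Open vSwitch - OVN central components (ovn-northd)` and `Summary: Open vSwitch - OVN host components (ovn-controller)` would. The ovn-common description has a typo: `are use to` should read `are used to`.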
@@ -114,11 +143,9 @@ rm \ $RPM_BUILD_ROOT/usr/share/man/man8/ovs-test.8 \ $RPM_BUILD_ROOT/usr/share/man/man8/ovs-l3ping.8 \ $RPM_BUILD_ROOT/usr/sbin/ovs-vlan-bug-workaround \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-vlan-bug-workaround.8 \ - $RPM_BUILD_ROOT/usr/bin/ovn-* \ - $RPM_BUILD_ROOT/usr/share/man/man?/ovn-* \ - $RPM_BUILD_ROOT/usr/share/openvswitch/ovn-* \ - $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/ovn* + $RPM_BUILD_ROOT/usr/bin/ovn-docker-* \ + $RPM_BUILD_ROOT/usr/bin/ovn-controller-vtep \ + $RPM_BUILD_ROOT/usr/share/man/man8/ovs-vlan-bug-workaround.8 (cd "$RPM_BUILD_ROOT" && rm -rf usr/%{_lib}/*.la) (cd "$RPM_BUILD_ROOT" && rm -rf usr/include) @@ -169,6 +196,14 @@ touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/.conf.db.~lock~ touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf install -d $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ +install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \ + $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml +install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \ + $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml + +install -d -m 0755 $RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn +ln -s %{_datadir}/openvswitch/scripts/ovndb-servers.ocf \ + $RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers install -p -D -m 0755 \ rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ 
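Review bot: The shortened `rm` list still deletes `$RPM_BUILD_ROOT/usr/bin/ovn-controller-vtep` but no longer deletes `$RPM_BUILD_ROOT/usr/share/man/man?/ovn-*`, so if the 2.12 build installs an `ovn-controller-vtep.8` page (confirm against the build tree) it now stays in the buildroot and is swept into the base package by its `/usr/share/man/man8/*` glob, shipping a manual for a binary the package removes. Either add that man page to this `rm` list or keep the binary. The `rm` command itself begins above the hunk. The `ln -s %{_datadir}/openvswitch/scripts/ovndb-servers.ocf` target is an installed-system path rather than a buildroot path, which is correct for a symlink but worth a comment such as `# absolute target: resolved on the installed host, not inside the buildroot`.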
@@ -191,6 +226,27 @@ rm -rf $RPM_BUILD_ROOT fi %endif +%preun ovn-central +%if 0%{?systemd_preun:1} + %systemd_preun ovn-northd.service +%else + if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable ovn-northd.service >/dev/null 2>&1 || : + /bin/systemctl stop ovn-northd.service >/dev/null 2>&1 || : + fi +%endif + +%preun ovn-host +%if 0%{?systemd_preun:1} + %systemd_preun ovn-controller.service +%else + if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable ovn-controller.service >/dev/null 2>&1 || : + /bin/systemctl stop ovn-controller.service >/dev/null 2>&1 || : + fi +%endif %post %if 0%{?systemd_post:1} # This may not enable openvswitch service or do daemon-reload. 
@@ -204,6 +260,46 @@ rm -rf $RPM_BUILD_ROOT %selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp +%post ovn-central +%if 0%{?systemd_post:1} + %systemd_post ovn-northd.service +%else + # Package install, not upgrade + if [ $1 -eq 1 ]; then + /bin/systemctl daemon-reload >dev/null || : + fi +%endif + +%post ovn-host +%if 0%{?systemd_post:1} + %systemd_post ovn-controller.service +%else + # Package install, not upgrade + if [ $1 -eq 1 ]; then + /bin/systemctl daemon-reload >dev/null || : + fi +%endif +%postun ovn-central +%if 0%{?systemd_postun_with_restart:1} + %systemd_postun_with_restart ovn-northd.service +%else + /bin/systemctl daemon-reload >/dev/null 2>&1 || : + if [ "$1" -ge "1" ] ; then + # Package upgrade, not uninstall + /bin/systemctl try-restart ovn-northd.service >/dev/null 2>&1 || : + fi +%endif + +%postun ovn-host +%if 0%{?systemd_postun_with_restart:1} + %systemd_postun_with_restart ovn-controller.service +%else + /bin/systemctl daemon-reload >/dev/null 2>&1 || : + if [ "$1" -ge "1" ] ; then + # Package upgrade, not uninstall + /bin/systemctl try-restart ovn-controller.service >/dev/null 2>&1 || : + fi +%endif %postun %if 0%{?systemd_postun:1} %systemd_postun %{name}.service 
@@ -289,7 +385,41 @@ exit 0 /usr/share/man/man8/* %doc README.rst NEWS rhel/README.RHEL.rst +%files ovn-common +%{_bindir}/ovn-detrace +%{_bindir}/ovn-nbctl +%{_bindir}/ovn-sbctl +%{_bindir}/ovn-trace +%{_datadir}/openvswitch/scripts/ovn-ctl +%{_datadir}/openvswitch/scripts/ovndb-servers.ocf +%{_mandir}/man1/ovn-detrace.1* +%{_mandir}/man8/ovn-ctl.8* +%{_mandir}/man8/ovn-nbctl.8* +%{_mandir}/man8/ovn-trace.8* +%{_mandir}/man7/ovn-architecture.7* +%{_mandir}/man8/ovn-sbctl.8* +%{_mandir}/man5/ovn-nb.5* +%{_mandir}/man5/ovn-sb.5* +%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers + +%files ovn-central +%{_bindir}/ovn-northd +%{_mandir}/man8/ovn-northd.8* +%config %{_datadir}/openvswitch/ovn-nb.ovsschema +%config %{_datadir}/openvswitch/ovn-sb.ovsschema +%{_unitdir}/ovn-northd.service +%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml + +%files ovn-host +%{_bindir}/ovn-controller +%{_mandir}/man8/ovn-controller.8* +%{_unitdir}/ovn-controller.service +%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml + %changelog +* Wed May 18 2022 jiangxinyu - 2.12.0-20 +- Add ovn-central ovn-central and ovn-host subpackage + * Thu Sep 2 2021 hanhui - 2.12.0-19 - Fix selinux preventing ovs-kmod-ctl err -- Gitee From 81f3215f5078be990cc16c77f022911b58e2eb58 Mon Sep 17 00:00:00 2001 From: zhouwenpei Date: Wed, 13 Jul 2022 17:30:58 +0800 Subject: [PATCH 4/5] fix CVE-2021-3905 --- CVE-2021-3905.patch | 63 +++++++++++++++++++++++++++++++++++++++++++++ openvswitch.spec | 6 ++++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-3905.patch diff --git a/CVE-2021-3905.patch b/CVE-2021-3905.patch new file mode 100644 index 0000000..c3db7ae --- /dev/null +++ b/CVE-2021-3905.patch 
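Review bot: `%config %{_datadir}/openvswitch/ovn-nb.ovsschema` and `%config %{_datadir}/openvswitch/ovn-sb.ovsschema` mark read-only schema files under /usr/share as configuration, which rpmlint flags and which makes rpm preserve local edits to them across upgrades; drop the `%config` prefix. The ovn man pages listed here under `%{_mandir}/man8`, `man5` and `man7` are also matched by the base package's `/usr/share/man/man8/*` (visible as context in this hunk), `/usr/share/man/man5/*` and `/usr/share/man/man7/*` globs, so each page ends up owned by two packages unless the base `%files` gains `%exclude` entries for the ovn pages or narrows its globs. The changelog entry repeats `ovn-central ovn-central`; presumably it was meant to read `ovn-central, ovn-common and ovn-host`.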
@@ -0,0 +1,63 @@ +From a5e7296363137b4d77d1ae1ffb7bc2be5980bd9c Mon Sep 17 00:00:00 2001 +From: qz_cx +Date: Fri, 8 Jul 2022 13:59:53 +0800 +Subject: [PATCH] ipf: release unhandled packets from the batch Since 640d4db + ("ipf: Fix a use-after-free error, ...") the ipf framework unconditionally + allocates a new dp_packet to track individual fragments. This prevents a + use-after-free. However, an additional issue was present - even when the + packet buffer is cloned, if the ip fragment handling code keeps it, the + original buffer is leaked during the refill loop. Even in the original + processing code, the hardcoded dnsteal branches would always leak a packet + buffer from the refill loop. + +This can be confirmed with valgrind: + +==717566== 16,672 (4,480 direct, 12,192 indirect) bytes in 8 blocks are definitely lost in loss record 390 of 390 +==717566== at 0x484086F: malloc (vg_replace_malloc.c:380) +==717566== by 0x537BFD: xmalloc__ (util.c:137) +==717566== by 0x537BFD: xmalloc (util.c:172) +==717566== by 0x46DDD4: dp_packet_new (dp-packet.c:153) +==717566== by 0x46DDD4: dp_packet_new_with_headroom (dp-packet.c:163) +==717566== by 0x550AA6: netdev_linux_batch_rxq_recv_sock.constprop.0 (netdev-linux.c:1262) +==717566== by 0x5512AF: netdev_linux_rxq_recv (netdev-linux.c:1511) +==717566== by 0x4AB7E0: netdev_rxq_recv (netdev.c:727) +==717566== by 0x47F00D: dp_netdev_process_rxq_port (dpif-netdev.c:4699) +==717566== by 0x47FD13: dpif_netdev_run (dpif-netdev.c:5957) +==717566== by 0x4331D2: type_run (ofproto-dpif.c:370) +==717566== by 0x41DFD8: ofproto_type_run (ofproto.c:1768) +==717566== by 0x40A7FB: bridge_run__ (bridge.c:3245) +==717566== by 0x411269: bridge_run (bridge.c:3310) +==717566== by 0x406E6C: main (ovs-vswitchd.c:127) + +The fix is to delete the original packet when it isn't able to be +reinserted into the packet batch. Subsequent valgrind runs show that +the packets are not leaked from the batch any longer. 
+ +Fixes: 640d4db ("ipf: Fix a use-after-free error, and remove the 'do_not_steal' flag.") +Fixes: 4ea9669 ("Userspace datapath: Add fragmentation handling.") +Reported-by: Wan Junjie +Reported-at: openvswitch/ovs-issues#226 +Signed-off-by: Aaron Conole +Reviewed-by: David Marchand +Tested-by: Wan Junjie +Signed-off-by: Alin-Gabriel Serdean +--- + lib/ipf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ipf.c b/lib/ipf.c +index 4cc0f2d..e8858d2 100644 +--- a/lib/ipf.c ++++ b/lib/ipf.c +@@ -941,6 +941,8 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb, + if (!ipf_handle_frag(ipf, pkt, dl_type, zone, now, hash_basis, + pb->do_not_steal)) { + dp_packet_batch_refill(pb, pkt, pb_idx); ++ } else { ++ dp_packet_delete(pkt); + } + ovs_mutex_unlock(&ipf->ipf_lock); + } else { +-- +2.33.0 + diff --git a/openvswitch.spec b/openvswitch.spec index 726dad1..3d06bd6 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 20 +Release: 21 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -18,6 +18,7 @@ Patch0005: CVE-2020-35498.patch Patch0006: CVE-2020-27827.patch Patch0007: CVE-2015-8011.patch Patch0008: backport-CVE-2021-36980.patch +Patch0009: CVE-2021-3905.patch Patch9000: fix-selinux-err.patch @@ -417,6 +418,9 @@ exit 0 %{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml %changelog +* Wed Jul 13 2022 zhouwenpei - 2.12.0-21 +- fix CVE-2021-3905 + * Wed May 18 2022 jiangxinyu - 2.12.0-20 - Add ovn-central ovn-central and ovn-host subpackage -- Gitee From 81b79eff875bda3472728f0ec6d84162707002b4 Mon Sep 17 00:00:00 2001 
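Review bot: The added `else { dp_packet_delete(pkt); }` in ipf_extract_frags_from_batch is only safe if `ipf_handle_frag` never retains `pkt` itself; the patch description says this holds because upstream 640d4db made the framework clone every fragment, so the backport header should state whether that prerequisite is already present in this 2.12 tree — if it is not, the new line turns the leak into a double free / use-after-free of a fragment still held in the reassembly list. Add a line to the patch header such as `Backport note: requires 640d4db ("ipf: Fix a use-after-free error, ...") to be present; verified in 2.12.0` once checked, and record the upstream commit this was taken from, since the header carries the upstream sign-offs but the `From:` line names the backporter. The surrounding function begins and ends outside the hunk.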
From: zhouwenpei Date: Mon, 25 Jul 2022 23:41:45 +0800 Subject: [PATCH 5/5] revent Add ovn-central ovn-central and ovn-host subpackage --- openvswitch.spec | 146 ++++------------------------------------------- 1 file changed, 11 insertions(+), 135 deletions(-) diff --git a/openvswitch.spec b/openvswitch.spec index 3d06bd6..426a91a 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 21 +Release: 22 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -18,7 +18,7 @@ Patch0005: CVE-2020-35498.patch Patch0006: CVE-2020-27827.patch Patch0007: CVE-2015-8011.patch Patch0008: backport-CVE-2021-36980.patch -Patch0009: CVE-2021-3905.patch +Patch0009: CVE-2021-3905.patch Patch9000: fix-selinux-err.patch 
@@ -59,35 +59,6 @@ Requires: python3-six %description -n python3-openvswitch Python bindings for the Open vSwitch database -%package ovn-central -Summary: Open vSwitch - Open Virtual Network support -Requires: openvswitch openvswitch-ovn-common -Requires: firewalld-filesystem - -%description ovn-central -OVN, the Open Virtual Network, is a system to support virtual network -abstraction. OVN complements the existing capabilities of OVS to add -native support for virtual network abstractions, such as virtual L2 and -L3 overlays and security groups. - -%package ovn-host -Summary: Open vSwitch - Open Virtual Network support -Requires: openvswitch openvswitch-ovn-common -Requires: firewalld-filesystem - -%description ovn-host -OVN, the Open Virtual Network, is a system to support virtual network -abstraction. OVN complements the existing capabilities of OVS to add -native support for virtual network abstractions, such as virtual L2 and -L3 overlays and security groups. - -%package ovn-common -Summary: Open vSwitch - Open Virtual Network support -Requires: openvswitch - -%description ovn-common -Utilities that are use to diagnose and manage the OVN components. - %prep %autosetup -p1 @@ -122,7 +93,7 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch install -p -D -m 0644 \ rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \ $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch -for service in openvswitch ovsdb-server ovs-vswitchd ovn-northd ovn-controller; do +for service in openvswitch ovsdb-server ovs-vswitchd; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ $RPM_BUILD_ROOT%{_unitdir}/${service}.service 
@@ -144,9 +115,11 @@ rm \ $RPM_BUILD_ROOT/usr/share/man/man8/ovs-test.8 \ $RPM_BUILD_ROOT/usr/share/man/man8/ovs-l3ping.8 \ $RPM_BUILD_ROOT/usr/sbin/ovs-vlan-bug-workaround \ - $RPM_BUILD_ROOT/usr/bin/ovn-docker-* \ - $RPM_BUILD_ROOT/usr/bin/ovn-controller-vtep \ - $RPM_BUILD_ROOT/usr/share/man/man8/ovs-vlan-bug-workaround.8 + $RPM_BUILD_ROOT/usr/share/man/man8/ovs-vlan-bug-workaround.8 \ + $RPM_BUILD_ROOT/usr/bin/ovn-* \ + $RPM_BUILD_ROOT/usr/share/man/man?/ovn-* \ + $RPM_BUILD_ROOT/usr/share/openvswitch/ovn-* \ + $RPM_BUILD_ROOT/usr/share/openvswitch/scripts/ovn* (cd "$RPM_BUILD_ROOT" && rm -rf usr/%{_lib}/*.la) (cd "$RPM_BUILD_ROOT" && rm -rf usr/include) @@ -197,14 +170,6 @@ touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/.conf.db.~lock~ touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf install -d $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ -install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \ - $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml -install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \ - $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml - -install -d -m 0755 $RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn -ln -s %{_datadir}/openvswitch/scripts/ovndb-servers.ocf \ - $RPM_BUILD_ROOT%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers install -p -D -m 0755 \ rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ 
@@ -227,27 +192,6 @@ rm -rf $RPM_BUILD_ROOT fi %endif -%preun ovn-central -%if 0%{?systemd_preun:1} - %systemd_preun ovn-northd.service -%else - if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable ovn-northd.service >/dev/null 2>&1 || : - /bin/systemctl stop ovn-northd.service >/dev/null 2>&1 || : - fi -%endif - -%preun ovn-host -%if 0%{?systemd_preun:1} - %systemd_preun ovn-controller.service -%else - if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable ovn-controller.service >/dev/null 2>&1 || : - /bin/systemctl stop ovn-controller.service >/dev/null 2>&1 || : - fi -%endif %post %if 0%{?systemd_post:1} # This may not enable openvswitch service or do daemon-reload. 
@@ -261,46 +205,6 @@ rm -rf $RPM_BUILD_ROOT %selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp -%post ovn-central -%if 0%{?systemd_post:1} - %systemd_post ovn-northd.service -%else - # Package install, not upgrade - if [ $1 -eq 1 ]; then - /bin/systemctl daemon-reload >dev/null || : - fi -%endif - -%post ovn-host -%if 0%{?systemd_post:1} - %systemd_post ovn-controller.service -%else - # Package install, not upgrade - if [ $1 -eq 1 ]; then - /bin/systemctl daemon-reload >dev/null || : - fi -%endif -%postun ovn-central -%if 0%{?systemd_postun_with_restart:1} - %systemd_postun_with_restart ovn-northd.service -%else - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - if [ "$1" -ge "1" ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart ovn-northd.service >/dev/null 2>&1 || : - fi -%endif - -%postun ovn-host -%if 0%{?systemd_postun_with_restart:1} - %systemd_postun_with_restart ovn-controller.service -%else - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - if [ "$1" -ge "1" ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart ovn-controller.service >/dev/null 2>&1 || : - fi -%endif %postun %if 0%{?systemd_postun:1} %systemd_postun %{name}.service 
@@ -386,38 +290,10 @@ exit 0 /usr/share/man/man8/* %doc README.rst NEWS rhel/README.RHEL.rst -%files ovn-common -%{_bindir}/ovn-detrace -%{_bindir}/ovn-nbctl -%{_bindir}/ovn-sbctl -%{_bindir}/ovn-trace -%{_datadir}/openvswitch/scripts/ovn-ctl -%{_datadir}/openvswitch/scripts/ovndb-servers.ocf -%{_mandir}/man1/ovn-detrace.1* -%{_mandir}/man8/ovn-ctl.8* -%{_mandir}/man8/ovn-nbctl.8* -%{_mandir}/man8/ovn-trace.8* -%{_mandir}/man7/ovn-architecture.7* -%{_mandir}/man8/ovn-sbctl.8* -%{_mandir}/man5/ovn-nb.5* -%{_mandir}/man5/ovn-sb.5* -%{_prefix}/lib/ocf/resource.d/ovn/ovndb-servers - -%files ovn-central -%{_bindir}/ovn-northd -%{_mandir}/man8/ovn-northd.8* -%config %{_datadir}/openvswitch/ovn-nb.ovsschema -%config %{_datadir}/openvswitch/ovn-sb.ovsschema -%{_unitdir}/ovn-northd.service -%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml - -%files ovn-host -%{_bindir}/ovn-controller -%{_mandir}/man8/ovn-controller.8* -%{_unitdir}/ovn-controller.service -%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml - %changelog +* Mon Jul 25 2022 zhouwenpei - 2.12.0-22 +- revent "Add ovn-central ovn-central and ovn-host subpackage" + * Wed Jul 13 2022 zhouwenpei - 2.12.0-21 - fix CVE-2021-3905 -- Gitee