diff --git a/backport-CVE-2023-3966.patch b/backport-CVE-2023-3966.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e45a3fb608b9e501ccb2cc7498f1fabb3d1d33b3
--- /dev/null
+++ b/backport-CVE-2023-3966.patch
@@ -0,0 +1,144 @@
+From 2cfbcd5247ed0fd941c1ebb9f4adb952b67fe13a Mon Sep 17 00:00:00 2001
+From: Timothy Redaelli
+Date: Thu, 23 Nov 2023 19:47:54 +0100
+Subject: [PATCH] netdev-offload-tc: Check geneve metadata length.
+
+Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve
+packet with corrupted metadata is received, because the metadata header
+is not verified correctly.
+
+This commit adds a check for geneve metadata length and, if the header
+is wrong, the packet is not sent to flower.
+
+It also includes a system-traffic test for geneve packets with corrupted
+metadata.
+
+Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload")
+Reported-by: Haresh Khandelwal
+Signed-off-by: Timothy Redaelli
+Signed-off-by: Ilya Maximets
+---
+ lib/netdev-offload-tc.c | 25 ++++++++++++++++++++-----
+ tests/system-traffic.at | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+), 5 deletions(-)
+
+diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
+index 164c7eef63e..921d5231777 100644
+--- a/lib/netdev-offload-tc.c
++++ b/lib/netdev-offload-tc.c
+@@ -1785,12 +1785,12 @@ test_key_and_mask(struct match *match)
+ return 0;
+ }
+
+-static void
++static int
+ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ struct flow_tnl *tnl_mask)
+ {
+ struct geneve_opt *opt, *opt_mask;
+- int len, cnt = 0;
++ int tot_opt_len, len, cnt = 0;
+
+ /* 'flower' always has an exact match on tunnel metadata length, so having
+ * it in a wrong format is not acceptable unless it is empty.
*/
+@@ -1806,7 +1806,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ memset(&tnl_mask->metadata.present.map, 0,
+ sizeof tnl_mask->metadata.present.map);
+ }
+- return;
++ return 0;
+ }
+
+ tnl_mask->flags &= ~FLOW_TNL_F_UDPIF;
+@@ -1820,7 +1820,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ sizeof tnl_mask->metadata.present.len);
+
+ if (!tnl->metadata.present.len) {
+- return;
++ return 0;
+ }
+
+ memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv,
+@@ -1834,7 +1834,16 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ * also not masks, but actual lengths in the 'flower' structure. */
+ len = flower->key.tunnel.metadata.present.len;
+ while (len) {
++ if (len < sizeof *opt) {
++ return EOPNOTSUPP;
++ }
++
+ opt = &flower->key.tunnel.metadata.opts.gnv[cnt];
++ tot_opt_len = sizeof *opt + opt->length * 4;
++ if (len < tot_opt_len) {
++ return EOPNOTSUPP;
++ }
++
+ opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt];
+
+ opt_mask->length = opt->length;
+@@ -1842,6 +1851,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ cnt += sizeof(struct geneve_opt) / 4 + opt->length;
+ len -= sizeof(struct geneve_opt) + opt->length * 4;
+ }
++
++ return 0;
+ }
+
+ static void
+@@ -2287,7 +2298,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
+ tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM);
+
+ if (!strcmp(netdev_get_type(netdev), "geneve")) {
+- flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++ if (err) {
++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");
++ return err;
++ }
+ }
+ flower.tunnel = true;
+ } else {
+diff --git a/tests/system-traffic.at b/tests/system-traffic.at
+index 418cd32..4c40580 100644
+--- a/tests/system-traffic.at
++++ b/tests/system-traffic.at
+@@ -903,6 +903,39 @@ ovs-pcap p0.pcap
+
AT_CHECK([ovs-pcap p0.pcap | grep -Eq "^[[[:xdigit:]]]{24}86dd60000000003a1140fc000000000000000000000000000100fc000000000000000000000000000001[[[:xdigit:]]]{4}17c1003a[[[:xdigit:]]]{4}0000655800000000fffffffffffffa163e949d8008060001080006040001[[[:xdigit:]]]{12}0a0000f40000000000000a0000fe$"])
+ AT_CLEANUP
+
++AT_SETUP([datapath - handling of geneve corrupted metadata])
++OVS_CHECK_TUNNEL_TSO()
++OVS_CHECK_GENEVE()
++
++OVS_TRAFFIC_VSWITCHD_START(
++ [_ADD_BR([br-underlay]) -- \
++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \
++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02])
++
++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
++
++ADD_NAMESPACES(at_ns0)
++
++dnl Set up underlay link from host into the namespace using veth pair.
++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
++AT_CHECK([ip link set dev br-underlay up])
++
++dnl Set up tunnel endpoints on OVS outside the namespace and with a native
++dnl linux device inside the namespace.
++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
++ [vni 0], [address f2:ff:00:00:00:04])
++
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null])
++
++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log])
++
++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d
++/Unable to parse geneve options/d"])
++AT_CLEANUP
++
+ AT_SETUP([datapath - ping over gre tunnel by simulated packets])
+ OVS_CHECK_TUNNEL_TSO()
+ OVS_CHECK_MIN_KERNEL(3, 10)
diff --git a/fix-selinux-err.patch b/fix-selinux-err.patch
index 7d2948e3ee49a0de2ba41e605f906f7b5c895057..e626c65aa384f0dc8650186273ce3cbb72466771 100644
--- a/fix-selinux-err.patch
+++ b/fix-selinux-err.patch
@@ -1,16 +1,97 @@
+From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001
+From: zhangpan
+Date: Fri, 29 Mar 2024 15:26:06 +0800
+Subject: [PATCH] fix selinux err
+
+add openvswitch-ipsec.service policy
+
+---
+ selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 5 deletions(-)
+
 diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
-index 9f51f604e..77b0bd98f 100644
+index 9f51f60..1b34147 100644
 --- a/selinux/openvswitch-custom.te.in
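Review bot: In the new bounds checks inside `flower_match_to_tun_opt`, `len` is an `int` compared against `sizeof *opt` (a `size_t`), so the comparison is performed unsigned and a negative `len` would pass the check rather than fail it. It cannot actually go negative here — it starts from `present.len` and is only decremented by `sizeof(struct geneve_opt) + opt->length * 4` after that amount has just been bounded — but the invariant is implicit and free to make explicit. I would declare the lengths unsigned so the check does not rely on it: `size_t tot_opt_len, len;` / `int cnt = 0;`, keeping `cnt` as the index type. A one-line comment on the first check, `/* Reject a truncated header before trusting opt->length. */`, would record why the two checks are ordered as they are. Both inner hunks cut through `flower_match_to_tun_opt` and `netdev_tc_flow_put`, whose bodies start outside the hunk.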
+++ b/selinux/openvswitch-custom.te.in
-@@ -15,6 +15,7 @@ require {
+@@ -12,11 +12,22 @@ require {
+ type openvswitch_var_run_t;
+
+ type bin_t;
++ type etc_t;
 type ifconfig_exec_t;
++ type ipsec_t;
++ type ipsec_conf_file_t;
++ type ipsec_exec_t;
++ type ipsec_key_file_t;
++ type ipsec_mgmt_exec_t;
++ type ipsec_mgmt_unit_file_t;
++ type ipsec_var_run_t;
 type init_t;
 type init_var_run_t;
-+ type initrc_t;
++ type initrc_t;
 type insmod_exec_t;
 type kernel_t;
++ type ldconfig_exec_t;
++ type systemd_systemctl_exec_t;
 type hostname_exec_t;
-@@ -118,6 +119,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
+ type modules_conf_t;
+ type modules_dep_t;
+@@ -45,7 +56,7 @@ require {
+ class chr_file { write getattr read open ioctl map };
+ class dir { write remove_name add_name lock read getattr search open };
+ class fd { use };
+- class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
++ class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+ class fifo_file { getattr read write append ioctl lock open };
+ class filesystem getattr;
+ class lnk_file { read open };
+@@ -55,11 +66,12 @@ require {
+ class netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+ class netlink_socket { setopt getopt create connect getattr write read };
+- class sock_file { write };
++ class sock_file { read write };
+ class system { module_load module_request };
+ class process { sigchld signull transition noatsecure siginh rlimitinh };
+ class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
+
++ class service { start status };
+ @begin_dpdk@
+ class sock_file { read append getattr open };
+ class tun_socket { relabelfrom relabelto create };
+@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
+ domtrans_pattern(openvswitch_t,
openvswitch_load_module_exec_t, openvswitch_load_module_t);
+
+ #============= openvswitch_t ==============
+-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
+-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
++allow openvswitch_t etc_t:dir { write };
++allow openvswitch_t ifconfig_exec_t:file map;
++allow openvswitch_t init_t:file { getattr open read };
++allow openvswitch_t init_t:lnk_file read;
++allow openvswitch_t init_t:unix_stream_socket connectto;
++allow openvswitch_t ipsec_t:unix_stream_socket connectto;
++allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };
++allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read };
++allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write };
++allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink };
++allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read };
++allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status };
++allow openvswitch_t ipsec_var_run_t:sock_file { read write };
++allow openvswitch_t ldconfig_exec_t:file execute;
++allow openvswitch_t ldconfig_exec_t:file map;
++allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read };
++allow openvswitch_t systemd_systemctl_exec_t:file map;
++allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
++
++allow openvswitch_t self:capability { dac_override net_broadcast net_raw };
++allow openvswitch_t self:netlink_audit_socket { create read write };
++allow openvswitch_t self:netlink_netfilter_socket { create read write };
+ @begin_dpdk@
+ allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+@@ -118,6 +149,7 @@ allow openvswitch_t
openvswitch_load_module_t:process transition;
 allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
 allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
 allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
@@ -18,3 +99,6 @@ index 9f51f604e..77b0bd98f 100644
 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
 allow openvswitch_load_module_t kernel_t:system module_request;
 allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+--
+2.27.0
+
diff --git a/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch b/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8d272a32957189fcc4b96ea523264181cabd0f86
--- /dev/null
+++ b/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
@@ -0,0 +1,24 @@
+From 5e2e60e2f05195f506ea68fe17e72a2a6fe4bdbe Mon Sep 17 00:00:00 2001
+From: zhangpan
+Date: Fri, 29 Mar 2024 15:26:47 +0800
+Subject: [PATCH] Fix the problem that openvswitch-ipsec.service causes ipsec.service to fail to start
+
+---
+ ipsec/ovs-monitor-ipsec.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
+index 7945162..c4f48e9 100755
+--- a/ipsec/ovs-monitor-ipsec.in
++++ b/ipsec/ovs-monitor-ipsec.in
+@@ -389,6 +389,7 @@ class LibreSwanHelper(object):
+ """This class does LibreSwan specific configurations."""
+ CONF_HEADER = """%s
+ config setup
++ nssdir=/etc/ipsec.d
+ uniqueids=yes
+
+ conn %%default
+--
+2.27.0
+
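Review bot: `allow openvswitch_t etc_t:dir { write };` grants the vswitchd domain write access to every directory labelled `etc_t`, `/etc` itself included, which is far wider than the ipsec-service need the commit message describes, and on its own it is not even sufficient to create a file there (that also needs `add_name`), so it reads like an audit2allow residue rather than a deliberate rule. Together with the new `execute_no_trans` rules on `ldconfig_exec_t` and `systemd_systemctl_exec_t` and `ipsec_mgmt_unit_file_t:service { start status }`, a compromised ovs-vswitchd could write under /etc, run systemctl in its own domain and start or stop the host's IPsec service. The file already isolates module loading in its own domain (`domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t)` is in the hunk's context); the same pattern, a dedicated domain for ovs-monitor-ipsec entered from the unit and holding only the ipsec_* rules, would keep these permissions away from the packet-processing daemon — I assume the monitor currently runs as openvswitch_t, which is what these rules suggest, but cannot confirm that from the diff. At minimum drop the `etc_t` rule in favour of the specific directory type needed, fold the three `ldconfig_exec_t:file` lines into one `allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans map open read };`, and say in the commit message why `audit_write` and `nlmsg_relay` were removed from the `self:capability` and netlink rules.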
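Review bot: The new `nssdir=/etc/ipsec.d` line hard-codes the system-wide Libreswan NSS database into the `config setup` block that ovs-monitor-ipsec generates, and nothing in the hunk says why that directory is the right one or ties it to the path the helper uses for its own NSS commands. Presumably the failure in the title comes from the OVS-managed instance and ipsec.service disagreeing on the NSS directory; if so, the header (already a `%`-format template) should interpolate the helper's existing ipsec.d setting rather than a literal so the two cannot drift — upstream exposes that path through an `--ipsec-d` option, if I recall correctly, but it is not visible here. Because the accompanying policy change also lets the daemon create and unlink `ipsec_key_file_t` files, sharing this database means certificates OVS imports or removes land in, and vanish from, the host's own IPsec key store, which deserves a comment placed as a Python comment above `CONF_HEADER` (text inside the template ends up in ipsec.conf): `# Share the system NSS database with ipsec.service; keys OVS imports are visible to, and removable from, both.`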
diff --git a/openvswitch-2.17.5.tar.gz b/openvswitch-3.2.1.tar.gz
similarity index 50%
rename from openvswitch-2.17.5.tar.gz
rename to openvswitch-3.2.1.tar.gz
index bebe967830130ae36a7b794be89ee5fa6c133c63..531ba92d56ed0a775e3617fc82de00078396e742 100644
Binary files a/openvswitch-2.17.5.tar.gz and b/openvswitch-3.2.1.tar.gz differ
diff --git a/openvswitch.spec b/openvswitch.spec
index c3d2967c2ac187cfa51fbccc6ef2a62bb4f4134d..61ccd271b76b046b007388184e7bbe2385806266 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -12,7 +12,7 @@ Name: openvswitch
 Summary: Open vSwitch daemon/database/utilities
 URL: https://www.openvswitch.org/
-Version: 2.17.5
+Version: 3.2.1
 Release: 4
 License: ASL 2.0 and LGPLv2+ and SISSL
@@ -21,7 +21,9 @@ Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
 Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
 Patch0002: 0002-Remove-unsupported-permission-names.patch
 Patch0003: fix-selinux-err.patch
-Patch6000: backport-CVE-2023-1668.patch
+Patch0004: fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
+
+Patch6000: backport-CVE-2023-3966.patch
 BuildRequires: gcc gcc-c++ make
 BuildRequires: autoconf automake libtool
@@ -30,9 +32,11 @@ BuildRequires: python3-devel python3-six python3-setuptools
 BuildRequires: python3-sphinx
 BuildRequires: desktop-file-utils
 BuildRequires: groff-base graphviz
-BuildRequires: unbound-devel
+BuildRequires: unbound-devel groff
 # make check dependencies
 BuildRequires: procps-ng
+BuildRequires: checkpolicy selinux-policy-devel
+BuildRequires: chrpath
 %if %{with check_datapath_kernel}
 BuildRequires: nmap-ncat
@@ -47,6 +51,7 @@ BuildRequires: dpdk-devel libpcap-devel numactl-devel
 %endif
 Requires: openssl iproute module-init-tools
+Requires: selinux-policy-targeted
 Requires(post): /bin/sed
 Requires(post): %{_sbindir}/update-alternatives
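Review bot: `Requires: selinux-policy-targeted` in the `@@ -47,6 +51,7 @@` hunk makes the targeted policy a hard install-time dependency of the main package on every host, while still not guaranteeing that `semodule` (policycoreutils) is present when `%post` runs `%selinux_modules_install`. The conventional form is `%{?selinux_requires}`, which expands to the `Requires(post)`/`Requires(postun)` set for `selinux-policy-base` and `policycoreutils` that the module macros need, and stays empty where the macro is undefined; the spec already build-requires `selinux-policy-devel`, so the macro should be available, though I cannot confirm that from the diff. I would replace the line with `%{?selinux_requires}`.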
@@ -144,6 +149,9 @@ ln -s ../configure
 --enable-ssl \
 --with-pkidir=%{_sharedstatedir}/openvswitch/pki
 make %{?_smp_mflags}
+sed -i "s#selinux/openvswitch-custom.te selinux/openvswitch-custom.fc#../selinux/openvswitch-custom.te ../selinux/openvswitch-custom.fc#g" Makefile
+sed -i "s#-C selinux/ -f#-C ../selinux/ -f#g" Makefile
+make selinux-policy
 popd
 %if %{with dpdk}
 pushd build-dpdk
@@ -186,6 +194,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/run/openvswitch
 install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
 install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch
+install -p -m 644 -D selinux/openvswitch-custom.pp \
+ $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
+
 install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \
 $RPM_BUILD_ROOT%{_udevrulesdir}/91-vfio.rules
@@ -243,6 +254,9 @@ install -p -D -m 0755 \
 rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
 $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
+chrpath -d $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd.dpdk
+chrpath -d $RPM_BUILD_ROOT%{_libdir}/openvswitch-dpdk/libofproto*.so.*
+
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
@@ -289,6 +303,9 @@ pushd $dir
 %endif
 popd
 done
+
+%pre
+%selinux_relabel_pre -s targeted
 %preun
 %if 0%{?systemd_preun:1}
@@ -310,6 +327,7 @@ done
 /bin/systemctl daemon-reload >dev/null || :
 fi
 %endif
+%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp
 %postun
 %if 0%{?systemd_postun:1}
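Review bot: The two `sed -i` commands in the `@@ -144,6 +149,9 @@` hunk rewrite rule text in the generated Makefile so that `selinux-policy` works from the `build-shared` VPATH directory; if a later upstream release changes that rule text the substitutions silently do nothing and the build only fails afterwards at `make selinux-policy` with an unrelated-looking error. A cheap guard makes the dependence on upstream's wording explicit, e.g. `grep -q -- '-C selinux/ -f' Makefile || { echo 'selinux-policy rule changed, update the sed above' >&2; exit 1; }` before the edits. A comment stating why the paths are rewritten, `# VPATH build: the selinux sources live in ../selinux, not in build-shared`, would help whoever bumps the next version.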
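Review bot: `%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp` in the `@@ -310,6 +327,7 @@` hunk spells the path literally, whereas `%install` and `%files` refer to the same file as `%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp`; if `_datadir` ever differs the module is shipped to one place and loaded from another. Use the macro here as well, `%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp`. Unrelated but visible in the same context, `/bin/systemctl daemon-reload >dev/null || :` is missing the leading slash and redirects to a relative `dev/null`; it happens to be harmless only because rpm runs scriptlets from `/`, so it is worth fixing to `>/dev/null` while this section is being touched.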
@@ -318,9 +336,16 @@ done
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %endif
+if [ $1 -eq 0 ] ; then
+ %selinux_modules_uninstall -s targeted openvswitch-custom
+fi
+
+%posttrans
+%selinux_relabel_post -s targeted
+
 %if %{with dpdk}
 %post dpdk
-if fgrep -qw sse4_1 /proc/cpuinfo; then
+if grep -Fqw sse4_1 /proc/cpuinfo; then
 priority=20
 else
 echo "Warning: the CPU doesn't support SSE 4.1, dpdk support is not enabled." >&2
@@ -353,6 +378,7 @@ fi
 %{_bindir}/ovs-test
 %{_bindir}/ovs-vlan-test
 %{_bindir}/ovs-l3ping
+%{_datadir}/openvswitch/scripts/usdt/*
 %{python3_sitelib}/ovstest
 %files testcontroller
@@ -420,13 +446,36 @@ fi
 %doc LICENSE NOTICE README.rst NEWS rhel/README.RHEL.rst
 /var/lib/openvswitch
 /var/log/openvswitch
+%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 %ghost %attr(755,root,root) %verify(not owner group) /run/openvswitch
 %{_sysconfdir}/sysconfig/network-scripts/ifup-ovs
 %{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs
 %changelog
-* Thu Jun 15 2023 wangxiyuan - 2.17.5-4
-- Clean up openvswitch group and user
+* Mon Apr 08 2024 zhangxianting - 3.2.1-4
+- remove rpath
+
+* Fri Mar 29 2024 zhangpan - 3.2.1-3
+- fix openvswitch-ipsec servive failure when selinux is on
+- fix the problem that openvswitch-ipsec.service causes ipsec.service to fail when starting
+
+* Sun Feb 18 2024 zhangpan - 3.2.1-2
+- fix CVE-2023-3966
+
+* Fri Jan 26 2024 zhangpan - 3.2.1-1
+- update to 3.2.1
+
+* Sat Oct 07 2023 zhouwenpei - 2.17.5-7
+- fix CVE-2023-5366
+
+* Tue Aug 29 2023 zhangpan - 2.17.5-6
+- replace fgrep witch grep -F
+
+* Mon Aug 28 2023 zhouwenpei - 2.17.5-5
+- sync pulls/150: clean up openswitch group and user
+
+* Thu Aug 10 2023 zhangpan - 2.17.5-4
+- fix build fail
 * Wed Apr 12 2023 zhangpan - 2.17.5-3
 - fix CVE-2023-1668