Version in base suite: 2.15.0+ds1-2+deb11u4
Base version: openvswitch_2.15.0+ds1-2+deb11u4
Target version: openvswitch_2.15.0+ds1-2+deb11u5
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvswitch/openvswitch_2.15.0+ds1-2+deb11u4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvswitch/openvswitch_2.15.0+ds1-2+deb11u5.dsc
changelog | 24 +
patches/CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch | 153 ++++++
patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch | 198 ++++++++
patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch | 229 ++++++++++
patches/CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch | 26 +
patches/adjust-segment-boundary.patch | 70 +++
patches/fix-testcase-ipv6-ND-dependency.patch | 63 ++
patches/series | 6
rules | 16
9 files changed, 777 insertions(+), 8 deletions(-)
diff -Nru openvswitch-2.15.0+ds1/debian/changelog openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog 2023-04-11 08:08:09.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/changelog 2024-02-25 14:10:01.000000000 +0000
@@ -1,3 +1,27 @@ +openvswitch (2.15.0+ds1-2+deb11u5) bullseye-security; urgency=medium + + * CVE-2023-5366: A flaw was found in Open vSwitch that allows ICMPv6 Neighbor + Advertisement packets between virtual machines to bypass OpenFlow rules. + This issue may allow a local attacker to create specially crafted packets + with a modified or spoofed target IP address field that can redirect ICMPv6 + traffic to arbitrary IP addresses. Added upstream patch: "Fix missing masks + on a final stage with ports trie". + Added additional patches that the LTS team added to fix this: + - Cherry-pick additional patch adjust-segment-boundary.patch + to fix test suite for the patch for this CVE. + - Cherry-pick fix-testcase-ipv6-ND-dependency.patch to fix + new test ipv6-ND-dependency (added by the previous patch) + * CVE-2023-3966: Invalid memory access in Geneve with HW offload. Add + upstream patches (Closes: #1063492): + - Fix the mask for tunnel metadata length + - Check geneve metadata length + * CVE-2024-22563: openvswitch 2.17.8 was discovered to contain a memory leak + via the function xmalloc__ in openvswitch-2.17.8/lib/util.c. Add upstream + patch "Fix memory leak in ovs_pcap_open". + * Blacklist unittest 21 - bpf decay, which isn't deterministic. + + -- Thomas Goirand Sun, 25 Feb 2024 15:10:01 +0100 + openvswitch (2.15.0+ds1-2+deb11u4) bullseye-security; urgency=medium * CVE-2023-1668: Remote traffic denial of service via crafted packets with IP diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch --- openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch 2024-02-25 14:10:01.000000000 +0000 
@@ -0,0 +1,153 @@ +From 7a6c8074c5d2d1f2d9457ef5d8b5c71a3b661732 Mon Sep 17 00:00:00 2001 +From: Ilya Maximets +Date: Sun, 14 Aug 2022 16:45:59 +0200 +Subject: [PATCH] netdev-offload-tc: Fix the mask for tunnel metadata length. + +'wc.masks.tunnel.metadata.present.len' must be a mask for the same +field in the flow key, but in the tc_flower structure it's the real +length of metadata masks. + +That is correctly handled for the individual opt->length, setting all +the masks to 0x1f like it's done in the tun_metadata_to_geneve_mask__(), +but not handled for the main 'len' field. + +Fix that by setting the mask to 0xff like it's done during the flow +translation in xlate_actions() and during the flow dump in the +tun_metadata_from_geneve_nlattr(). + +Also, flower always has an exact match on the present.len field +regardless of its value and regardless of this field being masked +by OVS flow translation layer while installing the flow. Hence, +all tunnel flows dumped from TC should have an exact match on +present.len and also UDPIF flag, because present.len doesn't make +sense without that flag. Without the change, zero-length options +match is incorrectly reported as a wildcard match. The side effect +though is that zero-length match on geneve options is reported even +for other tunnel types, e.g. vxlan. But that should be fairly +harmless. To avoid reporting a match on empty geneve options for +vxlan/etc. tunnels we'll need to check the tunnel port type, there +is no enough information in the TUNNEL attribute itself. + +Extra checks and comments added around the code to better explain +what is going on. 
+ +Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload") +Reviewed-by: Roi Dayan +Signed-off-by: Ilya Maximets +--- + lib/netdev-offload-tc.c | 33 +++++++++++++++++++++++---------- + lib/tc.c | 13 ++++++++++--- + 2 files changed, 33 insertions(+), 13 deletions(-) + +Index: openvswitch/lib/netdev-offload-tc.c +=================================================================== +--- openvswitch.orig/lib/netdev-offload-tc.c ++++ openvswitch/lib/netdev-offload-tc.c +@@ -480,30 +480,42 @@ flower_tun_opt_to_match(struct match *ma + struct geneve_opt *opt, *opt_mask; + int len, cnt = 0; + ++ /* Options are always in UDPIF format in the 'flower'. */ ++ match->flow.tunnel.flags |= FLOW_TNL_F_UDPIF; ++ match->wc.masks.tunnel.flags |= FLOW_TNL_F_UDPIF; ++ ++ match->flow.tunnel.metadata.present.len = ++ flower->key.tunnel.metadata.present.len; ++ /* In the 'flower' mask len is an actual length, not a mask. But in the ++ * 'match' it is an actual mask, so should be an exact match, because TC ++ * will always match on the exact value. */ ++ match->wc.masks.tunnel.metadata.present.len = 0xff; ++ ++ if (!flower->key.tunnel.metadata.present.len) { ++ /* No options present. */ ++ return; ++ } ++ + memcpy(match->flow.tunnel.metadata.opts.gnv, + flower->key.tunnel.metadata.opts.gnv, + flower->key.tunnel.metadata.present.len); +- match->flow.tunnel.metadata.present.len = +- flower->key.tunnel.metadata.present.len; +- match->flow.tunnel.flags |= FLOW_TNL_F_UDPIF; + memcpy(match->wc.masks.tunnel.metadata.opts.gnv, + flower->mask.tunnel.metadata.opts.gnv, + flower->mask.tunnel.metadata.present.len); + ++ /* Fixing up 'length' fields of particular options, since these are ++ * also not masks, but actual lengths in the 'flower' structure. 
*/ + len = flower->key.tunnel.metadata.present.len; + while (len) { + opt = &match->flow.tunnel.metadata.opts.gnv[cnt]; + opt_mask = &match->wc.masks.tunnel.metadata.opts.gnv[cnt]; + ++ /* "Exact" match as set in tun_metadata_to_geneve_mask__(). */ + opt_mask->length = 0x1f; + + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } +- +- match->wc.masks.tunnel.metadata.present.len = +- flower->mask.tunnel.metadata.present.len; +- match->wc.masks.tunnel.flags |= FLOW_TNL_F_UDPIF; + } + + static void +@@ -717,9 +729,8 @@ parse_tc_flower_to_match(struct tc_flowe + if (flower->key.tunnel.tp_dst) { + match_set_tun_tp_dst(match, flower->key.tunnel.tp_dst); + } +- if (flower->key.tunnel.metadata.present.len) { +- flower_tun_opt_to_match(match, flower); +- } ++ ++ flower_tun_opt_to_match(match, flower); + } + + act_off = nl_msg_start_nested(buf, OVS_FLOW_ATTR_ACTIONS); +@@ -1403,6 +1414,8 @@ flower_match_to_tun_opt(struct tc_flower + len -= sizeof(struct geneve_opt) + opt->length * 4; + } + ++ /* Copying from the key and not from the mask, since in the 'flower' ++ * the length for a mask is not a mask, but the actual length. 
*/ + flower->mask.tunnel.metadata.present.len = tnl->metadata.present.len; + } + +Index: openvswitch/lib/tc.c +=================================================================== +--- openvswitch.orig/lib/tc.c ++++ openvswitch/lib/tc.c +@@ -681,15 +681,17 @@ flower_tun_geneve_opt_check_len(struct t + const struct geneve_opt *opt, *opt_mask; + int len, cnt = 0; + ++ if (key->present.len != mask->present.len) { ++ goto bad_length; ++ } ++ + len = key->present.len; + while (len) { + opt = &key->opts.gnv[cnt]; + opt_mask = &mask->opts.gnv[cnt]; + + if (opt->length != opt_mask->length) { +- VLOG_ERR_RL(&error_rl, +- "failed to parse tun options; key/mask length differ"); +- return EINVAL; ++ goto bad_length; + } + + cnt += sizeof(struct geneve_opt) / 4 + opt->length; +@@ -697,6 +699,11 @@ flower_tun_geneve_opt_check_len(struct t + } + + return 0; ++ ++bad_length: ++ VLOG_ERR_RL(&error_rl, ++ "failed to parse tun options; key/mask length differ"); ++ return EINVAL; + } + + static int diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch --- openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvswitch-2.15.0+ds1/debian/patches/CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch 2024-02-25 14:10:01.000000000 +0000 
@@ -0,0 +1,198 @@ +Author: Timothy Redaelli +Date: Thu, 23 Nov 2023 19:47:54 +0100 +Description: CVE-2023-3966 netdev-offload-tc: Check geneve metadata length. + Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve + packet with corrupted metadata is received, because the metadata header + is not verified correctly. + . + This commit adds a check for geneve metadata length and, if the header + is wrong, the packet is not sent to flower. + . + It also includes a system-traffic test for geneve packets with corrupted + metadata. + . +Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload") +Reported-by: Haresh Khandelwal +Signed-off-by: Timothy Redaelli +Signed-off-by: Ilya Maximets +Bug-Debian: https://bugs.debian.org/1063492 +Origin: upstream, https://github.com/openvswitch/ovs/commit/91e621bd5abab19954bec09c7d27c59acdf607b1.patch +Last-Update: 2024-02-18 + +Index: openvswitch/lib/netdev-offload-tc.c +=================================================================== +--- openvswitch.orig/lib/netdev-offload-tc.c ++++ openvswitch/lib/netdev-offload-tc.c +@@ -43,6 +43,7 @@ + VLOG_DEFINE_THIS_MODULE(netdev_offload_tc); + + static struct vlog_rate_limit error_rl = VLOG_RATE_LIMIT_INIT(60, 5); ++static struct vlog_rate_limit warn_rl = VLOG_RATE_LIMIT_INIT(10, 2); + + static struct hmap ufid_to_tc = HMAP_INITIALIZER(&ufid_to_tc); + static struct hmap tc_to_ufid = HMAP_INITIALIZER(&tc_to_ufid); +@@ -1389,23 +1390,63 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, +- const struct flow_tnl *tnl_mask) ++ struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; ++ ++ /* 'flower' always has an exact match on tunnel metadata length, so having ++ * it in a wrong format is not acceptable unless it is empty. 
*/ ++ if (!(tnl->flags & FLOW_TNL_F_UDPIF)) { ++ if (tnl->metadata.present.map) { ++ /* XXX: Add non-UDPIF format parsing here? */ ++ VLOG_WARN_RL(&warn_rl, "Tunnel options are in the wrong format."); ++ } else { ++ /* There are no options, that equals for them to be in UDPIF format ++ * with a zero 'len'. Clearing the 'map' mask as consumed. ++ * No need to explicitly set 'len' to zero in the 'flower'. */ ++ tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; ++ memset(&tnl_mask->metadata.present.map, 0, ++ sizeof tnl_mask->metadata.present.map); ++ } ++ return 0; ++ } ++ ++ tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; + +- memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +- tnl->metadata.present.len); + flower->key.tunnel.metadata.present.len = tnl->metadata.present.len; ++ /* Copying from the key and not from the mask, since in the 'flower' ++ * the length for a mask is not a mask, but the actual length. TC ++ * will use an exact match for the length. */ ++ flower->mask.tunnel.metadata.present.len = tnl->metadata.present.len; ++ memset(&tnl_mask->metadata.present.len, 0, ++ sizeof tnl_mask->metadata.present.len); + ++ if (!tnl->metadata.present.len) { ++ return 0; ++ } ++ ++ memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, ++ tnl->metadata.present.len); + memcpy(flower->mask.tunnel.metadata.opts.gnv, tnl_mask->metadata.opts.gnv, + tnl->metadata.present.len); +- ++ memset(tnl_mask->metadata.opts.gnv, 0, tnl->metadata.present.len); ++ /* Fixing up 'length' fields of particular options, since these are ++ * also not masks, but actual lengths in the 'flower' structure. 
*/ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if (len < sizeof *opt) { ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } ++ + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1414,9 +1455,7 @@ flower_match_to_tun_opt(struct tc_flower + len -= sizeof(struct geneve_opt) + opt->length * 4; + } + +- /* Copying from the key and not from the mask, since in the 'flower' +- * the length for a mask is not a mask, but the actual length. */ +- flower->mask.tunnel.metadata.present.len = tnl->metadata.present.len; ++ return 0; + } + + static int +@@ -1431,7 +1470,7 @@ netdev_tc_flow_put(struct netdev *netdev + const struct flow *key = &match->flow; + struct flow *mask = &match->wc.masks; + const struct flow_tnl *tnl = &match->flow.tunnel; +- const struct flow_tnl *tnl_mask = &mask->tunnel; ++ struct flow_tnl *tnl_mask = &mask->tunnel; + struct tc_action *action; + bool recirc_act = false; + uint32_t block_id = 0; +@@ -1479,7 +1518,32 @@ netdev_tc_flow_put(struct netdev *netdev + flower.mask.tunnel.tos = tnl_mask->ip_tos; + flower.mask.tunnel.ttl = tnl_mask->ip_ttl; + flower.mask.tunnel.id = (tnl->flags & FLOW_TNL_F_KEY) ? 
tnl_mask->tun_id : 0; +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ ++ memset(&tnl_mask->ip_src, 0, sizeof tnl_mask->ip_src); ++ memset(&tnl_mask->ip_dst, 0, sizeof tnl_mask->ip_dst); ++ memset(&tnl_mask->ipv6_src, 0, sizeof tnl_mask->ipv6_src); ++ memset(&tnl_mask->ipv6_dst, 0, sizeof tnl_mask->ipv6_dst); ++ memset(&tnl_mask->ip_tos, 0, sizeof tnl_mask->ip_tos); ++ memset(&tnl_mask->ip_ttl, 0, sizeof tnl_mask->ip_ttl); ++ memset(&tnl_mask->tp_src, 0, sizeof tnl_mask->tp_src); ++ memset(&tnl_mask->tp_dst, 0, sizeof tnl_mask->tp_dst); ++ memset(&tnl_mask->tun_id, 0, sizeof tnl_mask->tun_id); ++ tnl_mask->flags &= ~FLOW_TNL_F_KEY; ++ /* XXX: This is wrong! We're ignoring DF and CSUM flags configuration ++ * requested by the user. However, TC for now has no way to pass ++ * these flags in a flower key and their masks are set by default, ++ * meaning tunnel offloading will not work at all if not cleared. ++ * Keeping incorrect behavior for now. */ ++ tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); ++ ++ if (!strcmp(netdev_get_type(netdev), "geneve")) { ++ flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } ++ } + flower.tunnel = true; + } + memset(&mask->tunnel, 0, sizeof mask->tunnel); +Index: openvswitch/tests/system-offloads-traffic.at +=================================================================== +--- openvswitch.orig/tests/system-offloads-traffic.at ++++ openvswitch/tests/system-offloads-traffic.at +@@ -70,3 +70,36 @@ AT_CHECK([ovs-appctl upcall/show | grep + + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP ++ ++AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled]) ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay 
other-config:hwaddr=f2:ff:00:00:00:02], ++ [], [-- set Open_vSwitch . other_config:hw-offload=true]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. ++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch --- openvswitch-2.15.0+ds1/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
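Review bot: In the netdev_tc_flow_put hunk the new geneve branch calls `flower_match_to_tun_opt(&flower, tnl, tnl_mask);` and then immediately `err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);`, so the function runs twice and the first result is discarded. The first call consumes the option masks — it copies `tnl_mask->metadata.opts.gnv` into `flower.mask` and then zeroes it with memset — so on the second call the memcpy into `flower.mask.tunnel.metadata.opts.gnv` reads an all-zero mask, and the loop afterwards only restores the per-option `length` fields; the flower would then be installed with the geneve option payload wildcarded rather than matched, which defeats the option match the offload is supposed to enforce. The Origin commit referenced in the patch header most likely has a single call, so this reads as a backport slip: delete the first line and keep only the `err = ...` call followed by the existing `if (err)` handling. netdev_tc_flow_put begins before the hunk.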
openvswitch-2.15.0+ds1/debian/patches/CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch 2024-02-25 14:10:01.000000000 +0000 
@@ -0,0 +1,229 @@ +Description: CVE-2023-5366 classifier: Fix missing masks on a final stage with ports trie. + Flow lookup doesn't include masks of the final stage in a resulting + flow wildcards in case that stage had L4 ports match. Only the result + of ports trie lookup is added to the mask. It might be sufficient in + many cases, but it's not correct, because ports trie is not how we + decided that the packet didn't match in this subtable. In fact, we + used a full subtable mask in order to determine that, so all the + subtable mask bits has to be added. + . + Ports trie can still be used to adjust ports' mask, but it is not + sufficient to determine that the packet didn't match. + . + Assuming we have following 2 OpenFlow rules on the bridge: + . + table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop + table=0, priority=0 actions=output(1) + . + The first high priority rule supposed to drop all the TCP data traffic + sent on port 80. The handshake, however, is allowed for forwarding. + . + Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow. + Since the stage mask from that stage is not incorporated into the flow + wildcards and only ports mask is getting updated, we have the following + megaflow for the SYN packet that has no match on 'tcp_flags': + . + $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn" + . + Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80 + Datapath actions: 1 + . + If this flow is getting installed into datapath flow table, all the + packets for port 80, regardless of TCP flags, will be forwarded. + . + Incorporating all the looked at bits from the final stage into the + stages map in order to get all the necessary wildcards. Ports mask + has to be updated as a last step, because it doesn't cover the full + 64-bit slot in the flowmap. + . + With this change, in the example above, OVS is producing correct + flow wildcards including match on TCP flags: + . 
+ Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh + Datapath actions: 1 + . + This way only -psh packets will be forwarded, as expected. + . + This issue affects all other fields on stage 4, not only TCP flags. + Tests included to cover tcp_flags, nd_target and ct_tp_src/dst. + First two are frequently used, ct ones are sharing the same flowmap + slot with L4 ports, so important to test. + . + Before the pre-computation of stage masks, flow wildcards were updated + during lookup, so there was no issue. The bits of the final stage was + lost with introduction of 'stages_map'. + . + Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue. + . +From a7c572e9a1cda2851b50a744f4e84087ed7bdda3 Mon Sep 17 00:00:00 2001 +Author: Ilya Maximets +Date: Fri, 17 Feb 2023 21:09:59 +0100 +Reported-at: https://github.com/openvswitch/ovs-issues/issues/272 +Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.") +Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.") +Acked-by: Aaron Conole +Signed-off-by: Ilya Maximets +Last-Update: 2024-02-25 + +diff --git a/lib/classifier.c b/lib/classifier.c +index c4790ee6b..f6a86b662 100644 +--- a/lib/classifier.c ++++ b/lib/classifier.c +@@ -1695,6 +1695,8 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + const struct cls_match *rule = NULL; + struct flowmap stages_map = FLOWMAP_EMPTY_INITIALIZER; + unsigned int mask_offset = 0; ++ bool adjust_ports_mask = false; ++ ovs_be32 ports_mask; + int i; + + /* Try to finish early by checking fields in segments. */ +@@ -1722,6 +1724,9 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + subtable->index_maps[i], flow, wc)) { + goto no_match; + } ++ /* Accumulate the map used so far. 
*/ ++ stages_map = flowmap_or(stages_map, subtable->index_maps[i]); ++ + hash = flow_hash_in_minimask_range(flow, &subtable->mask, + subtable->index_maps[i], + &mask_offset, &basis); +@@ -1731,14 +1736,16 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version, + * unwildcarding all the ports bits, use the ports trie to figure out a + * smaller set of bits to unwildcard. */ + unsigned int mbits; +- ovs_be32 value, plens, mask; ++ ovs_be32 value, plens; + +- mask = miniflow_get_ports(&subtable->mask.masks); +- value = ((OVS_FORCE ovs_be32 *)flow)[TP_PORTS_OFS32] & mask; ++ ports_mask = miniflow_get_ports(&subtable->mask.masks); ++ value = ((OVS_FORCE ovs_be32 *) flow)[TP_PORTS_OFS32] & ports_mask; + mbits = trie_lookup_value(&subtable->ports_trie, &value, &plens, 32); + +- ((OVS_FORCE ovs_be32 *)&wc->masks)[TP_PORTS_OFS32] |= +- mask & be32_prefix_mask(mbits); ++ ports_mask &= be32_prefix_mask(mbits); ++ ports_mask |= ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32]; ++ ++ adjust_ports_mask = true; + + goto no_match; + } +@@ -1751,6 +1758,14 @@ no_match: + /* Unwildcard the bits in stages so far, as they were used in determining + * there is no match. */ + flow_wildcards_fold_minimask_in_map(wc, &subtable->mask, stages_map); ++ if (adjust_ports_mask) { ++ /* This has to be done after updating flow wildcards to overwrite ++ * the ports mask back. We can't simply disable the corresponding bit ++ * in the stages map, because it has 64-bit resolution, i.e. one ++ * bit covers not only tp_src/dst, but also ct_tp_src/dst, which are ++ * not covered by the trie. 
*/ ++ ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32] = ports_mask; ++ } + return NULL; + } + +diff --git a/tests/classifier.at b/tests/classifier.at +index f652b5983..de2705653 100644 +--- a/tests/classifier.at ++++ b/tests/classifier.at +@@ -65,6 +65,94 @@ Datapath actions: 2 + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([flow classifier - lookup segmentation - final stage]) ++OVS_VSWITCHD_START ++add_of_ports br0 1 2 3 ++AT_DATA([flows.txt], [dnl ++table=0 in_port=1 priority=33,tcp,tp_dst=80,tcp_flags=+psh,action=output(2) ++table=0 in_port=1 priority=0,ip,action=drop ++table=0 in_port=2 priority=16,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 ,action=output(1) ++table=0 in_port=2 priority=0,ip,action=drop ++table=0 in_port=3 action=resubmit(,1) ++table=1 in_port=3 priority=45,ct_state=+trk+rpl,ct_nw_proto=6,ct_tp_src=3/0x1,tcp,tp_dst=80,tcp_flags=+psh,action=output(2) ++table=1 in_port=3 priority=10,ip,action=drop ++]) ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn|ack'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=ack|psh'], 
[0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=+psh ++Datapath actions: 2 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=-psh ++Datapath actions: drop ++]) ++ ++dnl Having both the port and the tcp flags in the resulting megaflow below ++dnl is redundant, but that is how ports trie logic is implemented. ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=81'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=81,tcp_flags=-psh ++Datapath actions: drop ++]) ++ ++dnl nd_target is redundant in the megaflow below and it is also not relevant ++dnl for an icmp reply. Datapath may discard that match, but it is OK as long ++dnl as we have prerequisites (icmp_type) in the match as well. 
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=128,icmpv6_code=0"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x80/0xfc,nd_target=:: ++Datapath actions: drop ++]) ++ ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=:: ++Datapath actions: drop ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::1"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::1 ++Datapath actions: 1 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::2"], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::2 ++Datapath actions: drop ++]) ++ ++dnl Check that ports' mask doesn't affect ct ports. 
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=psh'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=80,tcp_flags=+psh ++Datapath actions: 2 ++]) ++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79,tcp_flags=psh'], [0], [stdout]) ++AT_CHECK([tail -2 stdout], [0], ++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=+psh ++Datapath actions: drop ++]) ++ ++OVS_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_BANNER([flow classifier prefix lookup]) + AT_SETUP([flow classifier - prefix lookup]) + OVS_VSWITCHD_START +-- +2.39.2 + diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch --- openvswitch-2.15.0+ds1/debian/patches/CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvswitch-2.15.0+ds1/debian/patches/CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch 2024-02-25 14:10:01.000000000 +0000 
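Review bot: In the find_match_wc hunk `ovs_be32 ports_mask;` is declared without an initializer and is only assigned inside the ports-trie branch, while the read at the `no_match` label is guarded by the separate `adjust_ports_mask` flag; the two are kept in sync by hand, and compilers that cannot prove the pairing will emit a maybe-uninitialized warning, which matters for builds that treat warnings as errors. Initializing it at the declaration, `ovs_be32 ports_mask = 0;`, removes the warning without changing behaviour, since the value is only ever read after the branch that assigns it. find_match_wc begins before the hunk.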
@@ -0,0 +1,26 @@
+Description: CVE-2024-22563: pcap-file: Fix memory leak in ovs_pcap_open().
+ In ovs_pcap_open(), we allocate memory for the 'p_file'
+ structure but not released when fopen fails.
+ .
+ Addresses-Coverity: ("Resource leak")
+From 3168f328c78cf6e4b3022940452673b0e49f7620 Mon Sep 17 00:00:00 2001
+Author: Yunjian Wang
+Date: Wed, 1 Sep 2021 20:19:15 +0800
+Fixes: b6e840aed03e ("pcap-file: Add nanosecond resolution pcap support.")
+Signed-off-by: Yunjian Wang
+Acked-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+Last-Update: 2024-02-25
+
+diff --git a/lib/pcap-file.c b/lib/pcap-file.c
+index b30a11c24b8..41835f6f4dd 100644
+--- a/lib/pcap-file.c
++++ b/lib/pcap-file.c
+@@ -89,6 +89,7 @@ ovs_pcap_open(const char *file_name, const char *mode)
+ : mode[0] == 'w' ? "writing"
+ : "appending"),
+ ovs_strerror(errno));
++ free(p_file);
+ return NULL;
+ }
+ 
diff -Nru openvswitch-2.15.0+ds1/debian/patches/adjust-segment-boundary.patch openvswitch-2.15.0+ds1/debian/patches/adjust-segment-boundary.patch
--- openvswitch-2.15.0+ds1/debian/patches/adjust-segment-boundary.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/adjust-segment-boundary.patch 2024-02-25 14:10:01.000000000 +0000
@@ -0,0 +1,70 @@
+Description: Adjust segment boundary to execute prerequisite processing.
+ The fix for the CVE-2023-5666 depends on the changeset in this patch, otherwise the
+ information tp_dst will not be exposed in the trace, failing the testsuite introduced
+ with CVE-2023-5366.patch. (The patch has been determinded using git bisect)
+Origin: https://github.com/openvswitch/ovs/commit/ca44218515f02d7421e4b228e0a3b6ee2cefffcf
+Index: openvswitch/include/openvswitch/flow.h
+===================================================================
+--- openvswitch.orig/include/openvswitch/flow.h
++++ openvswitch/include/openvswitch/flow.h
+@@ -141,6 +141,7 @@ struct flow {
+ uint8_t nw_tos; /* IP ToS (including DSCP and ECN). */
+ uint8_t nw_ttl; /* IP TTL/Hop Limit. */
+ uint8_t nw_proto; /* IP protocol or low 8 bits of ARP opcode. */
++ /* L4 (64-bit aligned) */
+ struct in6_addr nd_target; /* IPv6 neighbor discovery (ND) target. */
+ struct eth_addr arp_sha; /* ARP/ND source hardware address. */
+ struct eth_addr arp_tha; /* ARP/ND target hardware address. */
+@@ -149,7 +150,6 @@ struct flow {
+ ovs_be16 pad2; /* Pad to 64 bits. */
+ struct ovs_key_nsh nsh; /* Network Service Header keys */
+ 
+- /* L4 (64-bit aligned) */
+ ovs_be16 tp_src; /* TCP/UDP/SCTP source port/ICMP type. */
+ ovs_be16 tp_dst; /* TCP/UDP/SCTP destination port/ICMP code. */
+ ovs_be16 ct_tp_src; /* CT original tuple source port/ICMP type. */
+@@ -179,7 +179,7 @@ BUILD_ASSERT_DECL(offsetof(struct flow,
+ enum {
+ FLOW_SEGMENT_1_ENDS_AT = offsetof(struct flow, dl_dst),
+ FLOW_SEGMENT_2_ENDS_AT = offsetof(struct flow, nw_src),
+- FLOW_SEGMENT_3_ENDS_AT = offsetof(struct flow, tp_src),
++ FLOW_SEGMENT_3_ENDS_AT = offsetof(struct flow, nd_target),
+ };
+ BUILD_ASSERT_DECL(FLOW_SEGMENT_1_ENDS_AT % sizeof(uint64_t) == 0);
+ BUILD_ASSERT_DECL(FLOW_SEGMENT_2_ENDS_AT % sizeof(uint64_t) == 0);
+Index: openvswitch/tests/classifier.at
+===================================================================
+--- openvswitch.orig/tests/classifier.at
++++ openvswitch/tests/classifier.at
+@@ -217,6 +217,31 @@ Datapath actions: 3
+ OVS_VSWITCHD_STOP(["/'prefixes' with incompatible field: ipv6_label/d"])
+ AT_CLEANUP
+ 
++AT_SETUP([flow classifier - ipv6 ND dependency])
++OVS_VSWITCHD_START
++add_of_ports br0 1 2
++AT_DATA([flows.txt], [dnl
++ table=0,priority=100,ipv6,ipv6_src=1000::/10 actions=resubmit(,1)
++ table=0,priority=0 actions=NORMAL
++ table=1,priority=110,ipv6,ipv6_dst=1000::3 actions=resubmit(,2)
++ table=1,priority=100,ipv6,ipv6_dst=1000::4 actions=resubmit(,2)
++ table=1,priority=0 actions=NORMAL
++ table=2,priority=120,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 actions=NORMAL
++ table=2,priority=100,tcp actions=NORMAL
++ table=2,priority=100,icmp6 actions=NORMAL
++ table=2,priority=0 actions=NORMAL
++])
++AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
++
++# test ICMPv6 echo request (which should have no nd_target field)
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,icmpv6_type=128,icmpv6_code=0"], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,icmp6,in_port=1,dl_src=f6:d2:b0:19:5e:7b,dl_dst=d2:49:19:91:78:fe,ipv6_src=1000::/10,ipv6_dst=1000::4,nw_ttl=0,nw_frag=no
++Datapath actions: 100,2
++])
++OVS_VSWITCHD_STOP
++AT_CLEANUP
++
+ AT_BANNER([conjunctive match])
+ 
+ AT_SETUP([single conjunctive match])
diff -Nru openvswitch-2.15.0+ds1/debian/patches/fix-testcase-ipv6-ND-dependency.patch openvswitch-2.15.0+ds1/debian/patches/fix-testcase-ipv6-ND-dependency.patch
--- openvswitch-2.15.0+ds1/debian/patches/fix-testcase-ipv6-ND-dependency.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/fix-testcase-ipv6-ND-dependency.patch 2024-02-25 14:10:01.000000000 +0000
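Review bot: The DEP-3 Description names `CVE-2023-5666` on its second line while the fourth line and the patch this one supports refer to CVE-2023-5366; it should read `The fix for CVE-2023-5366 depends on the changeset in this patch, otherwise the` (and `determinded` should be `determined`), otherwise anyone grepping the package for the CVE id will miss this dependency. Moving `FLOW_SEGMENT_3_ENDS_AT` from `tp_src` to `nd_target` puts the ND/ARP fields and `nsh` into the final classifier stage; the visible context shows the alignment `BUILD_ASSERT_DECL`s only for segments 1 and 2, so if the corresponding assertion for segment 3 sits past the hunk it now checks `nd_target`, which is exactly what the relocated `/* L4 (64-bit aligned) */` comment claims and is worth confirming once on the patched tree. The new classifier.at test pins `Datapath actions: 100,2` and depends on the segment change to expose the ND fields in the trace; a one-line comment above `AT_SETUP([flow classifier - ipv6 ND dependency])` saying that the test guards the staged-lookup prerequisite needed by the CVE-2023-5366 test would tie the two patches together for the next backporter.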
@@ -0,0 +1,63 @@
+Description: Fix "testcase ipv6 ND dependency"
+ ofproto: Fix for frequent invalidation of mega flows for push actions
+ .
+ When a packet is processed by the slow path and the matching OpenFlow
+ rule has actions like push_mpls/set_field and push_vlan/set_field, the
+ ofproto layer un-wildcards the MPLS and VLAN match fields in the megaflow
+ entry that it plans to install. However, when the megaflow entry is
+ actually installed, all protocol match fields that are not present in the
+ packet are wildcarded. Thus, the wildcard bits in the installed megaflow
+ entry could be different from the bits originally generated by the ofproto
+ layer.
+ .
+ When the revalidator thread validates a megaflow, it will first query the
+ ofproto layer to get the wildcard bits and then compare it against the
+ wildcard bits in the megaflow. If the bits are different the entry will be
+ removed. A subsequent packet will again result in the same megaflow entry
+ being installed only for it to be removed by the revalidator thread. This
+ cycle will continue and will significantly degrade performance.
+ .
+ This patch fixes the issue by wildcarding flow fields which are not present
+ in the incoming packet.
+ .
+ (This failed the testcase introduced with Adjust-segment-boundary.patch with
+ the name ipv6 ND dependency. The patch has been found using git bisect.)
+Index: openvswitch/ofproto/ofproto-dpif-xlate.c
+===================================================================
+--- openvswitch.orig/ofproto/ofproto-dpif-xlate.c
++++ openvswitch/ofproto/ofproto-dpif-xlate.c
+@@ -6729,6 +6729,7 @@ do_xlate_actions(const struct ofpact *of
+ struct flow_wildcards *wc = ctx->wc;
+ struct flow *flow = &ctx->xin->flow;
+ const struct ofpact *a;
++ unsigned long i;
+ 
+ /* dl_type already in the mask, not set below. */
+ 
+@@ -7175,6 +7176,26 @@ do_xlate_actions(const struct ofpact *of
+ break;
+ }
+ }
++
++ /* Clear flow wildcard bits for fields which are not present
++ * in the original packet header. These wildcards may get set
++ * due to push/set_field actions. This results into frequent
++ * invalidation of datapath flows by revalidator thread. */
++
++ /* Clear mpls label wc bits if original packet is non-mpls. */
++ if (!eth_type_mpls(ctx->xin->upcall_flow->dl_type)) {
++ for (i = 0; i < FLOW_MAX_MPLS_LABELS; i++) {
++ ctx->wc->masks.mpls_lse[i] = 0;
++ }
++ }
++ /* Clear vlan header wc bits if original packet does not have
++ * vlan header. */
++ for (i = 0; i < FLOW_MAX_VLAN_HEADERS; i++) {
++ if (!eth_type_vlan(ctx->xin->upcall_flow->vlans[i].tpid)) {
++ ctx->wc->masks.vlans[i].tpid = 0;
++ ctx->wc->masks.vlans[i].tci = 0;
++ }
++ }
+ }
+ 
+ void
diff -Nru openvswitch-2.15.0+ds1/debian/patches/series openvswitch-2.15.0+ds1/debian/patches/series
--- openvswitch-2.15.0+ds1/debian/patches/series 2023-04-11 08:08:09.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/series 2024-02-25 14:10:01.000000000 +0000
@@ -5,3 +5,9 @@
 CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch
 fix_ovsdb-idl_fix-the-database-update-signaling-if-it-has-never-been-connected.patch
 CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
+CVE-2023-5366-Fix-missing-masks-on-a-final-stage-with-ports-trie.patch
+CVE-2023-3966-netdev-offload-tc-Fix-the-mask-for-tunnel-metadata-l.patch
+CVE-2023-3966-netdev-offload-tc_Check_geneve_metadata_length.patch
+CVE-2024-22563_Fix-memory-leak-in-ovs_pcap_open.patch
+adjust-segment-boundary.patch
+fix-testcase-ipv6-ND-dependency.patch
diff -Nru openvswitch-2.15.0+ds1/debian/rules openvswitch-2.15.0+ds1/debian/rules
--- openvswitch-2.15.0+ds1/debian/rules 2023-04-11 08:08:09.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/rules 2024-02-25 14:10:01.000000000 +0000
@@ -42,7 +42,7 @@ # that one doesn't feel like deterministic. # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) -TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 22-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) # armhf: @@ -53,7 +53,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter armhf, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-23 28-525 527-531 533-917 919-1020 1022-1056 1058- +TEST_LIST = 1-19 22-23 28-525 527-531 533-917 919-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif # armhf @@ -90,7 +90,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1123: ofproto-dpif - sFlow packet sampling - LACP structures FAILED (ofproto-dpif.at:6643) ifneq (,$(filter armel, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058-1122 1124- +TEST_LIST = 1-19 22-525 527-531 533-1020 1022-1056 1058-1122 1124- TEST_LIST_DPDK = $(TEST_LIST) endif #armel @@ -99,7 +99,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter arm64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-158 160-525 527-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 22-158 160-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif #arm64 
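Review bot: Dropping test 21 from TEST_LIST is not reflected in the comment block above it, which, as the visible context shows, records each excluded test by number and failure reason; add an entry such as `# 21: <test name> - not deterministic` beside the existing 1021/1057 lines, and likewise in the per-architecture blocks at @@ -53, @@ -90, @@ -99 and the hunks on the following line, so the reason survives the next retuning of the list. The ranges in TEST_LIST are positional autotest numbers, and this same upload adds new AT_SETUP cases to tests/classifier.at (in the CVE-2023-5366 and adjust-segment-boundary patches); if those cases sort before the excluded numbers, every exclusion after them now points at a different test than the one the comments describe, so the list should be re-derived from a fresh testsuite run rather than edited in place.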
@@ -108,7 +108,7 @@ # 2728: ovn -- vlan traffic for external network with distributed router gateway port FAILED (ovn.at:8563) # 2737: ovn -- IPv6 periodic RA FAILED (ovn.at:9916) ifneq (,$(filter alpha, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-525 527-531 533-2723 2725-2727 2729-2736 2738- +TEST_LIST = 1-19 22-525 527-531 533-2723 2725-2727 2729-2736 2738- TEST_LIST_DPDK = $(TEST_LIST) endif #alpha @@ -132,7 +132,7 @@ # 1735: ovsdb-server combines updates on backlogged connections FAILED (ovsdb-server.at:1205) # 2193: RSTP - dummy interface FAILED (rstp.at:210) ifneq (,$(filter hppa, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-525 527-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194- +TEST_LIST = 1-19 22-525 527-531 533-846 848-849 851-915 920-941 943-1020 1022-1056 1058-1101 1103-1104 1106-1122 1124-1180 1182-1208 1210-1734 1736-2192 2194- TEST_LIST_DPDK = $(TEST_LIST) endif #hppa @@ -149,7 +149,7 @@ # 2185: STP - flush the fdb and mdb when topology changed FAILED (stp.at:529) # 2249: auto-attach - packets FAILED (auto-attach.at:5) ifneq (,$(filter sparc64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-25 27-465 467-525 527-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250- +TEST_LIST = 1-19 22-25 27-465 467-525 527-531 533-899 901-917 919-941 943-997 999-1056 1058-2183 2186-2248 2250- TEST_LIST_DPDK = $(TEST_LIST) endif #sparc64 @@ -158,7 +158,7 @@ # 1021: ofproto-dpif - select group with weights FAILED (ofproto-dpif.at:535) # 1057: ofproto-dpif - controller action without megaflows FAILED (ofproto-dpif.at:1893) ifneq (,$(filter ia64, $(DEB_HOST_ARCH))) -TEST_LIST = 1-19 21-525 527-531 533-1020 1022-1056 1058- +TEST_LIST = 1-19 22-525 527-531 533-1020 1022-1056 1058- TEST_LIST_DPDK = $(TEST_LIST) endif #ia64