merged to kirkstone.

Other OVS changes are staged on master-next.

Bruce

On Mon, Apr 17, 2023 at 12:36 AM Xiangyu Chen
<xiangyu.c...@eng.windriver.com> wrote:
>
> From: Xiangyu Chen <xiangyu.c...@windriver.com>
>
> Updating openvswitch from 2.17.1 to 2.17.6, pick up the latest security and
> bug fixes.
>
> Changes:
> 1. Removed the patch 
> 0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch.
> 2. Update SRCREV PV-version and CVE_VERSION
>
> Commit short log:
> a08bb41e3 Set release date for 2.17.6.
> 27fb5db7f ofproto-dpif-xlate: Always mask ip proto field.
> c3684a060 conntrack-tp: Fix clang warning.
> be19308aa netdev-offload-tc: Del ufid mapping if device not exist.
> 4f41e58bc netdev-tc-offloads: Fix misaligned 8 byte read.
> d6d1cad6a dpif-netlink: Always create at least 1 handler.
> 09e6e1de7 ofproto-dpif-upcall: Wait for valid hw flow stats before applying 
> min-revalidate-pps.
> 691b9e514 system-traffic: Fix conntrack test cases which are failing with 
> af_xdp.
> 7aa314c9c netdev-windows: Add checking when creating netdev with system type 
> on Windows
> 215278bde ofproto-dpif-upcall: Include hardware offloaded flows in total 
> flows.
> 4a3f8845e ofproto-dpif-upcall: Reset ukey's last stats value if the datapath 
> changed.
> 132fa24b6 classifier: Fix missing masks on a final stage with ports trie.
> 8661abd4c ofproto: Fix re-creation of tunnel backing interfaces on restart.
> 638441e98 ovs-actions: Correct typo in ovs-actions man page.
> 3c4bd63bc ofproto-ipfix: Use per-domain template timeouts.
> d2583ccb7 ofproto-dpif-upcall: Use last known stats ukey stats on revalidate 
> missed dp flows.
> 705190d88 conntrack: Properly unNAT inner header of related traffic.
> d87b6180e dpctl: Fix memory leak in flush conntrack.
> 6626562c5 sparse: Fix build with DPDK and GCC 12.
> 82dc71f80 ovsdb-server: Fix handling of DNS name for listener configuration.
> 9b341844e netdev-offload-tc: If the flow has not been used, report it as such.
> adac28dcd netdev-offload-tc: Conntrack ALGs are not supported with tc.
> a1c2abba7 netdev-offload-tc: Fix tc conntrack force commit support.
> 68a2818b0 ofproto-dpif-upcall: New ukey needs to take the old ukey's dump seq.
> 2eb7a6066 netdev-offload-tc: Preserve tc statistics when flow gets modified.
> 4f5140769 sparse: Fix numa.h for libnuma >= 2.0.13.
> 32853c084 tc: Add TCA_KIND flower to delete and get operation to avoid 
> rtnl_lock().
> 037131229 netdev-offload-tc: Fix misaligned access to ct label.
> 206409bb7 ovsdb: Fix database statistics during the database replacement.
> 0f55eced1 cirrus: Update to use FreeBSD 12.4.
> e9336a91f tc: Add support for TCA_STATS_PKT64.
> ba62a1eae Documentation: Fix links in maintainers.rst.
> 1b76faf8d Documentation: Fix links in the DPDK guide on physical ports.
> e1ee9c32a treewide: Don't use non-portable '==' with test command.
> a7d7c30c4 dpif: Fix tunnel key set for IPv6 tunnels with SLOW_ACTION.
> 8d055809b ci: Fix overriding OPTS provided from the yml.
> 0eb2aa46b Prepare for 2.17.6.
> 08971e4b9 Set release date for 2.17.5.
> ecaacb01a lldp: Fix bugs when parsing malformed AutoAttach.
> ee002b351 dpif-netdev: Use unmasked key when adding datapath flows.
> 18dcfda67 ovsdb-cs: Consider default conditions implicitly acked.
> 793709a85 rculist: Use rculist_back_protected to access prev.
> abb9d3482 Prepare for 2.17.5.
> b6c3788fe Set release date for 2.17.4.
> b50f4e3d2 odp-util: Fix reporting unknown keys as keys with bad length.
> 44012fccd ovs-dpctl-top: Fix ovs-dpctl-top via pipe.
> 118e4349d rculist: Fix iteration macros.
> c9f10ae33 vswitchd: Publish per iface received multicast packets.
> 4e3f9951f learn: Fix parsing immediate value for a field match.
> 282ba24d9 datapath-windows: Check the condition to reset pseudo header 
> checksum on Rx side
> ee0e1d0a5 netdev-offload-dpdk: Enhance the support of tunnel pop action
> 4e3d762f0 ci: Update meson requirement for DPDK.
> 0d1e425c7 ovsdb: transaction: Fix weak reference leak.
> ceab1ca1e ovsdb: transaction: Refactor assess_weak_refs.
> fa95bf962 ovs-tcpdump: Cleanup mirror port on SIGHUP/SIGTERM.
> 7ebef81f9 netdev-linux: Fix inability to apply QoS on ports with custom 
> qdiscs.
> 037ef6301 tc: Fix misaligned writes while parsing pedit.
> 869e2e1ba odp-util: Add missing separator in format_odp_conntrack_action().
> 0aa55709f vswitch.xml: Fix the name of rstp-path-cost option.
> af459fa37 mac-learning: Fix learned fdb entries not age out issue.
> c4336a1f1 ofproto-dpif-xlate: Update tunnel neighbor when receive gratuitous 
> ARP.
> 683508cd4 bond: Fix crash while logging not yet enabled member.
> 41b178d52 netdev-dpdk: Fix tx_dropped counters value.
> d0276481a unaligned: Correct the stats of packet_count and byte_count on 
> Windows.
> 71401199f tests: Fix filtering of whole-second durations.
> 3c1c034e5 netdev-offload: Set 'miss_api_supported' to be under netdev.
> 35615cd37 cmap: Add thread fence for slot update.
> 5f8ba216a ofproto-dpif-xlate: Do not use zero-weight buckets in select groups.
> 5e26f88b4 github: Update versions of action dependencies.
> afce3662f ovs-tcpdump: Fix bond port unable to capture jumbo frames.
> 602a41bb3 json: Fix deep copy of objects and arrays.
> 5dde4d748 Prepare for 2.17.4.
> 2b4b4b868 Set release date for 2.17.3.
> fbc3b10e9 Add support for OpenSSL 3.0 functions.
> 5a77d53b8 dhparams: Fix .c file generation with OpenSSL >= 3.0.
> 09e22fec4 daemon-unix: Fix file descriptor leak when monitor restarts child.
> 53df50db2 vconn: Allow ECONNREFUSED in refuse connection test.
> 26a11ca61 dpdk: Use DPDK 21.11.2 release.
> edf699ec6 m4: Test avx512 for x86 only.
> 1989caf9e ovsdb-idl: Preserve references for rows deleted in same IDL run as 
> their insertion.
> db6a612cd python: idl: Fix idl.Row.__str__ method.
> 73d7bf64a bond: Avoid deadlock while updating post recirculation rules.
> 70a63391c ofproto-dpif-upcall: Add debug commands to pause/resume 
> revalidators.
> cf0e12f8a test-list: Fix false-positive build failure with GCC 12.
> 5cbed27c8 tests: Fix tests with GNU grep 3.8.
> a5cd60db0 cirrus: Upgrade to FreeBSD 13.1 image.
> 43ece36f3 netdev-linux: Skip some internal kernel stats gathering.
> 846d6a0c5 ofproto-dpif-xlate: Fix error messages for nonexistent 
> ports/recirc_ids.
> e8814c9b8 ofproto-dpif-xlate: Clear tunnel wc bits if original packet is 
> non-tunnel.
> dfc3e65c8 raft: Fix unnecessary periodic compactions.
> 6f322ccf8 netdev-offload-tc: Parse tunnel options only for geneve ports.
> a9f10a2bd netdev-offload-tc: Add missing handling of the tunnel source port.
> ec2e967c1 netdev-offload-tc: Fix ignoring unknown tunnel keys.
> 686984d9a netdev-offload-tc: Use masks instead of keys while parsing tunnel 
> attributes.
> 92c072d94 netdev-offload-tc: Explicitly handle mask for the tunnel 
> destination port.
> 87f191a3a netdev-offload-tc: Fix the mask for tunnel metadata length.
> cadcea6fe releases: Mark 2.17 as a new LTS release.
> 8a1b73448 handlers: Fix handlers mapping.
> 713072fda handlers: Create additional handler threads when using CPU 
> isolation.
> 84a8910ff packets: Fix misaligned access to ip6_hdr.
> fe27e0c88 python: Do not send non-zero flag for a SSL socket.
> 729a872f1 dpif-netdev: Simplify AVX512 build time checks to enhance 
> readability.
> 1b566f8b8 github: Move CI to ubuntu 20.04 base image.
> 86725abe1 netdev-offload-tc: Disable offload of IPv6 fragments.
> 2276daf88 ovs-save: Use right OpenFlow version for add-tlv-map.
> c353e757d system-traffic: Fix IPv4 fragmentation test sequence for 
> check-kernel.
> 6f54dc134 system-traffic: Fix incorrect neigh entry in ipv6 header 
> modification test.
> 7848ae6ff system-traffic: Don't run IPv6 header modification test on kernels 
> < 5.19.
> 399185865 netdev-linux: set correct action for packets that passed policer
> cda60c855 python: Fix E275 missing whitespace after keyword.
> 3678fb544 tc: Use sparse hex dump while printing inconsistencies.
> 03a0ec82b netdev-offload-tc: Print unused mask bits on failure.
> 5b8453a44 dynamic-string: Add function for a sparse hex dump.
> 8d7cb1daf dpif-netlink: Fix incorrect bit shift in compat mode.
> d1cec2686 python: Use setuptools instead of distutils.
> 8d6ecb259 packets: Re-calculate IPv6 checksum only for first frag upon modify.
> 26dbc822d test-ovsdb: Fix false-positive leaks from LeakSanitizer.
> 6eab10cf2 m4: Update ax_func_posix_memalign to the latest version.
> 2f51bfd23 m4: Replace obsolete AC_HELP_STRING with AS_HELP_STRING.
> 8ad325aab libopenvswitch.pc: Add missing libs for a static build.
> b64ff3f48 rhel: Stop installing internal headers.
> b63bbf2db python-c-ext: Handle initialization failures.
> 4ad02ad04 netdev-linux: Do not touch LAG members if master is not attached to 
> OVS.
> e6dcd07bc netdev: Clear auto_classified if netdev reopened with the type 
> specified.
> 1eedf45e8 system-traffic: Properly stop dangling ping after geneve test.
> fb8e34bdb conntrack: Fix conntrack multiple new state.
> af37f4118 python-c-ext: Fix a couple of build warnings.
> b7d9f7610 python-c-ext: Remove Python 2 support.
> 02fb4bfb8 netdev-offload-dpdk: Setting RSS hash types in RSS action.
> 8e8fcf7bd lib: Print nw_frag in flow key.
> 29d8ce1ad ovsdb: Remove extra make target dependency for local-config.5.
> 13ac0bc7c tc: Fix misaligned access while creating pedit actions.
> 2c85d737a utilities/bashcomp: Fix incorrect file mode.
> 05e9d2b7a Pmd.at: fix dpcls and dpif configuration test cases.
> 45ecaa9e5 ovsdb: Add Local_Config schema.
> 61d64d389 dpif-netdev: Fix leak of AVX512 DPIF scratch pad.
> a77ad9693 dpif-netdev: Refactor AVX512 runtime checks.
> ccea7df57 dpif-netdev-extract-avx512: Protect GCC builtin usage.
> 807f7f994 ovs-tcpdump: Default to OVS_RUNDIR if present.
> ec13b03ca ovsdb: Fix memory leak on error path in ovsdb_file_read__().
> 8b2dff2e3 odp-util: Ignore unknown attributes in 
> parse_key_and_mask_to_match().
> 13d97f663 ofproto-dpif: Avoid unneccesary backer revalidation.
> 9b4035d69 lldp: Fix lldp memory leak.
> d9351febc ipfix: Trigger revalidation if ipfix options changes.
> 5419b1de9 conntrack: Fix incorrect bit shift while hashing nat range.
> 1ab5f94a1 packets: Fix misaligned write to MPLS lse.
> 8e00be03c tc: Fix misaligned access to stats and time values.
> 3a1f5341c odp-util: Fix unaligned access to tunnel id.
> 0c54c43b8 ofpbuf: Fix offsetting a NULL pointer in ofpbuf_reserve.
> 98edacb40 drop-stats.at: Fix frequent failures of the recursion too deep test.
> cbc13ce4f odp_util: Fix parse_key_and_mask_to_match() vlan parsing.
> 73e6ce492 Prepare for 2.17.3.
> 95979b0f0 Set release date for 2.17.2.
> 250e1a6dd ofproto-dpif-xlate: Fix internal CT state for non-recirc traffic.
> fe870ee07 classifier: Adjust segment boundary to execute prerequisite 
> processing.
> ec0ec464b ovs-tcpdump: Fix error when stopping ovs-tcpdump.
> 420823e2a ofproto-dpif: Fix meter use-after-free.
> c762da262 ovs-rcu: Add ovsrcu_barrier.
> cd9b6b64f dpif-netdev: Fix ALB 'rebalance_intvl' max hard limit.
> 64f6c49d2 dpif-netdev: Fix ALB parameters type mismatch.
> b11b84ea7 dpdk: Use DPDK 21.11.1 release.
> d3bf48e9a raft: Don't use HMAP_FOR_EACH_SAFE when logging commands.
> e07377bb4 ovsdb: raft: Fix transaction double commit due to lost leadership.
> 5da86cb36 dynamic-string: Fix undefined behavior due to offsetting null 
> pointer.
> 369e68890 Revert "odp-util: Always report ODP_FIT_TOO_LITTLE for IGMP."
> 18341166e ofproto-dpif-xlate: Fix netdev native tunnel neigh discovery spa.
> 748e4b2b5 ovs-router: Expose the ovs_router_get_netdev_source_address 
> function.
> 34390bb35 ofproto-dpif: Trigger revalidation if ct tp changes.
> 1adb07e20 Carefully release NBL in Windows
> 1ccaba448 tests: Properly kill ovsdb test processes.
> 260b091c2 ovs-save: Get highest ofp version error.
> 7606bb121 netdev-linux: Properly access 32-bit aligned rtnl_link_stats64 
> structs.
> 0688b9f27 treewide: Avoid offsetting NULL pointers.
> 92bcf0a82 treewide: Fix invalid bit shift operations.
> 7fa76371d utilities: Handle dumping packets in GDB TUI.
> 8cac8baa8 ofproto-dpif-xlate: Remove mirror assert.
> e0e8f0c54 netdev-dpdk: Fix tx drops statistic for a down netdev.
> f9b5f8a78 netdev-dpdk: Remove a leftover lock annotation.
> 4c3976ff2 netdev-dpdk: Refactor the DPDK transmit path.
> 410b97c83 netdev-offload-dpdk: Fix ethernet type for VLANs.
> 7948312fe netdev-offload-dpdk: Use has_vlan match attribute.
> 522c46884 python: idl: Raise AttributeError from uuid_to_row.
> cb24c524e ofproto-dpif-xlate: Clear out vlan flow fields while processing 
> native tunnel.
> a665b75de dpif-netdev-avx512: Fix overflow of UINT32_C(1).
> 60e7badd6 dpif-netdev-avx512: Fix ubsan shift error in bitmasks.
> 9cc329ec5 python: Politely handle misuse of table.condition.
> 0631be2b5 ofproto-xlate: Fix crash when forwarding packet between legacy_l3 
> tunnels.
> df9790309 system-traffic: Fix fragment reassembly with L3 L4 protocol 
> information.
> ba159ee0f cirrus: Update FreeBSD versions.
> bd1a3b6b4 Prepare for 2.17.2.
>
> Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> ---
>  ...gs-when-parsing-malformed-AutoAttach.patch | 86 -------------------
>  .../openvswitch/openvswitch_git.bb            |  7 +-
>  2 files changed, 3 insertions(+), 90 deletions(-)
>  delete mode 100644 
> recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
>
> diff --git 
> a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
>  
> b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
> deleted file mode 100644
> index ec40106..0000000
> --- 
> a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
> +++ /dev/null
> @@ -1,86 +0,0 @@
> -From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001
> -From: Qian Chen <cq674350...@163.com>
> -Date: Tue, 20 Dec 2022 09:36:08 -0500
> -Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach.
> -
> -The OVS LLDP implementation includes support for AutoAttach standard, which
> -the 'upstream' lldpd project does not include.  As part of adding this
> -support, the message parsing for these TLVs did not include proper length
> -checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the
> -LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements.  The result is that a message
> -without a proper boundary will cause an overread of memory, and lead to
> -undefined results, including crashes or other unidentified behavior.
> -
> -The fix is to introduce proper bounds checking for these elements.  Introduce
> -a unit test to ensure that we have some proper rejection in this code
> -base in the future.
> -
> -Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
> -
> -Upstream-Status: Backport from upstream 
> [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4]
> -CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization 
> Specific TLV
> -CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific 
> TLV
> -
> -Signed-off-by: Qian Chen <cq674350...@163.com>
> -Co-authored-by: Aaron Conole <acon...@redhat.com>
> -Signed-off-by: Aaron Conole <acon...@redhat.com>
> -Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
> -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> ----
> - lib/lldp/lldp.c       |  2 ++
> - tests/ofproto-dpif.at | 19 +++++++++++++++++++
> - 2 files changed, 21 insertions(+)
> -
> -diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
> -index dfeb2a800..6fdcfef56 100644
> ---- a/lib/lldp/lldp.c
> -+++ b/lib/lldp/lldp.c
> -@@ -583,6 +583,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, 
> int s,
> -
> -                 switch(tlv_subtype) {
> -                 case LLDP_TLV_AA_ELEMENT_SUBTYPE:
> -+                    CHECK_TLV_SIZE(50, "ELEMENT");
> -                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
> -
> -                     aa_element_dword = PEEK_UINT32;
> -@@ -629,6 +630,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, 
> int s,
> -                     break;
> -
> -                 case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
> -+                    CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
> -                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
> -
> -                     /* Subtract off tlv type and length (2Bytes) + OUI (3B) 
> +
> -diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
> -index eb4cd1896..fa6111c1e 100644
> ---- a/tests/ofproto-dpif.at
> -+++ b/tests/ofproto-dpif.at
> -@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter 
> rev_reconfigure], [0], [dnl
> - OVS_VSWITCHD_STOP
> - AT_CLEANUP
> -
> -+AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv])
> -+OVS_VSWITCHD_START()
> -+add_of_ports br0 1
> -+
> -+dnl Enable lldp
> -+AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true])
> -+
> -+dnl Send a malformed lldp packet
> -+packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl
> -+"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl
> -+"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl
> -+"4445414442454546fe0500040d0c010000"
> -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout])
> -+
> -+OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log])
> -+
> -+OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"])
> -+AT_CLEANUP
> -+
> - AT_SETUP([ofproto-dpif - active-backup bonding (with primary)])
> -
> - dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and
> ---
> -2.34.1
> -
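
Review bot: The header of the deleted patch carries the CVE-2022-4337 and CVE-2022-4338 tags, but the commit message gives no reason for dropping it. The short log lists ecaacb01a "lldp: Fix bugs when parsing malformed AutoAttach." between "Prepare for 2.17.5." and "Set release date for 2.17.5.", so the fix is part of the upstream source at the new SRCREV. Please say so in the changes list, so that anyone auditing the two CVEs can see the backport was dropped because the fix is included upstream. It is also worth confirming that the upstream commit contains the same two CHECK_TLV_SIZE checks (50 for ELEMENT, 36 for ISID_VLAN_ASGNS) and the "malformed lldp autoattach tlv" test shown in this file.
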
> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb 
> b/recipes-networking/openvswitch/openvswitch_git.bb
> index ac42026..a629f9b 100644
> --- a/recipes-networking/openvswitch/openvswitch_git.bb
> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
> @@ -14,12 +14,12 @@ RDEPENDS:${PN}-ptest += "\
>         "
>
>  S = "${WORKDIR}/git"
> -PV = "2.17.1+${SRCPV}"
> -CVE_VERSION = "2.17.1"
> +PV = "2.17.6+${SRCPV}"
> +CVE_VERSION = "2.17.6"
>
>  FILESEXTRAPATHS:append := "${THISDIR}/${PN}-git:"
>
> -SRCREV = "41bb202fb37f184b0a8820a029c62d03c118614e"
> +SRCREV = "a08bb41e3c381f695b5ab62b0ab49b39c2b98727"
>  SRC_URI += 
> "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.17 \
>              
> file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
>              file://run-ptest \
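
Review bot: PV, CVE_VERSION and SRCREV in this hunk are three hand-edited values that must agree, and CVE_VERSION is what CVE scanning relies on now that the backport carrying the CVE tags is removed. The new SRCREV a08bb41e3c381f695b5ab62b0ab49b39c2b98727 matches a08bb41e3 "Set release date for 2.17.6." at the top of the short log, so they are consistent here. Consider deriving CVE_VERSION from PV so that a later bump cannot leave them out of step. The SRC_URI context also keeps openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch, whose file name embeds a hash that is neither the old nor the new SRCREV, so please confirm it still applies on 2.17.6.
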
> @@ -27,7 +27,6 @@ SRC_URI += 
> "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.
>              file://kernel_module.patch \
>              file://systemd-update-tool-paths.patch \
>              file://systemd-create-runtime-dirs.patch \
> -            
> file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \
>             "
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
> --
> 2.34.1
>
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II