Overview

File CVE-2025-0650.patch of Package openvswitch3.37664

From 5f387b090fbc00a51a07dcd70fd2dfe78004004f Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Fri, 7 Feb 2025 15:01:34 +0100
Subject: [PATCH] bsc#1236353 (CVE-2025-0650) ovn: egress ACLs may be bypassed
 via specially crafted UDP packet
Reference: bsc#1236353
Upstream: 4140fead049ecef6a6b0f90e74f5de7d5a40fd5d

Backported upstream fix 4140fead0 without tests.

---

[PATCH 1/1] Skip only OVN DNS responder packets from OUT_ACL.

When OVN's DNS caching feature is enabled, due to the OpenFlow rules
that OVN installs in Open vSwitch, it is possible for an attacker to
craft a UDP packet that can bypass egress ACL rules configured on the
same switch that has DNS caching configured.

This patch fixes the issue by setting a register bit when OVN's DNS
responder replies to an incoming request. Then the flow that allows
egress ACL bypass only applies to packets that have this register bit
set. This gives the intended effect of allowing internally-generated DNS
responses to not be blocked by user-defined ACLs without potentially
compromising the security of the switch.

Signed-off-by: Numan Siddique <numans@ovn.org>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Dumitru Ceara <dceara@redhat.com>

---
 controller/pinctrl.c                          |  27 +++
 include/ovn/logical-fields.h                  |   1 +
 lib/logical-fields.c                          |   3 +
 northd/northd.c                               |   3 +-
 ...N-DNS-responder-packets-from-OUT_ACL.patch | 225 ++++++++++++++++++
 5 files changed, 258 insertions(+), 1 deletion(-)
 create mode 100644 suse.patches/0001-Skip-only-OVN-DNS-responder-packets-from-OUT_ACL.patch

diff --git a/controller/pinctrl.c b/controller/pinctrl.c
index 795847729..abfc89683 100644
--- a/controller/pinctrl.c
+++ b/controller/pinctrl.c
@@ -374,6 +374,8 @@ static void pinctrl_handle_put_fdb(const struct flow *md,
                                    const struct flow *headers)
                                    OVS_REQUIRES(pinctrl_mutex);
 
+static void set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *);
+
 COVERAGE_DEFINE(pinctrl_drop_put_mac_binding);
 COVERAGE_DEFINE(pinctrl_drop_buffered_packets_map);
 COVERAGE_DEFINE(pinctrl_drop_controller_event);
@@ -3173,6 +3175,10 @@ exit:
         union mf_subvalue sv;
         sv.u8_val = success;
         mf_write_subfield(&dst, &sv, &pin->flow_metadata);
+
+        /* Indicate that this packet is from ovn-controller. */
+        set_from_ctrl_flag_in_pkt_metadata(pin);
+
     }
     queue_msg(swconn, ofputil_encode_resume(pin, continuation, proto));
     dp_packet_uninit(pkt_out_ptr);
@@ -8255,3 +8261,24 @@ pinctrl_handle_put_fdb(const struct flow *md, const struct flow *headers)
     ovn_fdb_add(&put_fdbs, dp_key, headers->dl_src, port_key);
     notify_pinctrl_main();
 }
+
+/* This function sets the register bit 'MLF_FROM_CTRL_BIT'
+ * in the register 'MFF_LOG_FLAGS' to indicate that this packet
+ * is generated/sent by ovn-controller.
+ * ovn-northd can add logical flows to match on "flags.from_ctrl".
+ */
+static void
+set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *pin)
+{
+    const struct mf_field *f = mf_from_id(MFF_LOG_FLAGS);
+
+    struct mf_subfield dst = {
+        .field = f,
+        .ofs = MLF_FROM_CTRL_BIT,
+        .n_bits = 1,
+    };
+
+    union mf_subvalue sv;
+    sv.u8_val = 1;
+    mf_write_subfield(&dst, &sv, &pin->flow_metadata);
+}
diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
index a7b64ef67..70c6d6658 100644
--- a/include/ovn/logical-fields.h
+++ b/include/ovn/logical-fields.h
@@ -77,6 +77,7 @@ enum mff_log_flags_bits {
     MLF_CHECK_PORT_SEC_BIT = 12,
     MLF_LOOKUP_COMMIT_ECMP_NH_BIT = 13,
     MLF_USE_LB_AFF_SESSION_BIT = 14,
+    MLF_FROM_CTRL_BIT = 16,
 };
 
 /* MFF_LOG_FLAGS_REG flag assignments */
diff --git a/lib/logical-fields.c b/lib/logical-fields.c
index fd509d9ee..085a94b00 100644
--- a/lib/logical-fields.c
+++ b/lib/logical-fields.c
@@ -130,6 +130,9 @@ ovn_init_symtab(struct shash *symtab)
     expr_symtab_add_subfield(symtab, "flags.use_snat_zone", NULL,
                              flags_str);
 
+    snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_FROM_CTRL_BIT);
+    expr_symtab_add_subfield(symtab, "flags.from_ctrl", NULL, flags_str);
+
     /* Connection tracking state. */
     expr_symtab_add_field_scoped(symtab, "ct_mark", MFF_CT_MARK, NULL, false,
                                  WR_CT_COMMIT);
diff --git a/northd/northd.c b/northd/northd.c
index 1e05b8f22..5538ba0ab 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -6943,7 +6943,8 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features,
     if (ls_has_dns_records(od->nbs)) {
         const char *dns_actions = has_stateful ? "ct_commit; next;" : "next;";
         ovn_lflow_add(
-            lflows, od, S_SWITCH_OUT_ACL, 34000, "udp.src == 53",
+            lflows, od, S_SWITCH_OUT_ACL, 34000,
+            "flags.from_ctrl && udp.src == 53",
             dns_actions);
     }
openSUSE Build Service is sponsored by
Places