Overview

File CVE-2025-0650.patch of Package openvswitch.37499

From 8e9db99fa0e875b0f6a75572fb5bb8af38874104 Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 11 Feb 2025 10:49:30 +0100
Subject: [PATCH 1/1] bsc#1236353 (CVE-2025-0650) ovn: egress ACLs may be
 bypassed via specially crafted UDP packet
Reference: bsc#1236353
Upstream: 4140fead049ecef6a6b0f90e74f5de7d5a40fd5d

Backported upstream fix 4140fead0 without tests.

---

[PATCH 1/1] Skip only OVN DNS responder packets from OUT_ACL.

When OVN's DNS caching feature is enabled, due to the OpenFlow rules
that OVN installs in Open vSwitch, it is possible for an attacker to
craft a UDP packet that can bypass egress ACL rules configured on the
same switch that has DNS caching configured.

This patch fixes the issue by setting a register bit when OVN's DNS
responder replies to an incoming request. Then the flow that allows
egress ACL bypass only applies to packets that have this register bit
set. This gives the intended effect of allowing internally-generated DNS
responses to not be blocked by user-defined ACLs without potentially
compromising the security of the switch.

Signed-off-by: Numan Siddique <numans@ovn.org>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Dumitru Ceara <dceara@redhat.com>
---
 controller/pinctrl.c         | 27 +++++++++++++++++++++++++++
 include/ovn/logical-fields.h |  1 +
 lib/logical-fields.c         |  3 +++
 northd/ovn-northd.c          |  3 ++-
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/controller/pinctrl.c b/controller/pinctrl.c
index b39ce64e7..6f5623d42 100644
--- a/controller/pinctrl.c
+++ b/controller/pinctrl.c
@@ -313,6 +313,8 @@ static void pinctrl_compose_ipv6(struct dp_packet *packet,
                                  uint8_t ip_proto, uint8_t ttl,
                                  uint16_t ip_payload_len);
 
+static void set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *);
+
 COVERAGE_DEFINE(pinctrl_drop_put_mac_binding);
 COVERAGE_DEFINE(pinctrl_drop_buffered_packets_map);
 COVERAGE_DEFINE(pinctrl_drop_controller_event);
@@ -1910,6 +1912,10 @@ exit:
         union mf_subvalue sv;
         sv.u8_val = success;
         mf_write_subfield(&dst, &sv, &pin->flow_metadata);
+
+        /* Indicate that this packet is from ovn-controller. */
+        set_from_ctrl_flag_in_pkt_metadata(pin);
+
     }
     queue_msg(swconn, ofputil_encode_resume(pin, continuation, proto));
     dp_packet_uninit(pkt_out_ptr);
@@ -5680,3 +5686,24 @@ pinctrl_handle_svc_check(struct rconn *swconn, const struct flow *ip_flow,
         svc_mon->next_send_time = time_msec() + svc_mon->interval;
     }
 }
+
+/* This function sets the register bit 'MLF_FROM_CTRL_BIT'
+ * in the register 'MFF_LOG_FLAGS' to indicate that this packet
+ * is generated/sent by ovn-controller.
+ * ovn-northd can add logical flows to match on "flags.from_ctrl".
+ */
+static void
+set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *pin)
+{
+    const struct mf_field *f = mf_from_id(MFF_LOG_FLAGS);
+
+    struct mf_subfield dst = {
+        .field = f,
+        .ofs = MLF_FROM_CTRL_BIT,
+        .n_bits = 1,
+    };
+
+    union mf_subvalue sv;
+    sv.u8_val = 1;
+    mf_write_subfield(&dst, &sv, &pin->flow_metadata);
+}
diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
index c7bd2dba9..2e6627cfb 100644
--- a/include/ovn/logical-fields.h
+++ b/include/ovn/logical-fields.h
@@ -57,6 +57,7 @@ enum mff_log_flags_bits {
     MLF_LOCAL_ONLY_BIT = 4,
     MLF_NESTED_CONTAINER_BIT = 5,
     MLF_LOOKUP_MAC_BIT = 6,
+    MLF_FROM_CTRL_BIT = 16,
 };
 
 /* MFF_LOG_FLAGS_REG flag assignments */
diff --git a/lib/logical-fields.c b/lib/logical-fields.c
index a007085b3..34afeb8e2 100644
--- a/lib/logical-fields.c
+++ b/lib/logical-fields.c
@@ -118,6 +118,9 @@ ovn_init_symtab(struct shash *symtab)
     expr_symtab_add_subfield(symtab, "flags.force_snat_for_lb", NULL,
                              flags_str);
 
+    snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_FROM_CTRL_BIT);
+    expr_symtab_add_subfield(symtab, "flags.from_ctrl", NULL, flags_str);
+
     /* Connection tracking state. */
     expr_symtab_add_field(symtab, "ct_mark", MFF_CT_MARK, NULL, false);
 
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 26a6441ce..5223b7d90 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5404,7 +5404,8 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
     if (ls_has_dns_records(od->nbs)) {
         const char *actions = has_stateful ? "ct_commit; next;" : "next;";
         ovn_lflow_add(
-            lflows, od, S_SWITCH_OUT_ACL, 34000, "udp.src == 53",
+            lflows, od, S_SWITCH_OUT_ACL, 34000,
+            "flags.from_ctrl && udp.src == 53",
             actions);
     }
 
-- 
2.48.1
openSUSE Build Service is sponsored by
Places