import passt-0%5E20240806.gee36266-2.el9

3dea4725 · Rocky Automation · a484e26a · 3dea4725 · 3dea4725 · 3dea4725
Commit 3dea4725 authored 4 months ago by Rocky Automation
--- a/.passt.checksum
+++ b/.passt.checksum
-9a420fce64dd5d55bd6b30ef4c781c8caaeda7f2148d14b318c356dab767bb94
+642dfeadac92b3a81224c3ae9289642354e260a341101d546cd60666753351a0
--- a/.passt.metadata
+++ b/.passt.metadata
-b8748957d3ea8a09145438087e2527cc687e188c6df6010cab80b4b58cd6601d SOURCES/passt-b86afe3559c0bd3d24bc6fed7c60466cf141224c.tar.xz
+ffcbfc459a689acd3086b9be20f4d8413c2c03bb94343901ece22ac19d6f559e SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
--- a/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
+++ b/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
+From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Wed, 14 Aug 2024 20:03:33 +1000
+Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0
+Using a zero port on TCP or UDP is dubious, and we can't really deal with
+forwarding such a flow within the constraints of the socket API.  Hence
+we ASSERT()ed that we had non-zero ports in flow_hash().
+The intention was to make sure that the protocol code sanitizes such ports
+before completing a flow entry.  Unfortunately, flow_hash() is also called
+on new packets to see if they have an existing flow, so the unsanitized
+guest packet can crash passt with the assert.
+Correct this by moving the assert from flow_hash() to flow_sidx_hash()
+which is only used on entries already in the table, not on unsanitized
+data.
+Reported-by: Matt Hamilton <matt@thmail.io>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ flow.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+diff --git a/flow.c b/flow.c
+index 687e9fd..93b687d 100644
+--- a/flow.c
+++ b/flow.c
+@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
+ {
+ 	struct siphash_state state = SIPHASH_INIT(c->hash_secret);
+-	/* For the hash table to work, we need complete endpoint information,
+-	 * and at least a forwarding port.
+-	 */
+-	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
+-	       side->eport != 0 && side->fport != 0);
+-
+ 	inany_siphash_feed(&state, &side->faddr);
+ 	inany_siphash_feed(&state, &side->eaddr);
+@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
+ static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx)
+ {
+ 	const struct flow_common *f = &flow_at_sidx(sidx)->f;
+-	return flow_hash(c, FLOW_PROTO(f),
+-			 f->pif[sidx.sidei], &f->side[sidx.sidei]);
+	const struct flowside *side = &f->side[sidx.sidei];
+	uint8_t pif = f->pif[sidx.sidei];
+
+	/* For the hash table to work, entries must have complete endpoint
+	 * information, and at least a forwarding port.
+	 */
+	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
+	       side->eport != 0 && side->fport != 0);
+
+	return flow_hash(c, FLOW_PROTO(f), pif, side);
+ }
+ /**
+-- 
+2.43.0
--- a/SPECS/passt.spec
+++ b/SPECS/passt.spec
@@ -7,19 +7,20 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
-%global git_hash b86afe3559c0bd3d24bc6fed7c60466cf141224c
+%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd
 %global selinuxtype targeted
 Name:		passt
-Version:	0^20231204.gb86afe3
+Version:	0^20240806.gee36266
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
-License:	GPLv2+ and BSD
+License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
 URL:		https://passt.top/
 Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 Patch1:		0001-selinux-Drop-user_namespace-create-allow-rules.patch
+Patch2:		0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
 Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -126,6 +127,21 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 %changelog
+* Wed Aug 14 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240806-gee36266-2
+- Resolves: RHEL-54268
+* Wed Aug  7 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240806.gee36266-1
+- Resolves: RHEL-53189
+* Fri Aug  2 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240726.g57a21d2-1
+- Resolves: RHEL-52638
+* Mon Jun 24 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240624.g1ee2eca-1
+- Resolves: RHEL-44837
+* Wed May 22 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240510.g7288448-1
+- Resolves: RHEL-37647
 * Fri Dec 15 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20231204.gb86afe3-1
 - Resolves: RHEL-19590