Re: [PATCH net] net: openvswitch: fix middle attribute validation in push_nsh() action

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Aaron Conole <aconole@redhat.com>
To: Ilya Maximets <i.maximets@ovn.org>
Cc: netdev@vger.kernel.org,  "David S. Miller" <davem@davemloft.net>,
	 Eric Dumazet <edumazet@google.com>,
	 Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>,
	 Simon Horman <horms@kernel.org>,
	linux-kernel@vger.kernel.org,  dev@openvswitch.org,
	 Eelco Chaudron <echaudro@redhat.com>,  Willy Tarreau <w@1wt.eu>,
	 LePremierHomme <kwqcheii@proton.me>,
	 Junvy Yang <zhuque@tencent.com>
Subject: Re: [PATCH net] net: openvswitch: fix middle attribute validation in push_nsh() action
Date: Thu, 04 Dec 2025 12:41:51 -0500	[thread overview]
Message-ID: <f7ttsy6cffk.fsf@redhat.com> (raw)
In-Reply-To: <20251204105334.900379-1-i.maximets@ovn.org> (Ilya Maximets's message of "Thu, 4 Dec 2025 11:53:32 +0100")

Ilya Maximets <i.maximets@ovn.org> writes:

> The push_nsh() action structure looks like this:
>
>  OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
>
> The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
> nla_for_each_nested() inside __ovs_nla_copy_actions().  The innermost
> OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
> inside nsh_key_put_from_nlattr().  But nothing checks if the attribute
> in the middle is OK.  We don't even check that this attribute is the
> OVS_KEY_ATTR_NSH.  We just do a double unwrap with a pair of nla_data()
> calls - first time directly while calling validate_push_nsh() and the
> second time as part of the nla_for_each_nested() macro, which isn't
> safe, potentially causing invalid memory access if the size of this
> attribute is incorrect.  The failure may not be noticed during
> validation due to larger netlink buffer, but cause trouble later during
> action execution where the buffer is allocated exactly to the size:
>
>  BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>  Read of size 184 at addr ffff88816459a634 by task a.out/22624
>
>  CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
>  Call Trace:
>   <TASK>
>   dump_stack_lvl+0x51/0x70
>   print_address_description.constprop.0+0x2c/0x390
>   kasan_report+0xdd/0x110
>   kasan_check_range+0x35/0x1b0
>   __asan_memcpy+0x20/0x60
>   nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>   push_nsh+0x82/0x120 [openvswitch]
>   do_execute_actions+0x1405/0x2840 [openvswitch]
>   ovs_execute_actions+0xd5/0x3b0 [openvswitch]
>   ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
>   genl_family_rcv_msg_doit+0x1d6/0x2b0
>   genl_family_rcv_msg+0x336/0x580
>   genl_rcv_msg+0x9f/0x130
>   netlink_rcv_skb+0x11f/0x370
>   genl_rcv+0x24/0x40
>   netlink_unicast+0x73e/0xaa0
>   netlink_sendmsg+0x744/0xbf0
>   __sys_sendto+0x3d6/0x450
>   do_syscall_64+0x79/0x2c0
>   entry_SYSCALL_64_after_hwframe+0x76/0x7e
>   </TASK>
>
> Let's add some checks that the attribute is properly sized and it's
> the only one attribute inside the action.  Technically, there is no
> real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
> pushing an NSH header already, it just creates extra nesting, but
> that's how uAPI works today.  So, keeping as it is.
>
> Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
> Reported-by: Junvy Yang <zhuque@tencent.com>
> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> ---

Checked it out using also the userspace kmod test suite, and the
kernel selftest scripts.  Change makes sense to me.

Reviewed-by: Aaron Conole <aconole@redhat.com>

next prev parent reply	other threads:[~2025-12-04 17:42 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-04 10:53 [PATCH net] net: openvswitch: fix middle attribute validation in push_nsh() action Ilya Maximets
2025-12-04 11:03 ` Eelco Chaudron
2025-12-04 11:36   ` Ilya Maximets
2025-12-04 13:22     ` Eelco Chaudron
2025-12-04 13:50       ` Ilya Maximets
2025-12-04 17:41 ` Aaron Conole [this message]
2025-12-10  8:50 ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7ttsy6cffk.fsf@redhat.com \
    --to=aconole@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dev@openvswitch.org \
    --cc=echaudro@redhat.com \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=i.maximets@ovn.org \
    --cc=kuba@kernel.org \
    --cc=kwqcheii@proton.me \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=w@1wt.eu \
    --cc=zhuque@tencent.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.