From: Sasha Levin
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Eelco Chaudron, Simon Horman, Ilya Maximets, Jakub Kicinski, Sasha Levin, aconole@redhat.com, netdev@vger.kernel.org, dev@openvswitch.org
Subject: [PATCH AUTOSEL 5.4 09/20] openvswitch: Stricter validation for the userspace action
Date: Tue, 3 Jun 2025 21:06:55 -0400
Message-Id: <20250604010706.7395-9-sashal@kernel.org>
In-Reply-To: <20250604010706.7395-1-sashal@kernel.org>
References: <20250604010706.7395-1-sashal@kernel.org>
X-Mailing-List: patches@lists.linux.dev
X-stable: review
X-stable-base: Linux 5.4.293

From: Eelco Chaudron

[ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ]

This change enhances the robustness of validate_userspace() by ensuring
that all Netlink attributes are fully contained within the parent
attribute. The previous use of nla_parse_nested_deprecated() could
silently skip trailing or malformed attributes, as it stops parsing at
the first invalid entry.

By switching to nla_parse_deprecated_strict(), we make sure only fully
validated attributes are copied for later use.

Signed-off-by: Eelco Chaudron
Reviewed-by: Simon Horman
Acked-by: Ilya Maximets
Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
**YES**

This commit should be backported to stable kernel trees.

## Analysis

**Commit Overview:**

The commit changes the `validate_userspace()` function in `net/openvswitch/flow_netlink.c` by replacing `nla_parse_nested_deprecated()` with `nla_parse_deprecated_strict()` to ensure stricter validation of Netlink attributes for the userspace action.

**Specific Code Changes:**

The key change is on lines 3052-3054:

```c
// Before:
error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
				    userspace_policy, NULL);

// After:
error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX,
				    nla_data(attr), nla_len(attr),
				    userspace_policy, NULL);
```

**Why This Should Be Backported:**

1. **Security Enhancement:** This commit addresses a parsing vulnerability where malformed attributes could be silently ignored. The original `nla_parse_nested_deprecated()` stops parsing at the first invalid entry, potentially allowing trailing malformed data to bypass validation.

2. **Robustness Fix:** The change ensures all netlink attributes are fully contained within the parent attribute bounds, preventing potential buffer over-reads or under-reads that could lead to security issues.

3. **Pattern Consistency:** Looking at the git blame output (lines 3085-3087), we can see that `nla_parse_deprecated_strict()` was already introduced in 2019 by commit 8cb081746c031 and is used elsewhere in the same file for similar validation (e.g., the `validate_and_copy_check_pkt_len()` function).

4. **Low Risk:** This is a small, contained change that only affects input validation - it doesn't change functionality or introduce new features. The change is defensive and follows existing patterns in the codebase.

5. **Similar Precedent:** This commit is very similar to the validated "Similar Commit #2" which was marked for backporting (status: YES).
That commit also dealt with netlink attribute validation safety in openvswitch (`validate_set()` function) and was considered suitable for stable trees. 6. **Critical Subsystem:** Open vSwitch is a critical networking component used in virtualization and container environments. Input validation issues in this subsystem could potentially be exploited for privilege escalation or denial of service. 7. **Clear Intent:** The commit message explicitly states this "enhances robustness" and ensures "only fully validated attributes are copied for later use," indicating this is a defensive security improvement. **Risk Assessment:** - Very low regression risk - No API changes - Only affects error handling paths - Follows established validation patterns in the same codebase This commit fits perfectly into the stable tree criteria: it's an important security/robustness fix, has minimal risk of regression, is well- contained, and addresses a clear validation vulnerability in a critical kernel subsystem. net/openvswitch/flow_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 4ad4c89886ee3..f1f7a0e34c7a9 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2912,7 +2912,8 @@ static int validate_userspace(const struct nlattr *attr) struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; int error; - error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, + error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, + nla_data(attr), nla_len(attr), userspace_policy, NULL); if (error) return error; -- 2.39.5
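Review bot: the hunk tightens accept/reject behaviour rather than only touching error paths: after the switch to nla_parse_deprecated_strict() over nla_data(attr)/nla_len(attr), a userspace action that carries trailing bytes or an attribute type above OVS_USERSPACE_ATTR_MAX is rejected with an error, where nla_parse_nested_deprecated() previously stopped at the first invalid entry and proceeded (as the commit message itself describes). For the 5.4 backport it is worth confirming that userspace_policy in this tree covers every attribute type upstream accepts, so that nothing valid upstream becomes -EINVAL here, and stating the user-visible tightening in the backport message rather than describing it as error-path only.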
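The two parsing modes the commit message contrasts, as an added example that is not part of the patch or the kernel tree: a user-space model of the netlink attribute walk, run over a constructed buffer whose last header claims more bytes than remain. `MAXTYPE`, `parse()`, `put_attr()` and `check_sample()` are assumed names; `strict == 0` models nla_parse_nested_deprecated() and `strict == 1` models nla_parse_deprecated_strict().

```c
#include <stdint.h>
#include <string.h>
/* User-space model of the netlink TLV walk (not the kernel's code). */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_ALIGN(len) (((len) + 3) & ~3)
#define NLA_HDRLEN     ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define MAXTYPE        2 /* stands in for OVS_USERSPACE_ATTR_MAX (assumed value) */

/* Walk buf[0..len); returns 0 on success, -1 (EINVAL) on error. strict == 0 models
 * nla_parse_nested_deprecated(): stop silently at the first malformed header and skip
 * unknown types. strict == 1 models nla_parse_deprecated_strict(): reject both. */
static int parse(const uint8_t *buf, int len, int strict, const struct nlattr *tb[MAXTYPE + 1])
{
    const struct nlattr *nla = (const struct nlattr *)buf;
    int rem = len;
    memset(tb, 0, sizeof(tb[0]) * (MAXTYPE + 1));
    while (rem >= NLA_HDRLEN && nla->nla_len >= NLA_HDRLEN && nla->nla_len <= rem) {
        if (nla->nla_type > MAXTYPE && strict)
            return -1;                         /* unknown attribute type */
        if (nla->nla_type != 0 && nla->nla_type <= MAXTYPE)
            tb[nla->nla_type] = nla;           /* last occurrence wins, as in the kernel */
        rem -= NLA_ALIGN(nla->nla_len);
        nla = (const struct nlattr *)((const uint8_t *)nla + NLA_ALIGN(nla->nla_len));
    }
    /* Leftover bytes that did not form a valid attribute: the case the patch closes. */
    return (rem > 0 && strict) ? -1 : 0;
}

/* Append one attribute (header, payload, pad); returns bytes written. */
static int put_attr(uint8_t *dst, uint16_t type, const void *payload, int plen)
{
    struct nlattr h = { (uint16_t)(NLA_HDRLEN + plen), type };
    memcpy(dst, &h, sizeof h);
    memcpy(dst + NLA_HDRLEN, payload, plen);
    memset(dst + NLA_HDRLEN + plen, 0, NLA_ALIGN(h.nla_len) - h.nla_len);
    return NLA_ALIGN(h.nla_len);
}

/* Constructed input: two valid attributes, then a header claiming 12 bytes with
 * only 4 left ("trailing or malformed"). Returns the parse result for the mode. */
int check_sample(int strict)
{
    _Alignas(4) uint8_t buf[32];
    const struct nlattr *tb[MAXTYPE + 1];
    int len = put_attr(buf, 1, "AAAA", 4);
    len += put_attr(buf + len, 2, "BB", 2);
    struct nlattr bad = { 12, 1 };
    memcpy(buf + len, &bad, sizeof bad);
    return parse(buf, len + NLA_HDRLEN, strict, tb);
}
```

The liberal walk returns 0 and leaves the 4 dangling bytes unexamined; the strict walk returns -1 for the same input, which is the behaviour the patch gives validate_userspace().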