Netdev List
 help / color / mirror / Atom feed
* [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
@ 2022-04-15  8:08 Paolo Valerio
  2022-04-15 10:25 ` [ovs-dev] " Eelco Chaudron
  2022-04-15 11:00 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Paolo Valerio @ 2022-04-15  8:08 UTC (permalink / raw)
  To: netdev, dev
  Cc: Pravin B Shelar, David S. Miller, Jakub Kicinski, Paolo Abeni,
	stable

Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.

Fix it by rearranging the flow action size check.

KASAN splat below:

==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836

CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x5a
 print_report.cold+0x5e/0x5db
 ? __lock_text_start+0x8/0x8
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_report+0xb5/0x130
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_check_range+0xf5/0x1d0
 memcpy+0x39/0x60
 reserve_sfa_size+0x1ba/0x380 [openvswitch]
 __add_action+0x24/0x120 [openvswitch]
 ovs_nla_add_action+0xe/0x20 [openvswitch]
 ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
 ? __kernel_text_address+0xe/0x30
 ? unwind_get_return_address+0x56/0xa0
 ? create_prof_cpu_mask+0x20/0x20
 ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
 ? prep_compound_page+0x198/0x2a0
 ? __kasan_check_byte+0x10/0x40
 ? kasan_unpoison+0x40/0x70
 ? ksize+0x44/0x60
 ? reserve_sfa_size+0x75/0x380 [openvswitch]
 __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
 ? __zone_watermark_ok+0x420/0x420
 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
 ? __alloc_pages+0x1a9/0x3e0
 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
 ? unwind_next_frame+0x991/0x1e40
 ? __mod_node_page_state+0x99/0x120
 ? __mod_lruvec_page_state+0x2e3/0x470
 ? __kasan_kmalloc_large+0x90/0xe0
 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
 ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
 ...

Cc: stable@vger.kernel.org
Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
---
 net/openvswitch/flow_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 7176156d3844..4c09cf8a0ab2 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
 	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
 
 	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
-		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
 			OVS_NLERR(log, "Flow action size exceeds max %u",
 				  MAX_ACTIONS_BUFSIZE);
 			return ERR_PTR(-EMSGSIZE);


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [ovs-dev] [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
  2022-04-15  8:08 [PATCH] openvswitch: fix OOB access in reserve_sfa_size() Paolo Valerio
@ 2022-04-15 10:25 ` Eelco Chaudron
  2022-04-15 11:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Eelco Chaudron @ 2022-04-15 10:25 UTC (permalink / raw)
  To: Paolo Valerio
  Cc: netdev, dev, Jakub Kicinski, Paolo Abeni, David S. Miller, stable



On 15 Apr 2022, at 10:08, Paolo Valerio wrote:

> Given a sufficiently large number of actions, while copying and
> reserving memory for a new action of a new flow, if next_offset is
> greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
> not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
> bytes increasing actions_len by req_size. This can then lead to an OOB
> write access, especially when further actions need to be copied.
>
> Fix it by rearranging the flow action size check.
>
> KASAN splat below:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
> Write of size 65360 at addr ffff888147e4001c by task handler15/836
>
> CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
> ...
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x45/0x5a
>  print_report.cold+0x5e/0x5db
>  ? __lock_text_start+0x8/0x8
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_report+0xb5/0x130
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_check_range+0xf5/0x1d0
>  memcpy+0x39/0x60
>  reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  __add_action+0x24/0x120 [openvswitch]
>  ovs_nla_add_action+0xe/0x20 [openvswitch]
>  ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
>  ? __kernel_text_address+0xe/0x30
>  ? unwind_get_return_address+0x56/0xa0
>  ? create_prof_cpu_mask+0x20/0x20
>  ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
>  ? prep_compound_page+0x198/0x2a0
>  ? __kasan_check_byte+0x10/0x40
>  ? kasan_unpoison+0x40/0x70
>  ? ksize+0x44/0x60
>  ? reserve_sfa_size+0x75/0x380 [openvswitch]
>  __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
>  ? __zone_watermark_ok+0x420/0x420
>  ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
>  ? __alloc_pages+0x1a9/0x3e0
>  ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
>  ? unwind_next_frame+0x991/0x1e40
>  ? __mod_node_page_state+0x99/0x120
>  ? __mod_lruvec_page_state+0x2e3/0x470
>  ? __kasan_kmalloc_large+0x90/0xe0
>  ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
>  ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
>  ...
>
> Cc: stable@vger.kernel.org
> Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
> Signed-off-by: Paolo Valerio <pvalerio@redhat.com>

Change looks fine to me.

Acked-by: Eelco Chaudron <echaudro@redhat.com>

> ---
>  net/openvswitch/flow_netlink.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index 7176156d3844..4c09cf8a0ab2 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
>  	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
>
>  	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
> -		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
> +		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
>  			OVS_NLERR(log, "Flow action size exceeds max %u",
>  				  MAX_ACTIONS_BUFSIZE);
>  			return ERR_PTR(-EMSGSIZE);
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
  2022-04-15  8:08 [PATCH] openvswitch: fix OOB access in reserve_sfa_size() Paolo Valerio
  2022-04-15 10:25 ` [ovs-dev] " Eelco Chaudron
@ 2022-04-15 11:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-04-15 11:00 UTC (permalink / raw)
  To: Paolo Valerio; +Cc: netdev, dev, pshelar, davem, kuba, pabeni, stable

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Fri, 15 Apr 2022 10:08:41 +0200 you wrote:
> Given a sufficiently large number of actions, while copying and
> reserving memory for a new action of a new flow, if next_offset is
> greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
> not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
> bytes increasing actions_len by req_size. This can then lead to an OOB
> write access, especially when further actions need to be copied.
> 
> [...]

Here is the summary with links:
  - openvswitch: fix OOB access in reserve_sfa_size()
    https://git.kernel.org/netdev/net/c/cefa91b2332d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-04-15 11:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-04-15  8:08 [PATCH] openvswitch: fix OOB access in reserve_sfa_size() Paolo Valerio
2022-04-15 10:25 ` [ovs-dev] " Eelco Chaudron
2022-04-15 11:00 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox