From: Greg KH <greg@kroah.com>
To: Ilya Maximets <i.maximets@ovn.org>
Cc: Sasha Levin <sashal@kernel.org>,
patches@lists.linux.dev, stable@vger.kernel.org,
Eelco Chaudron <echaudro@redhat.com>,
Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>,
aconole@redhat.com, netdev@vger.kernel.org, dev@openvswitch.org
Subject: Re: [PATCH AUTOSEL 6.15 044/118] openvswitch: Stricter validation for the userspace action
Date: Wed, 4 Jun 2025 10:03:29 +0200 [thread overview]
Message-ID: <2025060449-arena-exceeding-a090@gregkh> (raw)
In-Reply-To: <38ef1815-5bc1-4391-b487-05a18e84c94e@ovn.org>
On Wed, Jun 04, 2025 at 09:57:20AM +0200, Ilya Maximets wrote:
> On 6/4/25 2:49 AM, Sasha Levin wrote:
> > From: Eelco Chaudron <echaudro@redhat.com>
> >
> > [ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ]
> >
> > This change enhances the robustness of validate_userspace() by ensuring
> > that all Netlink attributes are fully contained within the parent
> > attribute. The previous use of nla_parse_nested_deprecated() could
> > silently skip trailing or malformed attributes, as it stops parsing at
> > the first invalid entry.
> >
> > By switching to nla_parse_deprecated_strict(), we make sure only fully
> > validated attributes are copied for later use.
> >
> > Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
> > Reviewed-by: Simon Horman <horms@kernel.org>
> > Acked-by: Ilya Maximets <i.maximets@ovn.org>
> > Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com
> > Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >
> > **YES** This commit should be backported to stable kernel trees. ##
> > Analysis **Commit Overview:** The commit changes `validate_userspace()`
> > function in `net/openvswitch/flow_netlink.c` by replacing
> > `nla_parse_nested_deprecated()` with `nla_parse_deprecated_strict()` to
> > ensure stricter validation of Netlink attributes for the userspace
> > action. **Specific Code Changes:** The key change is on lines 3052-3054:
> > ```c // Before: error = nla_parse_nested_deprecated(a,
> > OVS_USERSPACE_ATTR_MAX, attr, userspace_policy, NULL); // After: error =
> > nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, nla_data(attr),
> > nla_len(attr), userspace_policy, NULL); ``` **Why This Should Be
> > Backported:** 1. **Security Enhancement:** This commit addresses a
> > parsing vulnerability where malformed attributes could be silently
> > ignored. The original `nla_parse_nested_deprecated()` stops parsing at
> > the first invalid entry, potentially allowing trailing malformed data to
> > bypass validation. 2. **Robustness Fix:** The change ensures all netlink
> > attributes are fully contained within the parent attribute bounds,
> > preventing potential buffer over-reads or under-reads that could lead to
> > security issues. 3. **Pattern Consistency:** Looking at the git blame
> > output (lines 3085-3087), we can see that
> > `nla_parse_deprecated_strict()` was already introduced in 2019 by commit
> > 8cb081746c031 and is used elsewhere in the same file for similar
> > validation (e.g., `validate_and_copy_check_pkt_len()` function). 4.
> > **Low Risk:** This is a small, contained change that only affects input
> > validation - it doesn't change functionality or introduce new features.
> > The change is defensive and follows existing patterns in the codebase.
> > 5. **Similar Precedent:** This commit is very similar to the validated
> > "Similar Commit #2" which was marked for backporting (status: YES). That
> > commit also dealt with netlink attribute validation safety in
> > openvswitch (`validate_set()` function) and was considered suitable for
> > stable trees. 6. **Critical Subsystem:** Open vSwitch is a critical
> > networking component used in virtualization and container environments.
> > Input validation issues in this subsystem could potentially be exploited
> > for privilege escalation or denial of service. 7. **Clear Intent:** The
> > commit message explicitly states this "enhances robustness" and ensures
> > "only fully validated attributes are copied for later use," indicating
> > this is a defensive security improvement. **Risk Assessment:** - Very
> > low regression risk - No API changes - Only affects error handling paths
> > - Follows established validation patterns in the same codebase This
> > commit fits perfectly into the stable tree criteria: it's an important
> > security/robustness fix, has minimal risk of regression, is well-
> > contained, and addresses a clear validation vulnerability in a critical
> > kernel subsystem.
>
> This change is one of two patches created for userspace action. With an
> intentional split - one for net and one for net-next First one was the
> actual fix that addressed a real bug:
> 6beb6835c1fb ("openvswitch: Fix unsafe attribute parsing in output_userspace()")
> https://lore.kernel.org/netdev/0bd65949df61591d9171c0dc13e42cea8941da10.1746541734.git.echaudro@redhat.com/
>
> This second change (this patch) was intended for -next only as it doesn't
> fix any real issue, but affects uAPI, and so should NOT be backported.
Why would you break the user api in a newer kernel? That feels wrong,
as any change should be able to be backported without any problems.
If this is a userspace break, why isn't it reverted?
confused,
greg k-h
next prev parent reply other threads:[~2025-06-04 8:03 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250604005049.4147522-1-sashal@kernel.org>
2025-06-04 0:48 ` [PATCH AUTOSEL 6.15 002/118] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Sasha Levin
2025-06-04 0:48 ` [PATCH AUTOSEL 6.15 003/118] tipc: use kfree_sensitive() for aead cleanup Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 009/118] emulex/benet: correct command version selection in be_cmd_get_stats() Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 029/118] net: phy: mediatek: do not require syscon compatible for pio property Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 035/118] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 036/118] tcp: remove zero TCP TS samples for autotuning Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 037/118] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 038/118] tcp: add receive queue awareness in tcp_rcv_space_adjust() Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 040/118] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 041/118] net: page_pool: Don't recycle into cache " Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 042/118] xfrm: validate assignment of maximal possible SEQ number Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 043/118] net: phy: marvell-88q2xxx: Enable temperature measurement in probe again Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 044/118] openvswitch: Stricter validation for the userspace action Sasha Levin
2025-06-04 7:57 ` Ilya Maximets
2025-06-04 8:03 ` Greg KH [this message]
2025-06-04 8:19 ` Ilya Maximets
2025-06-04 8:28 ` Greg KH
2025-06-04 8:47 ` Ilya Maximets
2025-06-05 14:23 ` Jakub Kicinski
2025-06-05 14:45 ` Greg KH
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 045/118] net: atlantic: generate software timestamp just before the doorbell Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 048/118] bpf: Pass the same orig_call value to trampoline functions Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 049/118] net: stmmac: generate software timestamp just before the doorbell Sasha Levin
2025-06-04 0:49 ` [PATCH AUTOSEL 6.15 054/118] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 085/118] net: bridge: mcast: update multicast contex when vlan state is changed Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 086/118] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 088/118] bnxt_en: Remove unused field "ref_count" in struct bnxt_ulp Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 105/118] usbnet: asix AX88772: leave the carrier control to phylink Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 107/118] bpf, sockmap: Fix data lost during EAGAIN retries Sasha Levin
2025-06-04 0:50 ` [PATCH AUTOSEL 6.15 109/118] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025060449-arena-exceeding-a090@gregkh \
--to=greg@kroah.com \
--cc=aconole@redhat.com \
--cc=dev@openvswitch.org \
--cc=echaudro@redhat.com \
--cc=horms@kernel.org \
--cc=i.maximets@ovn.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox