Netdev List
 help / color / mirror / Atom feed
From: Eelco Chaudron <echaudro@redhat.com>
To: Paolo Valerio <pvalerio@redhat.com>
Cc: netdev@vger.kernel.org, dev@openvswitch.org,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	stable@vger.kernel.org
Subject: Re: [ovs-dev] [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
Date: Fri, 15 Apr 2022 12:25:53 +0200	[thread overview]
Message-ID: <B291EC2A-DC76-47F3-90E8-885699779FDF@redhat.com> (raw)
In-Reply-To: <165001012108.2147631.5880395764325229829.stgit@fed.void>



On 15 Apr 2022, at 10:08, Paolo Valerio wrote:

> Given a sufficiently large number of actions, while copying and
> reserving memory for a new action of a new flow, if next_offset is
> greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
> not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
> bytes increasing actions_len by req_size. This can then lead to an OOB
> write access, especially when further actions need to be copied.
>
> Fix it by rearranging the flow action size check.
>
> KASAN splat below:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
> Write of size 65360 at addr ffff888147e4001c by task handler15/836
>
> CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
> ...
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x45/0x5a
>  print_report.cold+0x5e/0x5db
>  ? __lock_text_start+0x8/0x8
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_report+0xb5/0x130
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_check_range+0xf5/0x1d0
>  memcpy+0x39/0x60
>  reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  __add_action+0x24/0x120 [openvswitch]
>  ovs_nla_add_action+0xe/0x20 [openvswitch]
>  ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
>  ? __kernel_text_address+0xe/0x30
>  ? unwind_get_return_address+0x56/0xa0
>  ? create_prof_cpu_mask+0x20/0x20
>  ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
>  ? prep_compound_page+0x198/0x2a0
>  ? __kasan_check_byte+0x10/0x40
>  ? kasan_unpoison+0x40/0x70
>  ? ksize+0x44/0x60
>  ? reserve_sfa_size+0x75/0x380 [openvswitch]
>  __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
>  ? __zone_watermark_ok+0x420/0x420
>  ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
>  ? __alloc_pages+0x1a9/0x3e0
>  ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
>  ? unwind_next_frame+0x991/0x1e40
>  ? __mod_node_page_state+0x99/0x120
>  ? __mod_lruvec_page_state+0x2e3/0x470
>  ? __kasan_kmalloc_large+0x90/0xe0
>  ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
>  ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
>  ...
>
> Cc: stable@vger.kernel.org
> Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
> Signed-off-by: Paolo Valerio <pvalerio@redhat.com>

Change looks fine to me.

Acked-by: Eelco Chaudron <echaudro@redhat.com>

> ---
>  net/openvswitch/flow_netlink.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index 7176156d3844..4c09cf8a0ab2 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
>  	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
>
>  	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
> -		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
> +		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
>  			OVS_NLERR(log, "Flow action size exceeds max %u",
>  				  MAX_ACTIONS_BUFSIZE);
>  			return ERR_PTR(-EMSGSIZE);
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev


  reply	other threads:[~2022-04-15 10:26 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-15  8:08 [PATCH] openvswitch: fix OOB access in reserve_sfa_size() Paolo Valerio
2022-04-15 10:25 ` Eelco Chaudron [this message]
2022-04-15 11:00 ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=B291EC2A-DC76-47F3-90E8-885699779FDF@redhat.com \
    --to=echaudro@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dev@openvswitch.org \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pvalerio@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox