[PATCH 4.14 25/43] openvswitch: fix OOB access in reserve_sfa_size()

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Paolo Valerio <pvalerio@redhat.com>,
	Eelco Chaudron <echaudro@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 25/43] openvswitch: fix OOB access in reserve_sfa_size()
Date: Tue, 26 Apr 2022 10:21:07 +0200	[thread overview]
Message-ID: <20220426081735.261088738@linuxfoundation.org> (raw)
In-Reply-To: <20220426081734.509314186@linuxfoundation.org>

From: Paolo Valerio <pvalerio@redhat.com>

commit cefa91b2332d7009bc0be5d951d6cbbf349f90f8 upstream.

Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.

Fix it by rearranging the flow action size check.

KASAN splat below:

==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836

CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x5a
 print_report.cold+0x5e/0x5db
 ? __lock_text_start+0x8/0x8
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_report+0xb5/0x130
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_check_range+0xf5/0x1d0
 memcpy+0x39/0x60
 reserve_sfa_size+0x1ba/0x380 [openvswitch]
 __add_action+0x24/0x120 [openvswitch]
 ovs_nla_add_action+0xe/0x20 [openvswitch]
 ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
 ? __kernel_text_address+0xe/0x30
 ? unwind_get_return_address+0x56/0xa0
 ? create_prof_cpu_mask+0x20/0x20
 ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
 ? prep_compound_page+0x198/0x2a0
 ? __kasan_check_byte+0x10/0x40
 ? kasan_unpoison+0x40/0x70
 ? ksize+0x44/0x60
 ? reserve_sfa_size+0x75/0x380 [openvswitch]
 __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
 ? __zone_watermark_ok+0x420/0x420
 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
 ? __alloc_pages+0x1a9/0x3e0
 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
 ? unwind_next_frame+0x991/0x1e40
 ? __mod_node_page_state+0x99/0x120
 ? __mod_lruvec_page_state+0x2e3/0x470
 ? __kasan_kmalloc_large+0x90/0xe0
 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
 ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
 ...

Cc: stable@vger.kernel.org
Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/flow_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -1977,7 +1977,7 @@ static struct nlattr *reserve_sfa_size(s
 	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
 
 	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
-		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
 			OVS_NLERR(log, "Flow action size exceeds max %u",
 				  MAX_ACTIONS_BUFSIZE);
 			return ERR_PTR(-EMSGSIZE);

next prev parent reply	other threads:[~2022-04-26  8:28 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-26  8:20 [PATCH 4.14 00/43] 4.14.277-rc1 review Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 01/43] etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 02/43] mm: page_alloc: fix building error on -Werror=array-compare Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 03/43] tracing: Have traceon and traceoff trigger honor the instance Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 04/43] tracing: Dump stacktrace trigger to the corresponding instance Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 05/43] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 06/43] gfs2: assign rgrp glock before compute_bitstructs Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 07/43] ALSA: usb-audio: Clear MIDI port active flag after draining Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 08/43] tcp: fix race condition when creating child sockets from syncookies Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 09/43] tcp: Fix potential use-after-free due to double kfree() Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 10/43] dmaengine: imx-sdma: Fix error checking in sdma_event_remap Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 11/43] net/packet: fix packet_sock xmit return value checking Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 12/43] netlink: reset network and mac headers in netlink_dump() Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 13/43] ARM: vexpress/spc: Avoid negative array index when !SMP Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 14/43] platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 15/43] ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 16/43] vxlan: fix error return code in vxlan_fdb_append Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 17/43] cifs: Check the IOCB_DIRECT flag, not O_DIRECT Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 18/43] brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 19/43] drm/msm/mdp5: check the return of kzalloc() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 20/43] net: macb: Restart tx only if queue pointer is lagging Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 21/43] stat: fix inconsistency between struct stat and struct compat_stat Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 22/43] ata: pata_marvell: Check the bmdma_addr beforing reading Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 23/43] dma: at_xdmac: fix a missing check on list iterator Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 24/43] powerpc/perf: Fix power9 event alternatives Greg Kroah-Hartman
2022-04-26  8:21 ` Greg Kroah-Hartman [this message]
2022-04-26  8:21 ` [PATCH 4.14 26/43] ASoC: soc-dapm: fix two incorrect uses of list iterator Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 27/43] e1000e: Fix possible overflow in LTR decoding Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 28/43] ARC: entry: fix syscall_trace_exit argument Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 29/43] ext4: fix symlink file size not match to file content Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 30/43] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 31/43] ext4: fix overhead calculation to account for the reserved gdt blocks Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 32/43] ext4: force overhead calculation if the s_overhead_cluster makes no sense Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 33/43] staging: ion: Prevent incorrect reference counting behavour Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 34/43] block/compat_ioctl: fix range check in BLKGETSIZE Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 35/43] ax25: add refcount in ax25_dev to avoid UAF bugs Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 36/43] ax25: fix reference count leaks of ax25_dev Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 37/43] ax25: fix UAF bugs of net_device caused by rebinding operation Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 38/43] ax25: Fix refcount leaks caused by ax25_cb_del() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 39/43] ax25: fix UAF bug in ax25_send_control() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 40/43] ax25: fix NPD bug in ax25_disconnect Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 41/43] ax25: Fix NULL pointer dereferences in ax25 timers Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 42/43] ax25: Fix UAF bugs " Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 43/43] Revert "net: micrel: fix KS8851_MLL Kconfig" Greg Kroah-Hartman
2022-04-26 16:20 ` [PATCH 4.14 00/43] 4.14.277-rc1 review Jon Hunter
2022-04-26 20:11 ` Guenter Roeck
2022-04-27  8:52 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220426081735.261088738@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=echaudro@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pvalerio@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox