From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Eelco Chaudron <echaudro@redhat.com>,
Simon Horman <horms@kernel.org>,
Ilya Maximets <i.maximets@ovn.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
aconole@redhat.com, netdev@vger.kernel.org, dev@openvswitch.org
Subject: [PATCH AUTOSEL 6.1 19/46] openvswitch: Stricter validation for the userspace action
Date: Tue, 3 Jun 2025 21:03:37 -0400 [thread overview]
Message-ID: <20250604010404.5109-19-sashal@kernel.org> (raw)
In-Reply-To: <20250604010404.5109-1-sashal@kernel.org>
From: Eelco Chaudron <echaudro@redhat.com>
[ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ]
This change enhances the robustness of validate_userspace() by ensuring
that all Netlink attributes are fully contained within the parent
attribute. The previous use of nla_parse_nested_deprecated() could
silently skip trailing or malformed attributes, as it stops parsing at
the first invalid entry.
By switching to nla_parse_deprecated_strict(), we make sure only fully
validated attributes are copied for later use.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
**YES** This commit should be backported to stable kernel trees. ##
Analysis **Commit Overview:** The commit changes `validate_userspace()`
function in `net/openvswitch/flow_netlink.c` by replacing
`nla_parse_nested_deprecated()` with `nla_parse_deprecated_strict()` to
ensure stricter validation of Netlink attributes for the userspace
action. **Specific Code Changes:** The key change is on lines 3052-3054:
```c // Before: error = nla_parse_nested_deprecated(a,
OVS_USERSPACE_ATTR_MAX, attr, userspace_policy, NULL); // After: error =
nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, nla_data(attr),
nla_len(attr), userspace_policy, NULL); ``` **Why This Should Be
Backported:** 1. **Security Enhancement:** This commit addresses a
parsing vulnerability where malformed attributes could be silently
ignored. The original `nla_parse_nested_deprecated()` stops parsing at
the first invalid entry, potentially allowing trailing malformed data to
bypass validation. 2. **Robustness Fix:** The change ensures all netlink
attributes are fully contained within the parent attribute bounds,
preventing potential buffer over-reads or under-reads that could lead to
security issues. 3. **Pattern Consistency:** Looking at the git blame
output (lines 3085-3087), we can see that
`nla_parse_deprecated_strict()` was already introduced in 2019 by commit
8cb081746c031 and is used elsewhere in the same file for similar
validation (e.g., `validate_and_copy_check_pkt_len()` function). 4.
**Low Risk:** This is a small, contained change that only affects input
validation - it doesn't change functionality or introduce new features.
The change is defensive and follows existing patterns in the codebase.
5. **Similar Precedent:** This commit is very similar to the validated
"Similar Commit #2" which was marked for backporting (status: YES). That
commit also dealt with netlink attribute validation safety in
openvswitch (`validate_set()` function) and was considered suitable for
stable trees. 6. **Critical Subsystem:** Open vSwitch is a critical
networking component used in virtualization and container environments.
Input validation issues in this subsystem could potentially be exploited
for privilege escalation or denial of service. 7. **Clear Intent:** The
commit message explicitly states this "enhances robustness" and ensures
"only fully validated attributes are copied for later use," indicating
this is a defensive security improvement. **Risk Assessment:** - Very
low regression risk - No API changes - Only affects error handling paths
- Follows established validation patterns in the same codebase This
commit fits perfectly into the stable tree criteria: it's an important
security/robustness fix, has minimal risk of regression, is well-
contained, and addresses a clear validation vulnerability in a critical
kernel subsystem.
net/openvswitch/flow_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 0ed3953dbe529..38a7346fc895a 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -3033,7 +3033,8 @@ static int validate_userspace(const struct nlattr *attr)
struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
int error;
- error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
+ error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX,
+ nla_data(attr), nla_len(attr),
userspace_policy, NULL);
if (error)
return error;
--
2.39.5
next prev parent reply other threads:[~2025-06-04 1:04 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-04 1:03 [PATCH AUTOSEL 6.1 01/46] net: macb: Check return value of dma_set_mask_and_coherent() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 02/46] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 03/46] tipc: use kfree_sensitive() for aead cleanup Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 04/46] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 05/46] i2c: designware: Invoke runtime suspend on quick slave re-registration Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 06/46] emulex/benet: correct command version selection in be_cmd_get_stats() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 07/46] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 08/46] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 09/46] sctp: Do not wake readers in __sctp_write_space() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 10/46] cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 11/46] i2c: tegra: check msg length in SMBUS block read Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 12/46] i2c: npcm: Add clock toggle recovery Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 13/46] net: dlink: add synchronization for stats update Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 14/46] wifi: ath11k: Fix QMI memory reuse logic Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 15/46] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 16/46] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 17/46] x86/sgx: Prevent attempts to reclaim poisoned pages Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 18/46] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Sasha Levin
2025-06-04 1:03 ` Sasha Levin [this message]
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 20/46] net: atlantic: generate software timestamp just before the doorbell Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 21/46] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 22/46] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 23/46] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 24/46] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 25/46] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 26/46] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 27/46] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 28/46] wifi: mac80211: do not offer a mesh path if forwarding is disabled Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 29/46] bpftool: Fix cgroup command to only show cgroup bpf programs Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 30/46] clk: rockchip: rk3036: mark ddrphy as critical Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 31/46] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 32/46] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 33/46] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 34/46] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 35/46] net: bridge: mcast: update multicast contex when vlan state is changed Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 36/46] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 37/46] vxlan: Do not treat dst cache initialization errors as fatal Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 38/46] software node: Correct a OOB check in software_node_get_reference_args() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 39/46] pinctrl: mcp23s08: Reset all pins to input at probe Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 40/46] scsi: lpfc: Use memcpy() for BIOS version Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 41/46] sock: Correct error checking condition for (assign|release)_proto_idx() Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 42/46] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 43/46] ice: fix check for existing switch rule Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 44/46] bpf, sockmap: Fix data lost during EAGAIN retries Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 45/46] net: ethernet: cortina: Use TOE/TSO on all TCP Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 46/46] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250604010404.5109-19-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aconole@redhat.com \
--cc=dev@openvswitch.org \
--cc=echaudro@redhat.com \
--cc=horms@kernel.org \
--cc=i.maximets@ovn.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox