Re: Patch "openvswitch: Stricter validation for the userspace action" has been added to the 6.15-stable tree

Re: Patch "openvswitch: Stricter validation for the userspace action" has been added to the 6.15-stable tree

[Ilya Maximets]

On 6/20/25 4:32 AM, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
> 
>     openvswitch: Stricter validation for the userspace action
> 
> to the 6.15-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      openvswitch-stricter-validation-for-the-userspace-ac.patch
> and it can be found in the queue-6.15 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.

FWIW, backporting of this change was previously discussed here:
  https://lore.kernel.org/netdev/2025060520-slacking-swimmer-1b31@gregkh/

With the conclusion to drop it as it's not a bug fix and hence there is
no reason to backport it.

Best regards, Ilya Maximets.

> 
> 
> 
> commit 77c2ef6608f0cb47cbcc0d3e0a4371e35f70e125
> Author: Eelco Chaudron <echaudro@redhat.com>
> Date:   Mon May 12 10:08:24 2025 +0200
> 
>     openvswitch: Stricter validation for the userspace action
>     
>     [ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ]
>     
>     This change enhances the robustness of validate_userspace() by ensuring
>     that all Netlink attributes are fully contained within the parent
>     attribute. The previous use of nla_parse_nested_deprecated() could
>     silently skip trailing or malformed attributes, as it stops parsing at
>     the first invalid entry.
>     
>     By switching to nla_parse_deprecated_strict(), we make sure only fully
>     validated attributes are copied for later use.
>     
>     Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
>     Reviewed-by: Simon Horman <horms@kernel.org>
>     Acked-by: Ilya Maximets <i.maximets@ovn.org>
>     Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com
>     Signed-off-by: Jakub Kicinski <kuba@kernel.org>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>
> 
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index 518be23e48ea9..ad64bb9ab5e25 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -3049,7 +3049,8 @@ static int validate_userspace(const struct nlattr *attr)
>  	struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
>  	int error;
>  
> -	error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
> +	error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX,
> +					    nla_data(attr), nla_len(attr),
>  					    userspace_policy, NULL);
>  	if (error)
>  		return error;

Re: Patch "openvswitch: Stricter validation for the userspace action" has been added to the 6.15-stable tree

[Sasha Levin]

On Fri, Jun 20, 2025 at 10:04:44AM +0200, Ilya Maximets wrote:
>On 6/20/25 4:32 AM, Sasha Levin wrote:
>> This is a note to let you know that I've just added the patch titled
>>
>>     openvswitch: Stricter validation for the userspace action
>>
>> to the 6.15-stable tree which can be found at:
>>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>>
>> The filename of the patch is:
>>      openvswitch-stricter-validation-for-the-userspace-ac.patch
>> and it can be found in the queue-6.15 subdirectory.
>>
>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let <stable@vger.kernel.org> know about it.
>
>FWIW, backporting of this change was previously discussed here:
>  https://lore.kernel.org/netdev/2025060520-slacking-swimmer-1b31@gregkh/
>
>With the conclusion to drop it as it's not a bug fix and hence there is
>no reason to backport it.

Dropped, thanks!

-- 
Thanks,
Sasha