diff mbox series

[ovs-dev] openvswitch: fix OOB access in reserve_sfa_size()

Message ID 165001012108.2147631.5880395764325229829.stgit@fed.void
State Awaiting Upstream
Headers show
Series [ovs-dev] openvswitch: fix OOB access in reserve_sfa_size() | expand

Checks

Context Check Description
ovsrobot/intel-ovs-compilation fail test: fail

Commit Message

Paolo Valerio April 15, 2022, 8:08 a.m. UTC
Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.

Fix it by rearranging the flow action size check.

KASAN splat below:

==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836

CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x5a
 print_report.cold+0x5e/0x5db
 ? __lock_text_start+0x8/0x8
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_report+0xb5/0x130
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_check_range+0xf5/0x1d0
 memcpy+0x39/0x60
 reserve_sfa_size+0x1ba/0x380 [openvswitch]
 __add_action+0x24/0x120 [openvswitch]
 ovs_nla_add_action+0xe/0x20 [openvswitch]
 ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
 ? __kernel_text_address+0xe/0x30
 ? unwind_get_return_address+0x56/0xa0
 ? create_prof_cpu_mask+0x20/0x20
 ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
 ? prep_compound_page+0x198/0x2a0
 ? __kasan_check_byte+0x10/0x40
 ? kasan_unpoison+0x40/0x70
 ? ksize+0x44/0x60
 ? reserve_sfa_size+0x75/0x380 [openvswitch]
 __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
 ? __zone_watermark_ok+0x420/0x420
 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
 ? __alloc_pages+0x1a9/0x3e0
 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
 ? unwind_next_frame+0x991/0x1e40
 ? __mod_node_page_state+0x99/0x120
 ? __mod_lruvec_page_state+0x2e3/0x470
 ? __kasan_kmalloc_large+0x90/0xe0
 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
 ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
 ...

Cc: stable@vger.kernel.org
Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
---
 net/openvswitch/flow_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Eelco Chaudron April 15, 2022, 10:25 a.m. UTC | #1
On 15 Apr 2022, at 10:08, Paolo Valerio wrote:

> Given a sufficiently large number of actions, while copying and
> reserving memory for a new action of a new flow, if next_offset is
> greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
> not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
> bytes increasing actions_len by req_size. This can then lead to an OOB
> write access, especially when further actions need to be copied.
>
> Fix it by rearranging the flow action size check.
>
> KASAN splat below:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
> Write of size 65360 at addr ffff888147e4001c by task handler15/836
>
> CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
> ...
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x45/0x5a
>  print_report.cold+0x5e/0x5db
>  ? __lock_text_start+0x8/0x8
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_report+0xb5/0x130
>  ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  kasan_check_range+0xf5/0x1d0
>  memcpy+0x39/0x60
>  reserve_sfa_size+0x1ba/0x380 [openvswitch]
>  __add_action+0x24/0x120 [openvswitch]
>  ovs_nla_add_action+0xe/0x20 [openvswitch]
>  ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
>  ? __kernel_text_address+0xe/0x30
>  ? unwind_get_return_address+0x56/0xa0
>  ? create_prof_cpu_mask+0x20/0x20
>  ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
>  ? prep_compound_page+0x198/0x2a0
>  ? __kasan_check_byte+0x10/0x40
>  ? kasan_unpoison+0x40/0x70
>  ? ksize+0x44/0x60
>  ? reserve_sfa_size+0x75/0x380 [openvswitch]
>  __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
>  ? __zone_watermark_ok+0x420/0x420
>  ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
>  ? __alloc_pages+0x1a9/0x3e0
>  ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
>  ? unwind_next_frame+0x991/0x1e40
>  ? __mod_node_page_state+0x99/0x120
>  ? __mod_lruvec_page_state+0x2e3/0x470
>  ? __kasan_kmalloc_large+0x90/0xe0
>  ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
>  ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
>  ...
>
> Cc: stable@vger.kernel.org
> Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
> Signed-off-by: Paolo Valerio <pvalerio@redhat.com>

Change looks fine to me.

Acked-by: Eelco Chaudron <echaudro@redhat.com>

> ---
>  net/openvswitch/flow_netlink.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index 7176156d3844..4c09cf8a0ab2 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
>  	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
>
>  	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
> -		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
> +		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
>  			OVS_NLERR(log, "Flow action size exceeds max %u",
>  				  MAX_ACTIONS_BUFSIZE);
>  			return ERR_PTR(-EMSGSIZE);
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
patchwork-bot+netdevbpf@kernel.org April 15, 2022, 11 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Fri, 15 Apr 2022 10:08:41 +0200 you wrote:
> Given a sufficiently large number of actions, while copying and
> reserving memory for a new action of a new flow, if next_offset is
> greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
> not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
> bytes increasing actions_len by req_size. This can then lead to an OOB
> write access, especially when further actions need to be copied.
> 
> [...]

Here is the summary with links:
  - openvswitch: fix OOB access in reserve_sfa_size()
    https://git.kernel.org/netdev/net/c/cefa91b2332d

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 7176156d3844..4c09cf8a0ab2 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2465,7 +2465,7 @@  static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
 	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
 
 	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
-		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
 			OVS_NLERR(log, "Flow action size exceeds max %u",
 				  MAX_ACTIONS_BUFSIZE);
 			return ERR_PTR(-EMSGSIZE);