Message ID | 165001012108.2147631.5880395764325229829.stgit@fed.void |
---|---|
State | Awaiting Upstream |
Headers | show |
Series | [ovs-dev] openvswitch: fix OOB access in reserve_sfa_size() | expand |
Context | Check | Description |
---|---|---|
ovsrobot/intel-ovs-compilation | fail | test: fail |
On 15 Apr 2022, at 10:08, Paolo Valerio wrote: > Given a sufficiently large number of actions, while copying and > reserving memory for a new action of a new flow, if next_offset is > greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does > not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE > bytes increasing actions_len by req_size. This can then lead to an OOB > write access, especially when further actions need to be copied. > > Fix it by rearranging the flow action size check. > > KASAN splat below: > > ================================================================== > BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch] > Write of size 65360 at addr ffff888147e4001c by task handler15/836 > > CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27 > ... > Call Trace: > <TASK> > dump_stack_lvl+0x45/0x5a > print_report.cold+0x5e/0x5db > ? __lock_text_start+0x8/0x8 > ? reserve_sfa_size+0x1ba/0x380 [openvswitch] > kasan_report+0xb5/0x130 > ? reserve_sfa_size+0x1ba/0x380 [openvswitch] > kasan_check_range+0xf5/0x1d0 > memcpy+0x39/0x60 > reserve_sfa_size+0x1ba/0x380 [openvswitch] > __add_action+0x24/0x120 [openvswitch] > ovs_nla_add_action+0xe/0x20 [openvswitch] > ovs_ct_copy_action+0x29d/0x1130 [openvswitch] > ? __kernel_text_address+0xe/0x30 > ? unwind_get_return_address+0x56/0xa0 > ? create_prof_cpu_mask+0x20/0x20 > ? ovs_ct_verify+0xf0/0xf0 [openvswitch] > ? prep_compound_page+0x198/0x2a0 > ? __kasan_check_byte+0x10/0x40 > ? kasan_unpoison+0x40/0x70 > ? ksize+0x44/0x60 > ? reserve_sfa_size+0x75/0x380 [openvswitch] > __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch] > ? __zone_watermark_ok+0x420/0x420 > ? validate_set.constprop.0+0xc90/0xc90 [openvswitch] > ? __alloc_pages+0x1a9/0x3e0 > ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0 > ? unwind_next_frame+0x991/0x1e40 > ? __mod_node_page_state+0x99/0x120 > ? __mod_lruvec_page_state+0x2e3/0x470 > ? __kasan_kmalloc_large+0x90/0xe0 > ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch] > ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch] > ... > > Cc: stable@vger.kernel.org > Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation") > Signed-off-by: Paolo Valerio <pvalerio@redhat.com> Change looks fine to me. Acked-by: Eelco Chaudron <echaudro@redhat.com> > --- > net/openvswitch/flow_netlink.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c > index 7176156d3844..4c09cf8a0ab2 100644 > --- a/net/openvswitch/flow_netlink.c > +++ b/net/openvswitch/flow_netlink.c > @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, > new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); > > if (new_acts_size > MAX_ACTIONS_BUFSIZE) { > - if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { > + if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { > OVS_NLERR(log, "Flow action size exceeds max %u", > MAX_ACTIONS_BUFSIZE); > return ERR_PTR(-EMSGSIZE); > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Fri, 15 Apr 2022 10:08:41 +0200 you wrote: > Given a sufficiently large number of actions, while copying and > reserving memory for a new action of a new flow, if next_offset is > greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does > not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE > bytes increasing actions_len by req_size. This can then lead to an OOB > write access, especially when further actions need to be copied. > > [...] Here is the summary with links: - openvswitch: fix OOB access in reserve_sfa_size() https://git.kernel.org/netdev/net/c/cefa91b2332d You are awesome, thank you!
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 7176156d3844..4c09cf8a0ab2 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { - if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { + if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { OVS_NLERR(log, "Flow action size exceeds max %u", MAX_ACTIONS_BUFSIZE); return ERR_PTR(-EMSGSIZE);
Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, if next_offset is greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE bytes increasing actions_len by req_size. This can then lead to an OOB write access, especially when further actions need to be copied. Fix it by rearranging the flow action size check. KASAN splat below: ================================================================== BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch] Write of size 65360 at addr ffff888147e4001c by task handler15/836 CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x5a print_report.cold+0x5e/0x5db ? __lock_text_start+0x8/0x8 ? reserve_sfa_size+0x1ba/0x380 [openvswitch] kasan_report+0xb5/0x130 ? reserve_sfa_size+0x1ba/0x380 [openvswitch] kasan_check_range+0xf5/0x1d0 memcpy+0x39/0x60 reserve_sfa_size+0x1ba/0x380 [openvswitch] __add_action+0x24/0x120 [openvswitch] ovs_nla_add_action+0xe/0x20 [openvswitch] ovs_ct_copy_action+0x29d/0x1130 [openvswitch] ? __kernel_text_address+0xe/0x30 ? unwind_get_return_address+0x56/0xa0 ? create_prof_cpu_mask+0x20/0x20 ? ovs_ct_verify+0xf0/0xf0 [openvswitch] ? prep_compound_page+0x198/0x2a0 ? __kasan_check_byte+0x10/0x40 ? kasan_unpoison+0x40/0x70 ? ksize+0x44/0x60 ? reserve_sfa_size+0x75/0x380 [openvswitch] __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch] ? __zone_watermark_ok+0x420/0x420 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch] ? __alloc_pages+0x1a9/0x3e0 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0 ? unwind_next_frame+0x991/0x1e40 ? __mod_node_page_state+0x99/0x120 ? __mod_lruvec_page_state+0x2e3/0x470 ? __kasan_kmalloc_large+0x90/0xe0 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch] ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch] ... Cc: stable@vger.kernel.org Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation") Signed-off-by: Paolo Valerio <pvalerio@redhat.com> --- net/openvswitch/flow_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)