From patchwork Fri Apr 5 07:31:53 2019
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1078114
From: Andrea Righi
To: kernel-team@lists.ubuntu.com
Subject: [SRU] [X/B/C/D] [PATCH v2 1/1] openvswitch: fix flow actions reallocation
Date: Fri, 5 Apr 2019 09:31:53 +0200
Message-Id: <20190405073153.22320-2-andrea.righi@canonical.com>
In-Reply-To: <20190405073153.22320-1-andrea.righi@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1813244

The flow action buffer can be resized if it's not big enough to contain
all the requested flow actions. However, this resize doesn't take into
account the new requested size; the buffer is only increased by a factor
of 2x. This might not be enough to contain the new data, causing a
buffer overflow, for example:

[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------
[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ

Fix by making sure the new buffer is properly resized to contain all
the requested data.

BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi
Acked-by: Pravin B Shelar
Signed-off-by: David S. Miller
(cherry picked from commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb)
Signed-off-by: Andrea Righi
Acked-by: Juerg Haefliger
Acked-by: Colin Ian King
---
 net/openvswitch/flow_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 691da853bef5..4bdf5e3ac208 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, struct sw_flow_actions *acts; int new_acts_size; - int req_size = NLA_ALIGN(attr_len); + size_t req_size = NLA_ALIGN(attr_len); int next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len; if (req_size <= (ksize(*sfa) - next_offset)) goto out; - new_acts_size = ksize(*sfa) * 2; + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
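Review bot: changing `req_size` from `int` to `size_t` turns the unchanged inner check `if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)` into a signed-versus-unsigned comparison: if `next_offset` could ever exceed MAX_ACTIONS_BUFSIZE, the negative left side would convert to a large unsigned value and the check would no longer trigger, so the invariant `next_offset <= MAX_ACTIONS_BUFSIZE` should be confirmed (or the left side bounded) before relying on it. The type change itself is needed rather than cosmetic, because the kernel's max() rejects operands of different types and `next_offset + req_size` only acquires the `size_t` type of `ksize(*sfa) * 2` once `req_size` is `size_t`; the commit message describes only the growth-factor fix, so a one-line note explaining the type change would keep a future reader from treating it as a stray cleanup. Note also that `new_acts_size` stays `int` and receives the `size_t` result of max(); the immediately following `if (new_acts_size > MAX_ACTIONS_BUFSIZE)` bounds it, so the narrowing is harmless as long as that check keeps preceding the allocation.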
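A constructed C model of the growth decision the commit message describes, added here as an example (not the kernel's or the patch's own code): `new_size_old` reproduces the blind doubling, `new_size_fixed` the max() form from the hunk, and `would_overflow` checks whether the copy stays inside the object. ksize() is replaced by a tracked capacity, MAX_ACTIONS_BUFSIZE is left out, and the 8-byte header, 12-byte actions length and 200-byte attribute are made-up values; only the 96-byte object size comes from the kmalloc-96 report above.

```c
/*
 * Constructed model of the growth decision in reserve_sfa_size() (added
 * example, not the kernel's code).  ksize() becomes a tracked capacity and
 * MAX_ACTIONS_BUFSIZE is omitted; sample values are made up, except the
 * 96-byte object size, which comes from the kmalloc-96 report above.
 */
#include <stdbool.h>
#include <stddef.h>
#define NLA_ALIGNTO 4   /* netlink attributes are padded to 4 bytes */
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(size_t)(NLA_ALIGNTO - 1))

struct model_sfa {
    size_t header;       /* stands in for offsetof(struct sw_flow_actions, actions) */
    size_t actions_len;  /* bytes already stored; header + actions_len <= capacity */
    size_t capacity;     /* stands in for ksize(*sfa) */
};

static size_t max_size(size_t a, size_t b) { return a > b ? a : b; }
/* Allocation size chosen by the old code: it doubles and ignores the request. */
static size_t new_size_old(const struct model_sfa *s, size_t attr_len)
{
    size_t req_size = NLA_ALIGN(attr_len);
    size_t next_offset = s->header + s->actions_len;
    if (req_size <= s->capacity - next_offset)
        return s->capacity;           /* fits, no reallocation */
    return s->capacity * 2;
}

/* Allocation size chosen by the fixed code: never below what the copy needs. */
static size_t new_size_fixed(const struct model_sfa *s, size_t attr_len)
{
    size_t req_size = NLA_ALIGN(attr_len);
    size_t next_offset = s->header + s->actions_len;
    if (req_size <= s->capacity - next_offset)
        return s->capacity;
    return max_size(next_offset + req_size, s->capacity * 2);
}

/* True when copying the aligned attribute at next_offset would run past new_size. */
static bool would_overflow(const struct model_sfa *s, size_t attr_len, size_t new_size)
{
    return s->header + s->actions_len + NLA_ALIGN(attr_len) > new_size;
}
/* Constructed scenario: 96-byte object, 8-byte header, 12 bytes of actions stored. */
static const struct model_sfa sample = { 8, 12, 96 };
/* A 200-byte attribute: doubling to 192 bytes leaves the last 28 bytes outside the object. */
static bool fix_prevents_overflow(void)
{
    return would_overflow(&sample, 200, new_size_old(&sample, 200)) &&
           !would_overflow(&sample, 200, new_size_fixed(&sample, 200));
}
```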