From patchwork Wed Apr 10 22:50:22 2019
X-Patchwork-Submitter: Gregory Rose
X-Patchwork-Id: 1083661
From: Greg Rose
To: dev@openvswitch.org
Cc: james.page@canonical.com, Andrea Righi, juerg.haefliger@canonical.com
Date: Wed, 10 Apr 2019 15:50:22 -0700
Message-Id: <1554936622-4811-1-git-send-email-gvrose8192@gmail.com>
Subject: [ovs-dev] [PATCH] datapath: fix flow actions reallocation
From: Andrea Righi

Upstream commit:

commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb
Author: Andrea Righi
Date:   Thu Mar 28 07:36:00 2019 +0100

    openvswitch: fix flow actions reallocation

    The flow action buffer can be resized if it's not big enough to contain
    all the requested flow actions. However, this resize doesn't take into
    account the new requested size; the buffer is only increased by a factor
    of 2x. This might not be enough to contain the new data, causing a
    buffer overflow, for example:

    [   42.044472] =============================================================================
    [   42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
    [   42.046415] -----------------------------------------------------------------------------
    [   42.047715] Disabling lock debugging due to kernel taint
    [   42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
    [   42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
    [   42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
    [   42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
    [   42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
    [   42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
    [   42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
    [   42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
    [   42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ

    Fix by making sure the new buffer is properly resized to contain all
    the requested data.

    BugLink: https://bugs.launchpad.net/bugs/1813244
    Signed-off-by: Andrea Righi
    Acked-by: Pravin B Shelar
    Signed-off-by: David S. Miller

Cc: Andrea Righi
Signed-off-by: Greg Rose
Acked-by: William Tu
---
 datapath/flow_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
index e5e469a..13e6e33 100644
--- a/datapath/flow_netlink.c
+++ b/datapath/flow_netlink.c
@@ -2311,14 +2311,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, struct sw_flow_actions *acts; int new_acts_size; - int req_size = NLA_ALIGN(attr_len); + size_t req_size = NLA_ALIGN(attr_len); int next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len; if (req_size <= (ksize(*sfa) - next_offset)) goto out; - new_acts_size = ksize(*sfa) * 2; + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
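Review bot: `new_acts_size` is still declared `int` while the new right-hand side `max(next_offset + req_size, ksize(*sfa) * 2)` evaluates to `size_t` (`req_size` is now `size_t` and `ksize()` returns `size_t`), so the assignment narrows silently and the following `new_acts_size > MAX_ACTIONS_BUFSIZE` comparison mixes types; changing the declaration in the same hunk to `size_t new_acts_size;` keeps the whole computation in one type. A short comment above the `max()` line recording why doubling alone is wrong (the request can exceed twice the current `ksize()`, which is the redzone overwrite in the commit message) would keep the reason for the fix next to the code.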
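The commit message describes the defect as a growth step that doubles the buffer without consulting the size of the request. The following C model is an added example and is not Open vSwitch or kernel code: `actions_buf`, `grow_double()`, `grow_fit()`, `reserve()`, the return codes and the 96-byte starting size (chosen to echo the kmalloc-96 slab in the report) are all assumptions standing in for `struct sw_flow_actions`, `ksize()` and the real error paths. It runs the same two-step request against both growth policies and shows that the pre-fix policy hands back a buffer smaller than the data about to be copied, which the model reports as an error instead of writing past the end.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit, named after the macro in the patch; not the OVS value. */
#define MAX_ACTIONS_BUFSIZE (32 * 1024)
#define NLA_ALIGNTO 4   /* netlink attribute alignment */
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* Hypothetical stand-in for struct sw_flow_actions plus ksize(). */
struct actions_buf {
    size_t alloc_size;    /* usable bytes in data (plays the role of ksize(*sfa)) */
    size_t actions_len;   /* bytes already occupied by actions */
    unsigned char *data;
};

int buf_init(struct actions_buf *b, size_t size)
{
    b->data = calloc(size, 1);
    b->alloc_size = size;
    b->actions_len = 0;
    return b->data ? 0 : -1;
}

void buf_free(struct actions_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->alloc_size = b->actions_len = 0;
}

/* Pre-fix policy: double the buffer without looking at the request. */
size_t grow_double(size_t cur_size, size_t next_offset, size_t req_size)
{
    (void)next_offset;
    (void)req_size;
    return cur_size * 2;
}

/* Post-fix policy: never smaller than what the request actually needs. */
size_t grow_fit(size_t cur_size, size_t next_offset, size_t req_size)
{
    size_t need = next_offset + req_size;
    return need > cur_size * 2 ? need : cur_size * 2;
}

/* Reserve attr_len bytes at the tail of the buffer using the given policy.
 * Returns 0 on success, -1 when the request cannot fit under the limit or
 * allocation fails, and -2 when the policy produced a buffer that is still
 * too small: the state that overwrote the slab redzone in the report. */
int reserve(struct actions_buf *b, size_t attr_len,
            size_t (*policy)(size_t, size_t, size_t))
{
    size_t req_size = NLA_ALIGN(attr_len);
    size_t next_offset = b->actions_len;
    size_t new_size;
    unsigned char *grown;

    if (req_size <= b->alloc_size - next_offset)
        goto out;

    new_size = policy(b->alloc_size, next_offset, req_size);
    if (new_size > MAX_ACTIONS_BUFSIZE) {
        if (MAX_ACTIONS_BUFSIZE - next_offset < req_size)
            return -1;
        new_size = MAX_ACTIONS_BUFSIZE;
    }
    /* A sound policy always satisfies this; the doubling policy does not. */
    if (new_size < next_offset + req_size)
        return -2;

    grown = realloc(b->data, new_size);
    if (!grown)
        return -1;
    b->data = grown;
    b->alloc_size = new_size;
out:
    memset(b->data + next_offset, 0, req_size);   /* the write that must fit */
    b->actions_len = next_offset + req_size;
    return 0;
}

/* Constructed scenario: a 96-byte buffer takes a small action, then one
 * larger than twice the buffer (312 bytes needed, doubling yields 192). */
int grow_scenario(size_t (*policy)(size_t, size_t, size_t))
{
    struct actions_buf b;
    int rc;

    if (buf_init(&b, 96) != 0)
        return -1;
    rc = reserve(&b, 12, policy);
    if (rc == 0)
        rc = reserve(&b, 300, policy);
    buf_free(&b);
    return rc;
}

/* A request that cannot fit under MAX_ACTIONS_BUFSIZE is rejected, not grown. */
int limit_scenario(void)
{
    struct actions_buf b;
    int rc;

    if (buf_init(&b, 96) != 0)
        return -1;
    rc = reserve(&b, MAX_ACTIONS_BUFSIZE + 8, grow_fit);
    buf_free(&b);
    return rc;
}
```

`grow_scenario(grow_double)` returns -2 and `grow_scenario(grow_fit)` returns 0 for the same input, which is the whole difference the one-line `max()` change makes; the explicit size check before the copy is what a defensive implementation adds so that a wrong growth policy fails loudly rather than corrupting the neighbouring slab object.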