From patchwork Wed Sep 11 21:18:36 2019
X-Patchwork-Submitter: Yifeng Sun
X-Patchwork-Id: 1161298
From: Yifeng Sun
To: dev@openvswitch.org
Date: Wed, 11 Sep 2019 14:18:36 -0700
Message-Id: <1568236716-18105-10-git-send-email-pkusunyifeng@gmail.com>
In-Reply-To: <1568236716-18105-1-git-send-email-pkusunyifeng@gmail.com>
References: <1568236716-18105-1-git-send-email-pkusunyifeng@gmail.com>
Subject: [ovs-dev] [PATCH 10/10] conntrack: Validate accessing of conntrack data in pkt_metadata

Valgrind reported:

1305: ofproto-dpif - conntrack - ipv6
==26942== Conditional jump or move depends on uninitialised value(s)
==26942==    at 0x587C00: check_orig_tuple (conntrack.c:1006)
==26942==    by 0x587C00: process_one (conntrack.c:1141)
==26942==    by 0x587C00: conntrack_execute (conntrack.c:1220)
==26942==    by 0x47B00F: dp_execute_cb (dpif-netdev.c:7305)
==26942==    by 0x4AF756: odp_execute_actions (odp-execute.c:794)
==26942==    by 0x477532: dp_netdev_execute_actions (dpif-netdev.c:7349)
==26942==    by 0x477532: handle_packet_upcall (dpif-netdev.c:6630)
==26942==    by 0x477532: fast_path_processing (dpif-netdev.c:6726)
==26942==    by 0x47933C: dp_netdev_input__ (dpif-netdev.c:6814)
==26942==    by 0x479AB8: dp_netdev_input (dpif-netdev.c:6852)
==26942==    by 0x479AB8: dp_netdev_process_rxq_port (dpif-netdev.c:4287)
==26942==    by 0x47A6A9: dpif_netdev_run (dpif-netdev.c:5264)
==26942==    by 0x4324E7: type_run (ofproto-dpif.c:342)
==26942==    by 0x41C5FE: ofproto_type_run (ofproto.c:1734)
==26942==    by 0x40BAAC: bridge_run__ (bridge.c:2965)
==26942==    by 0x410CF3: bridge_run (bridge.c:3029)
==26942==    by 0x407614: main (ovs-vswitchd.c:127)
==26942==  Uninitialised value was created by a heap allocation
==26942==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26942==    by 0x532574: xmalloc (util.c:138)
==26942==    by 0x46CD62: dp_packet_new (dp-packet.c:153)
==26942==    by 0x4A0431: eth_from_flow_str (netdev-dummy.c:1644)
==26942==    by 0x4A0431: netdev_dummy_receive (netdev-dummy.c:1783)
==26942==    by 0x531990: process_command (unixctl.c:308)
==26942==    by 0x531990: run_connection (unixctl.c:342)
==26942==    by 0x531990: unixctl_server_run (unixctl.c:393)
==26942==    by 0x40761E: main (ovs-vswitchd.c:128)

1316: ofproto-dpif - conntrack - tcp port reuse
==24039== Conditional jump or move depends on uninitialised value(s)
==24039==    at 0x587BF5: check_orig_tuple (conntrack.c:1004)
==24039==    by 0x587BF5: process_one (conntrack.c:1141)
==24039==    by 0x587BF5: conntrack_execute (conntrack.c:1220)
==24039==    by 0x47B02F: dp_execute_cb (dpif-netdev.c:7306)
==24039==    by 0x4AF7A6: odp_execute_actions (odp-execute.c:794)
==24039==    by 0x47755B: dp_netdev_execute_actions (dpif-netdev.c:7350)
==24039==    by 0x47755B: handle_packet_upcall (dpif-netdev.c:6631)
==24039==    by 0x47755B: fast_path_processing (dpif-netdev.c:6727)
==24039==    by 0x47935C: dp_netdev_input__ (dpif-netdev.c:6815)
==24039==    by 0x479AD8: dp_netdev_input (dpif-netdev.c:6853)
==24039==    by 0x479AD8: dp_netdev_process_rxq_port (dpif-netdev.c:4287)
==24039==    by 0x47A6C9: dpif_netdev_run (dpif-netdev.c:5264)
==24039==    by 0x4324F7: type_run (ofproto-dpif.c:342)
==24039==    by 0x41C5FE: ofproto_type_run (ofproto.c:1734)
==24039==    by 0x40BAAC: bridge_run__ (bridge.c:2965)
==24039==    by 0x410CF3: bridge_run (bridge.c:3029)
==24039==    by 0x407614: main (ovs-vswitchd.c:127)
==24039==  Uninitialised value was created by a heap allocation
==24039==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24039==    by 0x5325C4: xmalloc (util.c:138)
==24039==    by 0x46D144: dp_packet_new (dp-packet.c:153)
==24039==    by 0x46D144: dp_packet_new_with_headroom (dp-packet.c:163)
==24039==    by 0x51191E: eth_from_hex (packets.c:498)
==24039==    by 0x4A03B9: eth_from_packet (netdev-dummy.c:1609)
==24039==    by 0x4A03B9: netdev_dummy_receive (netdev-dummy.c:1765)
==24039==    by 0x5319E0: process_command (unixctl.c:308)
==24039==    by 0x5319E0: run_connection (unixctl.c:342)
==24039==    by 0x5319E0: unixctl_server_run (unixctl.c:393)
==24039==    by 0x40761E: main (ovs-vswitchd.c:128)

According to comments in pkt_metadata_init(), conntrack data is valid only if pkt_metadata.ct_state != 0. This patch prevents check_orig_tuple() from getting called when conntrack data is uninitialized.

Signed-off-by: Yifeng Sun
Acked-by: William Tu
--- lib/conntrack.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index e5266e579452..86c16b2fbe77 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1138,7 +1138,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, handle_nat(pkt, conn, zone, ctx->reply, ctx->icmp_related); } - } else if (check_orig_tuple(ct, pkt, ctx, now, &conn, nat_action_info)) { + } else if (pkt->md.ct_state + && check_orig_tuple(ct, pkt, ctx, now, &conn, nat_action_info)) { create_new_conn = conn_update_state(ct, pkt, ctx, conn, now); } else { if (ctx->icmp_related) {
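Review bot: the new `pkt->md.ct_state &&` guard in the `else if` encodes an invariant (the conntrack fields of pkt_metadata are only initialized when ct_state != 0, per the pkt_metadata_init() comment) that is stated only in the commit message, so a one-line comment above the condition, along the lines of `/* ct fields past ct_state are valid only when ct_state != 0. */`, would keep that reasoning next to the code for the next person who touches check_orig_tuple(). The guard short-circuits the original-tuple lookup for every packet that has not yet been through conntrack, which is the intended effect, so the check worth doing before merge is that tests 1305 (conntrack - ipv6) and 1316 (conntrack - tcp port reuse) still pass and come back clean under `make check-valgrind`, since the Valgrind reports in the commit message are the only evidence the patch offers.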
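The contract the commit message leans on, as an added example in C that is not Open vSwitch code: per-packet metadata is zeroed only up to and including ct_state, the conntrack fields after it keep whatever the allocator left behind, and those fields may be read only once ct_state != 0. `struct pkt_md`, `md_init_cheap()`, `orig_tuple_matches()` and `lookup_guarded()` are hypothetical stand-ins for pkt_metadata, pkt_metadata_init(), check_orig_tuple() and the patched branch in process_one(); the 0xA5 fill and the sample tuple are constructed input.

```c
/* Added example, not Open vSwitch code. It models the partial-initialization
 * contract the patch depends on: zero the metadata only through ct_state,
 * leave the conntrack tail untouched, and never read that tail unless
 * ct_state != 0. All names below are hypothetical stand-ins for OVS ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ct_tuple {                   /* original 5-tuple recorded by conntrack */
    uint32_t src, dst;
    uint16_t src_port, dst_port;
    uint8_t proto;
};

struct pkt_md {
    uint32_t in_port;
    uint32_t ct_state;              /* 0 means: nothing below is initialized */
    uint16_t ct_zone;
    uint32_t ct_mark;
    struct ct_tuple ct_orig_tuple;
};

/* Cheap per-packet init in the spirit of the pkt_metadata_init() comment:
 * zero only through ct_state; everything after it is deliberately skipped. */
static void md_init_cheap(struct pkt_md *md, uint32_t in_port)
{
    memset(md, 0, offsetof(struct pkt_md, ct_state) + sizeof md->ct_state);
    md->in_port = in_port;
}

/* Fill the block with a recognisable garbage pattern first, standing in for
 * stale heap contents (constructed; real leftovers are unpredictable). */
static void md_make_dirty(struct pkt_md *md)
{
    memset(md, 0xA5, sizeof *md);
}

/* Unguarded comparison, like check_orig_tuple(): it reads ct_orig_tuple and
 * therefore depends on uninitialised bytes whenever ct_state == 0. */
static bool orig_tuple_matches(const struct pkt_md *md, const struct ct_tuple *want)
{
    return md->ct_orig_tuple.src == want->src
        && md->ct_orig_tuple.dst == want->dst
        && md->ct_orig_tuple.src_port == want->src_port
        && md->ct_orig_tuple.dst_port == want->dst_port
        && md->ct_orig_tuple.proto == want->proto;
}

enum lookup_result { LOOKUP_NO_CT_DATA, LOOKUP_MATCH, LOOKUP_NO_MATCH };

/* The patched control flow: test ct_state before anything past it is read,
 * mirroring "pkt->md.ct_state && check_orig_tuple(...)". */
static enum lookup_result
lookup_guarded(const struct pkt_md *md, const struct ct_tuple *want)
{
    if (!md->ct_state) {
        return LOOKUP_NO_CT_DATA;   /* tail never touched */
    }
    return orig_tuple_matches(md, want) ? LOOKUP_MATCH : LOOKUP_NO_MATCH;
}

static const struct ct_tuple sample_tuple = {
    .src = 0x0a000001, .dst = 0x0a000002,   /* 10.0.0.1 -> 10.0.0.2, constructed */
    .src_port = 40000, .dst_port = 80, .proto = 6
};

/* Demonstrates that the cheap init really leaves the conntrack tail dirty. */
static bool tail_survives_cheap_init(void)
{
    struct pkt_md md;
    md_make_dirty(&md);
    md_init_cheap(&md, 1);
    return md.ct_state == 0 && md.ct_zone == 0xA5A5 && md.ct_mark == 0xA5A5A5A5u;
}

/* Fresh packet that has never been through conntrack. */
static enum lookup_result scenario_untracked(void)
{
    struct pkt_md md;
    md_make_dirty(&md);
    md_init_cheap(&md, 1);
    return lookup_guarded(&md, &sample_tuple);
}

/* Packet that conntrack has populated; same_tuple selects hit or miss. */
static enum lookup_result scenario_tracked(bool same_tuple)
{
    struct pkt_md md;
    md_make_dirty(&md);
    md_init_cheap(&md, 1);
    md.ct_state = 0x01;             /* any non-zero flag marks the tail valid */
    md.ct_orig_tuple = sample_tuple;
    if (!same_tuple) {
        md.ct_orig_tuple.dst_port = 443;
    }
    return lookup_guarded(&md, &sample_tuple);
}

int main(void)
{
    bool ok = tail_survives_cheap_init()
        && scenario_untracked() == LOOKUP_NO_CT_DATA
        && scenario_tracked(true) == LOOKUP_MATCH
        && scenario_tracked(false) == LOOKUP_NO_MATCH;
    printf("%s\n", ok ? "guard behaves as expected" : "FAILED");
    return ok ? 0 : 1;
}
```

Run it under Valgrind or with `-fsanitize=memory` and replace `lookup_guarded()` with a direct call to `orig_tuple_matches()` in `scenario_untracked()` to reproduce the class of report quoted in the commit message; with the guard in place the untracked path never dereferences the dirty tail.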