| Message ID | 20190328063600.GC16096@xps-13 |
|---|---|
| State | Accepted |
| Commit | 6b3aa6cd70be4ab01cf7f386ad41e8206d0a242e |
| Headers | show |
| Series | [ovs-dev,v2] openvswitch: fix flow actions reallocation | expand |
On Wed, Mar 27, 2019 at 11:36 PM Andrea Righi <andrea.righi@canonical.com> wrote: > > The flow action buffer can be resized if it's not big enough to contain > all the requested flow actions. However, this resize doesn't take into > account the new requested size, the buffer is only increased by a factor > of 2x. This might be not enough to contain the new data, causing a > buffer overflow, for example: > > [ 42.044472] ============================================================================= > [ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten > [ 42.046415] ----------------------------------------------------------------------------- > > [ 42.047715] Disabling lock debugging due to kernel taint > [ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc > [ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101 > [ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb > > [ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........ > [ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l... > [ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x... > [ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ............... > [ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 .... > [ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ > > Fix by making sure the new buffer is properly resized to contain all the > requested data. > > BugLink: https://bugs.launchpad.net/bugs/1813244 > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> > --- > Changes in v2: > - correctly resize to current_size+req_size (thanks to Pravin) > > net/openvswitch/flow_netlink.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c > index 691da853bef5..4bdf5e3ac208 100644 > --- a/net/openvswitch/flow_netlink.c > +++ b/net/openvswitch/flow_netlink.c > @@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, > > struct sw_flow_actions *acts; > int new_acts_size; > - int req_size = NLA_ALIGN(attr_len); > + size_t req_size = NLA_ALIGN(attr_len); > int next_offset = offsetof(struct sw_flow_actions, actions) + > (*sfa)->actions_len; > > if (req_size <= (ksize(*sfa) - next_offset)) > goto out; > > - new_acts_size = ksize(*sfa) * 2; > + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); > > if (new_acts_size > MAX_ACTIONS_BUFSIZE) { > if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { > -- Looks good. Acked-by: Pravin B Shelar <pshelar@ovn.org> Thanks, Pravin.
From: Andrea Righi <andrea.righi@canonical.com> Date: Thu, 28 Mar 2019 07:36:00 +0100 > The flow action buffer can be resized if it's not big enough to contain > all the requested flow actions. However, this resize doesn't take into > account the new requested size, the buffer is only increased by a factor > of 2x. This might be not enough to contain the new data, causing a > buffer overflow, for example: > > [ 42.044472] ============================================================================= > [ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten > [ 42.046415] ----------------------------------------------------------------------------- > > [ 42.047715] Disabling lock debugging due to kernel taint > [ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc > [ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101 > [ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb > > [ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........ > [ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l... > [ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x... > [ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ............... > [ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > [ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 .... > [ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ > > Fix by making sure the new buffer is properly resized to contain all the > requested data. > > BugLink: https://bugs.launchpad.net/bugs/1813244 > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Applied and queued up for -stable. Althought next time I want to see a proper Fixes: tag.
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 691da853bef5..4bdf5e3ac208 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, struct sw_flow_actions *acts; int new_acts_size; - int req_size = NLA_ALIGN(attr_len); + size_t req_size = NLA_ALIGN(attr_len); int next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len; if (req_size <= (ksize(*sfa) - next_offset)) goto out; - new_acts_size = ksize(*sfa) * 2; + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
The flow action buffer can be resized if it's not big enough to contain all the requested flow actions. However, this resize doesn't take into account the new requested size, the buffer is only increased by a factor of 2x. This might be not enough to contain the new data, causing a buffer overflow, for example: [ 42.044472] ============================================================================= [ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten [ 42.046415] ----------------------------------------------------------------------------- [ 42.047715] Disabling lock debugging due to kernel taint [ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc [ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101 [ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb [ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........ [ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l... [ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x... [ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ............... [ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 .... [ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ Fix by making sure the new buffer is properly resized to contain all the requested data. BugLink: https://bugs.launchpad.net/bugs/1813244 Signed-off-by: Andrea Righi <andrea.righi@canonical.com> --- Changes in v2: - correctly resize to current_size+req_size (thanks to Pravin) net/openvswitch/flow_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)