From patchwork Fri Nov 29 06:13:35 2019
X-Patchwork-Submitter: Linhaifeng
X-Patchwork-Id: 1202347
From: Linhaifeng
To: "dev@openvswitch.org", "blp@ovn.org"
Date: Fri, 29 Nov 2019 06:13:35 +0000
Message-ID: <4099DE2E54AFAD489356C6C9161D5333971D17D8@dggeml522-mbs.china.huawei.com>
Subject: [ovs-dev] [PATCH] ofproto: fix stack-buffer-overflow

Should use flow->actions not &flow->actions. Here is the ASAN report:

=================================================================
==57189==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffff428fa0e8 at pc 0xffff7f61a520 bp 0xffff428f9420 sp 0xffff428f9498
READ of size 196 at 0xffff428fa0e8 thread T150 (revalidator22)
    #0 0xffff7f61a51f in __interceptor_memcpy (/lib64/libasan.so.4+0xa251f)
    #1 0xaaaad26a3b2b in ofpbuf_put lib/ofpbuf.c:426
    #2 0xaaaad26a30cb in ofpbuf_clone_data_with_headroom lib/ofpbuf.c:248
    #3 0xaaaad26a2e77 in ofpbuf_clone_with_headroom lib/ofpbuf.c:218
    #4 0xaaaad26a2dc3 in ofpbuf_clone lib/ofpbuf.c:208
    #5 0xaaaad23e3993 in ukey_set_actions ofproto/ofproto-dpif-upcall.c:1640
    #6 0xaaaad23e3f03 in ukey_create__ ofproto/ofproto-dpif-upcall.c:1696
    #7 0xaaaad23e553f in ukey_create_from_dpif_flow ofproto/ofproto-dpif-upcall.c:1806
    #8 0xaaaad23e65fb in ukey_acquire ofproto/ofproto-dpif-upcall.c:1984
    #9 0xaaaad23eb583 in revalidate ofproto/ofproto-dpif-upcall.c:2625
    #10 0xaaaad23dee5f in udpif_revalidator ofproto/ofproto-dpif-upcall.c:1076
    #11 0xaaaad26b84ef in ovsthread_wrapper lib/ovs-thread.c:708
    #12 0xffff7e74a8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
    #13 0xffff7e0665cb in thread_start (/lib64/libc.so.6+0xd55cb)

Address 0xffff428fa0e8 is located in stack of thread T150 (revalidator22) at offset 328 in frame
    #0 0xaaaad23e4cab in ukey_create_from_dpif_flow ofproto/ofproto-dpif-upcall.c:1762

  This frame has 4 object(s):
    [32, 96) 'actions'
    [128, 192) 'buf'
    [224, 328) 'full_flow'
    [384, 2432) 'stub' <== Memory access at offset 328 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T150 (revalidator22) created by T0 here:
    #0 0xffff7f5b0f7f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f7f)
    #1 0xaaaad26b891f in ovs_thread_create lib/ovs-thread.c:792
    #2 0xaaaad23dc62f in udpif_start_threads ofproto/ofproto-dpif-upcall.c:639
    #3 0xaaaad23daf87 in ofproto_set_flow_table ofproto/ofproto-dpif-upcall.c:446
    #4 0xaaaad230ff7f in dpdk_evs_cfg_set vswitchd/bridge.c:1134
    #5 0xaaaad2310097 in bridge_reconfigure vswitchd/bridge.c:1148
    #6 0xaaaad23279d7 in bridge_run vswitchd/bridge.c:3944
    #7 0xaaaad23365a3 in main vswitchd/ovs-vswitchd.c:240
    #8 0xffff7dfb1adf in __libc_start_main (/lib64/libc.so.6+0x20adf)
    #9 0xaaaad230a3d3 (/usr/sbin/ovs-vswitchd-2.7.0-1.1.RC5.001.asan+0x26f3d3)

SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.4+0xa251f) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x200fe851f3c0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00
  0x200fe851f3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f3f0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
  0x200fe851f400: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
=>0x200fe851f410: 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2
  0x200fe851f420: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fe851f460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==57189==ABORTING

Signed-off-by: Linhaifeng
Acked-by: Numan Siddique
---
 ofproto/ofproto-dpif-upcall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.19.1

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c index dc30824771..c2fc527a31 100644 --- a/ofproto/ofproto-dpif-upcall.c +++ b/ofproto/ofproto-dpif-upcall.c @@ -1796,7 +1796,7 @@ ukey_create_from_dpif_flow(const struct udpif *udpif, } reval_seq = seq_read(udpif->reval_seq) - 1; /* Ensure revalidation. */ - ofpbuf_use_const(&actions, &flow->actions, flow->actions_len); + ofpbuf_use_const(&actions, flow->actions, flow->actions_len); *ukey = ukey_create__(flow->key, flow->key_len, flow->mask, flow->mask_len, flow->ufid_present, &flow->ufid, flow->pmd_id, &actions,
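Review bot: The commit message should carry a Fixes: tag naming the commit that introduced `&flow->actions`, so the backport target is clear; the report was taken on an ovs-vswitchd-2.7.0 build while the hunk is against a newer tree, and stable maintainers need that pointer. The change itself is right: `&flow->actions` passes the address of the `actions` pointer field inside the stack-resident `full_flow`, so the later `ofpbuf_clone` in `ukey_set_actions` copies `actions_len` bytes (196 in the report) of stack instead of the netlink action list, which is the READ that starts at the end of `full_flow` in the frame listing. Because the data parameter of `ofpbuf_use_const` is `const void *`, both `const struct nlattr *` and `const struct nlattr **` convert silently, so no compiler diagnostic was ever going to catch this; it is worth saying so in the message, since the one-character diff otherwise reads as a typo fix rather than a memory-safety fix found under ASan on the revalidator path.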
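As an added example (not code from the patch or from Open vSwitch), the following C program reproduces the pointer-versus-address-of-pointer mix-up on stand-in types and shows a `_Generic` wrapper that turns the slip into a compile error. `struct dpif_flow_like`, `buf_use_const`, `buf_clone` and the constructed two-attribute action list are assumptions chosen to mirror the shapes of `struct dpif_flow`, `ofpbuf_use_const` and `ofpbuf_clone`; the wrong-call function caps the copy length at the size of the pointer field so the demonstration stays within bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the netlink attribute header (assumption: only the
 * pointer+length shape of struct dpif_flow matters here). */
struct nlattr {
    uint16_t nla_len;   /* total length of this attribute, header included */
    uint16_t nla_type;
};

/* Stand-in for struct dpif_flow: a pointer to the encoded action list and
 * the number of bytes in it. */
struct dpif_flow_like {
    const struct nlattr *actions;
    size_t actions_len;
};

/* Stand-in for struct ofpbuf / ofpbuf_use_const(): record data and size. */
struct buf {
    const void *data;
    size_t size;
};

static void buf_use_const(struct buf *b, const void *data, size_t size)
{
    b->data = data;     /* const void * accepts nlattr* and nlattr** alike */
    b->size = size;
}

/* Stand-in for ofpbuf_clone(): heap copy of the referenced bytes. */
static void *buf_clone(const struct buf *b)
{
    void *copy = malloc(b->size ? b->size : 1);
    memcpy(copy, b->data, b->size);
    return copy;
}

/* Type-checked wrapper: the selector admits only a pointer to nlattr, so
 * passing &flow->actions (a struct nlattr **) fails to compile. */
#define BUF_USE_ACTIONS(b, p, len) \
    buf_use_const((b), _Generic((p), \
        const struct nlattr *: (p), \
        struct nlattr *: (p)), (len))

#define ACTIONS_CAP 64

/* Constructed sample: two attributes of 8 and 12 bytes (20 bytes total). */
static size_t build_actions(unsigned char *out)
{
    static const unsigned char payload1[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char payload2[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct nlattr a1 = { (uint16_t)(sizeof a1 + sizeof payload1), 1 };
    struct nlattr a2 = { (uint16_t)(sizeof a2 + sizeof payload2), 2 };
    size_t n = 0;
    memcpy(out + n, &a1, sizeof a1);            n += sizeof a1;
    memcpy(out + n, payload1, sizeof payload1); n += sizeof payload1;
    memcpy(out + n, &a2, sizeof a2);            n += sizeof a2;
    memcpy(out + n, payload2, sizeof payload2); n += sizeof payload2;
    return n;
}

/* Correct call (flow.actions): the clone is a byte-exact copy of the list.
 * Returns 1 on success. */
int correct_clone_matches(void)
{
    unsigned char actions[ACTIONS_CAP];   /* only ever read through memcpy */
    size_t len = build_actions(actions);
    struct dpif_flow_like flow = { (const struct nlattr *)actions, len };
    struct buf b;
    BUF_USE_ACTIONS(&b, flow.actions, flow.actions_len);
    unsigned char *copy = buf_clone(&b);
    int ok = b.size == len && memcmp(copy, actions, len) == 0;
    free(copy);
    return ok;
}

/* Buggy call (&flow.actions): the clone holds the pointer's own bytes, not
 * the action list. The length is capped at sizeof the field so this stays
 * in bounds; with the real actions_len the memcpy runs past the struct,
 * which is exactly what ASan reported. Returns 1 when the bug is shown. */
int wrong_call_copies_pointer_not_actions(void)
{
    unsigned char actions[ACTIONS_CAP];
    size_t len = build_actions(actions);
    struct dpif_flow_like flow = { (const struct nlattr *)actions, len };
    struct buf b;
    buf_use_const(&b, &flow.actions, sizeof flow.actions);   /* the bug */
    unsigned char *copy = buf_clone(&b);
    int copied_pointer = memcmp(copy, &flow.actions, sizeof flow.actions) == 0;
    int copied_actions = memcmp(copy, actions, sizeof flow.actions) == 0;
    free(copy);
    return copied_pointer && !copied_actions;
}

int main(void)
{
    printf("correct call copies action list: %d\n", correct_clone_matches());
    printf("wrong call copies pointer bytes: %d\n",
           wrong_call_copies_pointer_not_actions());
    return 0;
}
```

Swapping the `buf_use_const` call in the wrong-call function for `BUF_USE_ACTIONS` makes the program fail to compile, which is the property the raw `const void *` signature cannot give you.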