From patchwork Wed Mar 27 22:11:49 2019
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1067469
Date: Wed, 27 Mar 2019 23:11:49 +0100
From: Andrea Righi
To: Pravin B Shelar
Cc: dev@openvswitch.org, netdev@vger.kernel.org, "David S. Miller", linux-kernel@vger.kernel.org
Subject: [ovs-dev] [PATCH] openvswitch: fix flow actions reallocation
Message-ID: <20190327221148.GA16096@xps-13>

The flow action buffer can be resized if it's not big enough to contain all the requested flow actions. However, this resize doesn't take into account the new requested size; the buffer is only increased by a factor of 2x. This might not be enough to contain the new data, causing a buffer overflow, for example:

[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------
[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ

Fix by making sure the new buffer is properly resized to contain all the requested data.

BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi
---
 net/openvswitch/flow_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 691da853bef5..e6f789badaa3 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, struct sw_flow_actions *acts; int new_acts_size; - int req_size = NLA_ALIGN(attr_len); + size_t req_size = NLA_ALIGN(attr_len); int next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len; if (req_size <= (ksize(*sfa) - next_offset)) goto out; - new_acts_size = ksize(*sfa) * 2; + new_acts_size = max(req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
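Review bot: `new_acts_size = max(req_size, ksize(*sfa) * 2);` can still undersize the buffer, because the guard just above it, `if (req_size <= (ksize(*sfa) - next_offset))`, and the MAX_ACTIONS_BUFSIZE branch below both measure the requirement as next_offset plus req_size, i.e. the header plus the actions already stored plus the new attribute. When req_size is larger than twice the current allocation and actions_len is non-zero, growing to req_size alone leaves the new buffer short by next_offset bytes, so the floor should be `new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);`. A second, smaller point in the same hunk: req_size becomes size_t (needed for max() to type-check against ksize()), but new_acts_size stays int, so the max() result is narrowed on assignment and then compared with MAX_ACTIONS_BUFSIZE as an int; declaring new_acts_size as size_t as well keeps the sizes in one type throughout the function.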
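The following is an added, user-space model written for this page; it is not kernel code and not part of the patch. It contrasts the pre-patch policy (always double the allocation) with a policy that also grows to the size actually required, and it refuses a request instead of overrunning when the grown buffer would still be too small, which is what the SLUB redzone report above is catching. The structure layout, the 64-byte starting buffer, the value of MAX_ACTIONS_BUFSIZE and every function name are assumptions of the model; the "needed" floor is next_offset + req_size, the quantity the hunk's own guard compares against, rather than the hunk's literal `max(req_size, ksize(*sfa) * 2)`.

```c
/*
 * Added example (not kernel code, not from the patch): a user-space model of
 * the growth policy in reserve_sfa_size(). Names, layout and the constant
 * MAX_ACTIONS_BUFSIZE are assumed for the model.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define MAX_ACTIONS_BUFSIZE (32 * 1024)   /* assumed value for the model */

struct sw_flow_actions {
    size_t ksize;            /* stands in for ksize(): total bytes allocated */
    int actions_len;         /* bytes of actions already stored */
    unsigned char actions[]; /* netlink attributes follow the header */
};

enum growth_policy { GROW_DOUBLE, GROW_DOUBLE_OR_NEEDED };

static struct sw_flow_actions *alloc_actions(size_t total)
{
    struct sw_flow_actions *sfa = calloc(1, total);
    if (sfa)
        sfa->ksize = total;
    return sfa;
}

/* Bytes the buffer must provide: header offset + existing actions +
 * the aligned size of the new attribute. */
static size_t bytes_needed(const struct sw_flow_actions *sfa, int attr_len)
{
    size_t next_offset = offsetof(struct sw_flow_actions, actions) + sfa->actions_len;
    return next_offset + NLA_ALIGN(attr_len);
}

/* Size of the replacement buffer under each policy. */
static size_t new_size_for(const struct sw_flow_actions *sfa, int attr_len,
                           enum growth_policy p)
{
    size_t doubled = sfa->ksize * 2;
    size_t needed = bytes_needed(sfa, attr_len);

    if (p == GROW_DOUBLE)
        return doubled;                    /* pre-patch behaviour */
    return doubled > needed ? doubled : needed;
}

/* Model of reserve_sfa_size(): returns the offset where attr_len bytes may be
 * written, or -1 if the request cannot be satisfied. Where an undersized
 * buffer would be overrun in the kernel, this model returns -1 instead. */
static long reserve_model(struct sw_flow_actions **sfa, int attr_len,
                          enum growth_policy p)
{
    size_t req_size = NLA_ALIGN(attr_len);
    size_t next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len;
    struct sw_flow_actions *acts;
    size_t new_size;

    if (req_size <= (*sfa)->ksize - next_offset)
        goto out;                          /* still fits, no resize */

    new_size = new_size_for(*sfa, attr_len, p);
    if (new_size > MAX_ACTIONS_BUFSIZE) {
        if (MAX_ACTIONS_BUFSIZE - next_offset < req_size)
            return -1;                     /* kernel returns -EMSGSIZE here */
        new_size = MAX_ACTIONS_BUFSIZE;
    }
    if (new_size < next_offset + req_size)
        return -1;                         /* undersized growth: the reported overflow */

    acts = alloc_actions(new_size);
    if (!acts)
        return -1;
    memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
    acts->actions_len = (*sfa)->actions_len;
    free(*sfa);
    *sfa = acts;
out:
    (*sfa)->actions_len += (int)req_size;
    return (long)next_offset;
}

/* Constructed scenario: a fresh 64-byte buffer receives one request of
 * attr_len bytes. Returns the granted offset, or -1 if the policy failed. */
static long run_scenario(enum growth_policy p, int attr_len)
{
    struct sw_flow_actions *sfa = alloc_actions(64);
    long off;

    if (!sfa)
        return -1;
    off = reserve_model(&sfa, attr_len, p);
    free(sfa);
    return off;
}

int main(void)
{
    printf("200-byte request, doubling only:    %ld\n", run_scenario(GROW_DOUBLE, 200));
    printf("200-byte request, double-or-needed: %ld\n", run_scenario(GROW_DOUBLE_OR_NEEDED, 200));
    return 0;
}
```

With a 64-byte buffer, a 200-byte attribute makes the doubling policy produce a 128-byte buffer that cannot hold header plus attribute, so the model reports -1 where the kernel would write past the allocation; the double-or-needed policy grows to exactly header plus 200 bytes and succeeds. Requests that already fit, or that fit after doubling, behave identically under both policies, which is why the pre-patch code only fails for attributes larger than twice the current allocation.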