From patchwork Fri Apr 15 08:08:41 2022
X-Patchwork-Submitter: Paolo Valerio
X-Patchwork-Id: 562185
Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
From: Paolo Valerio
To: netdev@vger.kernel.org, dev@openvswitch.org
Cc: Pravin B Shelar, "David S. Miller", Jakub Kicinski, Paolo Abeni, stable@vger.kernel.org
Date: Fri, 15 Apr 2022 10:08:41 +0200
Message-ID: <165001012108.2147631.5880395764325229829.stgit@fed.void>
User-Agent: StGit/1.1
X-Mailing-List: stable@vger.kernel.org

Given a sufficiently large number of actions, while copying and reserving
memory for a new action of a new flow, if next_offset is greater than
MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does not return
-EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE bytes,
increasing actions_len by req_size. This can then lead to an OOB write
access, especially when further actions need to be copied.

Fix it by rearranging the flow action size check.

KASAN splat below:

==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836

CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
 dump_stack_lvl+0x45/0x5a
 print_report.cold+0x5e/0x5db
 ? __lock_text_start+0x8/0x8
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_report+0xb5/0x130
 ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
 kasan_check_range+0xf5/0x1d0
 memcpy+0x39/0x60
 reserve_sfa_size+0x1ba/0x380 [openvswitch]
 __add_action+0x24/0x120 [openvswitch]
 ovs_nla_add_action+0xe/0x20 [openvswitch]
 ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
 ? __kernel_text_address+0xe/0x30
 ? unwind_get_return_address+0x56/0xa0
 ? create_prof_cpu_mask+0x20/0x20
 ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
 ? prep_compound_page+0x198/0x2a0
 ? __kasan_check_byte+0x10/0x40
 ? kasan_unpoison+0x40/0x70
 ? ksize+0x44/0x60
 ? reserve_sfa_size+0x75/0x380 [openvswitch]
 __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
 ? __zone_watermark_ok+0x420/0x420
 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
 ? __alloc_pages+0x1a9/0x3e0
 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
 ? unwind_next_frame+0x991/0x1e40
 ? __mod_node_page_state+0x99/0x120
 ? __mod_lruvec_page_state+0x2e3/0x470
 ? __kasan_kmalloc_large+0x90/0xe0
 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
 ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
 ...

Cc: stable@vger.kernel.org
Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
Signed-off-by: Paolo Valerio
---
 net/openvswitch/flow_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 7176156d3844..4c09cf8a0ab2 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2465,7 +2465,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { - if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { + if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { OVS_NLERR(log, "Flow action size exceeds max %u", MAX_ACTIONS_BUFSIZE); return ERR_PTR(-EMSGSIZE);
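Review bot: the rewritten condition would read more clearly hoisted out of the `if (new_acts_size > MAX_ACTIONS_BUFSIZE)` block and placed ahead of the `max(next_offset + req_size, ksize(*sfa) * 2)` line. new_acts_size is at least next_offset + req_size, so `(next_offset + req_size) > MAX_ACTIONS_BUFSIZE` already implies the outer test; checking it first makes the -EMSGSIZE rejection depend only on the size actually requested and not on the ksize() doubling heuristic. The new form itself is the right fix: the old `(MAX_ACTIONS_BUFSIZE - next_offset) < req_size` goes negative once next_offset is already past MAX_ACTIONS_BUFSIZE, the situation the commit message names as the trigger, and if req_size is unsigned (its declaration is outside the hunk) that negative difference converts to a large unsigned value for the comparison, so the check is always false and the function proceeds to allocate MAX_ACTIONS_BUFSIZE bytes and copy more than that into them, which is the memcpy the splat reports. The hunk is cut off after the `return ERR_PTR(-EMSGSIZE);` line, so the cap-and-allocate fallthrough it guards is not visible here and has to be taken from the commit message.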
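The arithmetic of the two checks, as an added example written for this page and not code from the patch or the kernel tree: a user-space C model of reserve_sfa_size() with the pre-patch and post-patch conditions side by side, driven through the scenario the commit message describes (next_offset already past MAX_ACTIONS_BUFSIZE). MAX_ACTIONS_BUFSIZE is the value used in net/openvswitch/flow_netlink.c; everything the hunk does not show is an assumption made for the model: the fast path that reuses the current allocation when ksize() says there is room, a 16-byte header standing in for offsetof(struct sw_flow_actions, actions), power-of-two slab rounding so that ksize() can exceed MAX_ACTIONS_BUFSIZE, an initial buffer already allocated at the cap, and the convention that a KASAN-style checker bounds writes at the size requested from the allocator. The model never performs the out-of-bounds write; it reports the reservation at which the copy of the existing actions would run past the replacement buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ACTIONS_BUFSIZE (32 * 1024)  /* value from net/openvswitch/flow_netlink.c */
#define EMSGSIZE 90
#define SFA_HDR 16  /* assumed stand-in for offsetof(struct sw_flow_actions, actions) */

struct sfa_model {
	size_t requested;    /* bytes asked from the allocator; assumed bound of a KASAN-style checker */
	size_t ksize;        /* what ksize() reports: the rounded-up slab object (assumed) */
	size_t actions_len;  /* bytes of actions already stored */
};

/* Assumed slab behaviour: allocations are rounded up to a power of two. */
static size_t model_ksize(size_t request)
{
	size_t k = 16;

	while (k < request)
		k *= 2;
	return k;
}

static void sfa_alloc(struct sfa_model *sfa, size_t size)
{
	sfa->requested = SFA_HDR + size;
	sfa->ksize = model_ksize(sfa->requested);
	sfa->actions_len = 0;
}

/* Pre-patch check with the kernel function's operand types (int next_offset, size_t req_size).
 * Past the cap the difference is negative; converted to size_t it is huge, so it never fires. */
static bool old_check_rejects(int next_offset, size_t req_size)
{
	return (MAX_ACTIONS_BUFSIZE - next_offset) < req_size;
}

/* Post-patch check: the sum is computed as size_t and cannot go negative. */
static bool new_check_rejects(int next_offset, size_t req_size)
{
	return (next_offset + req_size) > MAX_ACTIONS_BUFSIZE;
}

/* Model of reserve_sfa_size(): 0 on success, -EMSGSIZE when rejected. *oob_copy is set when
 * the memcpy() of the existing actions into the replacement buffer (the write in the KASAN
 * splat) would run past what that buffer was allocated for. */
static int reserve_model(struct sfa_model *sfa, size_t req_size, bool patched, bool *oob_copy)
{
	int next_offset = (int)(SFA_HDR + sfa->actions_len);
	size_t new_acts_size, old_len;

	*oob_copy = false;
	/* Assumed fast path: the current object, as ksize() sees it, still has room. */
	if (req_size <= sfa->ksize - next_offset)
		goto out;

	new_acts_size = sfa->ksize * 2;
	if (next_offset + req_size > new_acts_size)
		new_acts_size = next_offset + req_size;

	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
		bool reject = patched ? new_check_rejects(next_offset, req_size)
				      : old_check_rejects(next_offset, req_size);

		if (reject)
			return -EMSGSIZE;
		new_acts_size = MAX_ACTIONS_BUFSIZE;  /* cap it, as the commit message describes */
	}

	old_len = sfa->actions_len;
	sfa_alloc(sfa, new_acts_size);
	sfa->actions_len = old_len;
	if (SFA_HDR + old_len > sfa->requested)  /* copy of old_len bytes starting at SFA_HDR */
		*oob_copy = true;
out:
	sfa->actions_len += req_size;
	return 0;
}

/* Start from a buffer allocated at the cap (assumed: a large incoming action list) and add
 * 1000-byte actions. Returns the index of the reservation whose copy would go out of bounds,
 * or -1 if a reservation was rejected with -EMSGSIZE first. */
static int run_scenario(bool patched)
{
	struct sfa_model sfa;
	bool oob;
	int n;

	sfa_alloc(&sfa, MAX_ACTIONS_BUFSIZE);
	for (n = 0; n < 200; n++) {
		if (reserve_model(&sfa, 1000, patched, &oob) == -EMSGSIZE)
			return -1;
		if (oob)
			return n;
	}
	return n;
}

int main(void)
{
	printf("next_offset past the cap: old check rejects=%d, new check rejects=%d\n",
	       old_check_rejects(40000, 64), new_check_rejects(40000, 64));
	printf("unpatched: copy runs out of bounds on reservation %d\n", run_scenario(false));
	printf("patched: %s\n", run_scenario(true) == -1 ? "rejected with -EMSGSIZE" : "accepted");
	return 0;
}
```

With these assumptions the fast path lets actions_len grow to the 64 KiB that ksize() reports for a 32 KiB-plus-header request, the unpatched check then lets the 66th reservation shrink the buffer to the cap and copy 65000 bytes into it, and the patched check rejects that same reservation with -EMSGSIZE. For values of next_offset at or below MAX_ACTIONS_BUFSIZE the two checks agree, which is why the bug only shows with a large enough action list.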