From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ross Lagerwall , Pravin B Shelar , "David S. Miller" Subject: [PATCH 4.19 009/103] openvswitch: Avoid OOB read when parsing flow nlattrs Date: Tue, 29 Jan 2019 12:34:46 +0100 Message-Id: <20190129113200.073654498@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190129113159.567154026@linuxfoundation.org> References: <20190129113159.567154026@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ross Lagerwall [ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ] For nested and variable attributes, the expected length of an attribute is not known and marked by a negative number. This results in an OOB read when the expected length is later used to check if the attribute is all zeros. Fix this by using the actual length of the attribute rather than the expected length. Signed-off-by: Ross Lagerwall Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/openvswitch/flow_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const st return -EINVAL; } - if (!nz || !is_all_zero(nla_data(nla), expected_len)) { + if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { attrs |= 1 << type; a[type] = nla; }
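Review bot: The changed call `is_all_zero(nla_data(nla), nla_len(nla))` in `__parse_flow_nlattrs` carries no comment saying why the attribute's actual length is used instead of `expected_len`. The commit message states that `expected_len` is a negative marker for nested and variable attributes, so a one-line comment above the `if` noting that `expected_len` must not be used as a size at this point would guard against the check being reverted in a later cleanup. The message also has no Fixes: tag naming the commit that introduced the `expected_len` use, which would help decide how far back the stable backport applies.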