Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp273862img; Wed, 27 Mar 2019 22:47:46 -0700 (PDT) X-Google-Smtp-Source: APXvYqxpjkaEdVYNoIsDxBdNXCV/rXElYRDP5ew8Pm56Yo/CX97UUDqLqPbP5no0csa+hZfzRXck X-Received: by 2002:a17:902:9881:: with SMTP id s1mr11655495plp.99.1553752066863; Wed, 27 Mar 2019 22:47:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553752066; cv=none; d=google.com; s=arc-20160816; b=gLZn6sA4JT5vB3qaX20PKWYNtlis01OMhQ9uaJsBnu9qMjDgczmL06iZdItek1baXG gq0+fOEzT7k5bSkTS/wXpl4ZxVtbGJ6hjej7tNhV/P86z7uZ1rzHxFOv4Jbv419aHTE6 SoyVe6QxLDcLJxj8nkSo7ZOzzpbK0LtmwfpJCAKv/sHGKJIyiB6HI3P645dspbhBGBht TwSnOY5b1+IBanuNUDNljBuVqUI1BYtDCmMsCwmfFZeE7Csvk1odhdyTbUw0cCekS/In 1g6f7kR8DXO+lA64TZrfh/eCB4URMfkmOpbNN+TH3uYigh5VyxqgqzAltSQ02wvdr0QB Brfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=lnWusSuUPplv3PCMitfxLczSv9S6cRhR/+Mv7BdgHE4=; b=yWNHCZIdGvSCdBGL0SU0UMx1qrNK1iJAP0uYbzYQqnURwHvJH0McgP7LQ6vXOx+aZt egmDbnuf2wD9RLtTCWPkQ5vBIeXSAGdJI5nhM2xiUiHArz+pA3XaW6HL2LgabWQoz9UK 1JP5aJHqs8mfM5JIkFRPs/iHF+hBItU2Jcvk9yikqz7uMwzsJZ3l9bfkjGrTqcKqPiAv NzzWjMfMkMiEndCBb1uW/ziIvgd3PvNG+gL7ZR2WMuDFkUMA04wtccA28f7M8gvkyVCw E3eFjngWrZgt23pob/NY8TS4mp8wXRJSeb4b4GgJu+2WM8CSxJAaUqEvaFI8vzOMW+rO RIcw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 186si20775284pfe.262.2019.03.27.22.47.30; Wed, 27 Mar 2019 22:47:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726098AbfC1Fqa (ORCPT + 99 others); Thu, 28 Mar 2019 01:46:30 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:53596 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725853AbfC1Fq3 (ORCPT ); Thu, 28 Mar 2019 01:46:29 -0400 Received: from mail-wr1-f71.google.com ([209.85.221.71]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1h9Nru-00035F-NH for linux-kernel@vger.kernel.org; Thu, 28 Mar 2019 05:46:26 +0000 Received: by mail-wr1-f71.google.com with SMTP id u18so8464646wrp.19 for ; Wed, 27 Mar 2019 22:46:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=lnWusSuUPplv3PCMitfxLczSv9S6cRhR/+Mv7BdgHE4=; b=ub/s8w1ypO0r0hSmzQlCR/yCxW3lXDPihQi0IbkkouNpzvPCUifRdSfdSfJeAsf0Qi Yomx5J4cNHlcyyXRboMNBjOF79cWvQW04pyzo1PPXrhWAOPvYcARbEczlMt28Pq+1CuU 08YXDhHz5e+ordRG2Qt9QPCn8vtibwwbVlAfL8z6jpH77KEHtpWK79/zibRrND9DEW1x 7+PxNwnP4U2/c598MOynLQejZtPtum5judZea8MaUcGwFikMqhC8/U+xBNGqsKERdRBQ a+ued/SGww7OcrXUFAbz5wO7jMYB1HnjjMMU0jcIhdZIrWF9BBvNdwFiEkaSK5MiBiRY eUGQ== X-Gm-Message-State: APjAAAXmDQcXOOLg6Rh3gISx7fU+tUhr72j6t0nDAG7+w2UrT3FuUACr aOo/RyHmIZqPnAVeMW//lDs1LmdAVprSTuEM1I7mRzEFRHm8/yMa2ClzIVvz/pK8B87CSJ+vFp+ EOriz4OFQ12EnLtkfs/tbC8chmCPMJBpdJkiDT/JRdA== X-Received: by 2002:a7b:c769:: with SMTP id x9mr15218913wmk.103.1553751986399; Wed, 27 Mar 2019 22:46:26 -0700 (PDT) X-Received: by 2002:a7b:c769:: with SMTP id x9mr15218904wmk.103.1553751986164; Wed, 27 Mar 2019 22:46:26 -0700 (PDT) Received: from localhost (host141-127-dynamic.17-87-r.retail.telecomitalia.it. [87.17.127.141]) by smtp.gmail.com with ESMTPSA id w16sm29974146wrt.84.2019.03.27.22.46.25 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 27 Mar 2019 22:46:25 -0700 (PDT) Date: Thu, 28 Mar 2019 06:46:24 +0100 From: Andrea Righi To: Pravin Shelar Cc: "David S. Miller" , Linux Kernel Network Developers , ovs dev , linux-kernel@vger.kernel.org Subject: Re: [PATCH] openvswitch: fix flow actions reallocation Message-ID: <20190328054623.GB16096@xps-13> References: <20190327221148.GA16096@xps-13> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 27, 2019 at 08:43:54PM -0700, Pravin Shelar wrote: > On Wed, Mar 27, 2019 at 3:11 PM Andrea Righi wrote: > > > > The flow action buffer can be resized if it's not big enough to contain > > all the requested flow actions. However, this resize doesn't take into > > account the new requested size, the buffer is only increased by a factor > > of 2x. This might be not enough to contain the new data, causing a > > buffer overflow, for example: > > > > [ 42.044472] ============================================================================= > > [ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten > > [ 42.046415] ----------------------------------------------------------------------------- > > > > [ 42.047715] Disabling lock debugging due to kernel taint > > [ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc > > [ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101 > > [ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb > > > > [ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........ > > [ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l... > > [ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x... > > [ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ............... > > [ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > [ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > [ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > [ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 .... > > [ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ > > > > Fix by making sure the new buffer is properly resized to contain all the > > requested data. > > > > BugLink: https://bugs.launchpad.net/bugs/1813244 > > Signed-off-by: Andrea Righi > > This must be rare combination of action that trigger this case. It is pretty rare indeed, but the test case reported in the BugLink can trigger it 100% of the times. > > > --- > > net/openvswitch/flow_netlink.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c > > index 691da853bef5..e6f789badaa3 100644 > > --- a/net/openvswitch/flow_netlink.c > > +++ b/net/openvswitch/flow_netlink.c > > @@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, > > > > struct sw_flow_actions *acts; > > int new_acts_size; > > - int req_size = NLA_ALIGN(attr_len); > > + size_t req_size = NLA_ALIGN(attr_len); > > int next_offset = offsetof(struct sw_flow_actions, actions) + > > (*sfa)->actions_len; > > > > if (req_size <= (ksize(*sfa) - next_offset)) > > goto out; > > > > - new_acts_size = ksize(*sfa) * 2; > > + new_acts_size = max(req_size, ksize(*sfa) * 2); > > > Don't we need to compare current_action_size+req_size and > current_action_size*2 here ? You are right! We should compare next_offset+req_size and ksize(*sfa)*2. Will send a new patch soon, thanks! -Andrea > > > if (new_acts_size > MAX_ACTIONS_BUFSIZE) { > > if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { > > -- > > 2.19.1 > >