From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrea Righi, Pravin B Shelar, "David S. Miller"
Subject: [PATCH 4.9 52/76] openvswitch: fix flow actions reallocation
Date: Mon, 15 Apr 2019 20:44:16 +0200
Message-Id: <20190415183722.127520610@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190415183707.712011689@linuxfoundation.org>
References: <20190415183707.712011689@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Andrea Righi

[ Upstream commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb ]

The flow action buffer can be resized if it's not big enough to contain all the requested flow actions. However, this resize doesn't take into account the new requested size; the buffer is only increased by a factor of 2x. This might not be enough to contain the new data, causing a buffer overflow, for example:

[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------
[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00  ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ

Fix by making sure the new buffer is properly resized to contain all the requested data.

BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi
Acked-by: Pravin B Shelar
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- net/openvswitch/flow_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -1853,14 +1853,14 @@ static struct nlattr *reserve_sfa_size(s struct sw_flow_actions *acts; int new_acts_size; - int req_size = NLA_ALIGN(attr_len); + size_t req_size = NLA_ALIGN(attr_len); int next_offset = offsetof(struct sw_flow_actions, actions) + (*sfa)->actions_len; if (req_size <= (ksize(*sfa) - next_offset)) goto out; - new_acts_size = ksize(*sfa) * 2; + new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); if (new_acts_size > MAX_ACTIONS_BUFSIZE) { if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
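Review bot: new_acts_size is still declared `int` while the new right-hand side `max(next_offset + req_size, ksize(*sfa) * 2)` evaluates to size_t (ksize() returns size_t and req_size is now size_t), so the assignment narrows implicitly before the `new_acts_size > MAX_ACTIONS_BUFSIZE` comparison; declaring `size_t new_acts_size;` alongside the req_size change would keep the whole computation unsigned. The switch of req_size from int to size_t is also what lets the kernel's type-checked max() accept both operands, so it belongs with the sizing fix rather than being an incidental cleanup.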
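The sizing bug the commit message describes, modelled as an added example (this is not the kernel's code): a constructed slab-size table stands in for ksize(), HDR_SIZE and the MAX_ACTIONS_BUFSIZE value are assumed, and append_fits() reports whether appending attr_len bytes to a buffer already holding actions_len bytes stays inside the allocation each growth policy would pick.

```c
#include <stddef.h>
#include <stdio.h>
/* Added model of the arithmetic in reserve_sfa_size(); not the kernel's code.
 * HDR_SIZE (standing in for offsetof(struct sw_flow_actions, actions)) and
 * the cap value are assumed; a constructed slab table stands in for ksize(). */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define HDR_SIZE 8
#define MAX_ACTIONS_BUFSIZE (32 * 1024)

/* Round a request up to a constructed set of kmalloc object sizes. */
static size_t model_ksize(size_t req)
{
    static const size_t classes[] = {8, 16, 32, 64, 96, 128, 192, 256, 512, 1024};
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (req <= classes[i])
            return classes[i];
    return req;
}

/* Old policy (the hunk's '-' line): double the allocation, ignoring the request. */
static size_t grow_old(size_t cur, size_t next_offset, size_t req_size)
{ (void)next_offset; (void)req_size; return cur * 2; }

/* Fixed policy (the '+' line): never smaller than the bytes the append needs. */
static size_t grow_fixed(size_t cur, size_t next_offset, size_t req_size)
{ size_t need = next_offset + req_size; return need > cur * 2 ? need : cur * 2; }

/* 1 if the append lands inside the chosen allocation, 0 if the copy would overrun it. */
static int append_fits(size_t (*grow)(size_t, size_t, size_t),
                       size_t actions_len, size_t attr_len)
{
    size_t req_size = NLA_ALIGN(attr_len);
    size_t next_offset = HDR_SIZE + actions_len;
    size_t cur = model_ksize(next_offset);          /* current buffer's ksize() */
    if (req_size <= cur - next_offset)
        return 1;                                   /* fits in place, no realloc */
    size_t new_size = grow(cur, next_offset, req_size);
    if (new_size > MAX_ACTIONS_BUFSIZE)
        return 0;                                   /* rejected, nothing copied */
    return next_offset + req_size <= model_ksize(new_size);
}

int main(void)
{   /* 80 bytes of actions in a kmalloc-96 object, then a 120-byte action appended */
    printf("doubling only: %d   max() fix: %d\n",
           append_fits(grow_old, 80, 120), append_fits(grow_fixed, 80, 120));
    return 0;
}
```

With 88 bytes in use, doubling yields a 192-byte object while the append needs 208 bytes, which is the redzone overwrite in the splat above; the max() form grows to 208 and lands in kmalloc-256.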