From: Peilin Ye
To: Pravin B Shelar
Cc: Peilin Ye, "David S. Miller", Jakub Kicinski, Dan Carpenter, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel-mentees@lists.linuxfoundation.org, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [Linux-kernel-mentees] [PATCH net] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
Date: Fri, 31 Jul 2020 00:48:38 -0400
Message-Id: <20200731044838.213975-1-yepeilin.cs@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

ovs_ct_put_key() is potentially copying uninitialized kernel stack memory
into socket buffers, since the compiler may leave a 3-byte hole at the end
of `struct ovs_key_ct_tuple_ipv4` and `struct ovs_key_ct_tuple_ipv6`. Fix
it by initializing `orig` with memset().

Cc: stable@vger.kernel.org
Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.")
Suggested-by: Dan Carpenter
Signed-off-by: Peilin Ye --- Reference: https://lwn.net/Articles/417989/ $ pahole -C "ovs_key_ct_tuple_ipv4" net/openvswitch/conntrack.o struct ovs_key_ct_tuple_ipv4 { __be32 ipv4_src; /* 0 4 */ __be32 ipv4_dst; /* 4 4 */ __be16 src_port; /* 8 2 */ __be16 dst_port; /* 10 2 */ __u8 ipv4_proto; /* 12 1 */ /* size: 16, cachelines: 1, members: 5 */ /* padding: 3 */ /* last cacheline: 16 bytes */ }; $ pahole -C "ovs_key_ct_tuple_ipv6" net/openvswitch/conntrack.o struct ovs_key_ct_tuple_ipv6 { __be32 ipv6_src[4]; /* 0 16 */ __be32 ipv6_dst[4]; /* 16 16 */ __be16 src_port; /* 32 2 */ __be16 dst_port; /* 34 2 */ __u8 ipv6_proto; /* 36 1 */ /* size: 40, cachelines: 1, members: 5 */ /* padding: 3 */ /* last cacheline: 40 bytes */ }; net/openvswitch/conntrack.c | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 4340f25fe390..98d393e70de3 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -276,10 +276,6 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) ovs_ct_update_key(skb, NULL, key, false, false); } -#define IN6_ADDR_INITIALIZER(ADDR) \ - { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \ - (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] } - int ovs_ct_put_key(const struct sw_flow_key *swkey, const struct sw_flow_key *output, struct sk_buff *skb) { 
@@ -301,24 +297,30 @@ int ovs_ct_put_key(const struct sw_flow_key *swkey, if (swkey->ct_orig_proto) { if (swkey->eth.type == htons(ETH_P_IP)) { - struct ovs_key_ct_tuple_ipv4 orig = { - output->ipv4.ct_orig.src, - output->ipv4.ct_orig.dst, - output->ct.orig_tp.src, - output->ct.orig_tp.dst, - output->ct_orig_proto, - }; + struct ovs_key_ct_tuple_ipv4 orig; + + memset(&orig, 0, sizeof(orig)); + orig.ipv4_src = output->ipv4.ct_orig.src; + orig.ipv4_dst = output->ipv4.ct_orig.dst; + orig.src_port = output->ct.orig_tp.src; + orig.dst_port = output->ct.orig_tp.dst; + orig.ipv4_proto = output->ct_orig_proto; + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, sizeof(orig), &orig)) return -EMSGSIZE; } else if (swkey->eth.type == htons(ETH_P_IPV6)) { - struct ovs_key_ct_tuple_ipv6 orig = { - IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src), - IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst), - output->ct.orig_tp.src, - output->ct.orig_tp.dst, - output->ct_orig_proto, - }; + struct ovs_key_ct_tuple_ipv6 orig; + + memset(&orig, 0, sizeof(orig)); + memcpy(orig.ipv6_src, output->ipv6.ct_orig.src.s6_addr32, + sizeof(orig.ipv6_src)); + memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32, + sizeof(orig.ipv6_dst)); + orig.src_port = output->ct.orig_tp.src; + orig.dst_port = output->ct.orig_tp.dst; + orig.ipv6_proto = output->ct_orig_proto; + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, sizeof(orig), &orig)) return -EMSGSIZE; -- 2.25.1
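Review bot: the deletion of IN6_ADDR_INITIALIZER at the top of the first hunk is only safe because the second hunk replaces its two remaining users in ovs_ct_put_key() with memcpy() from s6_addr32; the two hunks have to be applied together, so when this is picked up via the Cc: stable / Fixes: tags it must not be split. The memcpy() form preserves the same word order the macro produced (s6_addr32[0..3] into ipv6_src[0..3]), so the on-wire layout of OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 is unchanged.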
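Review bot: in the second hunk the memset() is the whole fix, and nothing in the code says so; a later cleanup could fold the assignments back into a brace initializer, which gives no portable guarantee that the 3 padding bytes shown in the pahole output are zeroed before nla_put() copies sizeof(orig) bytes out. A one-line comment above each memset() noting that the padding must be cleared before the struct leaves the kernel would protect the fix. The two memcpy() calls also rely on orig.ipv6_src (__be32[4] per pahole) being the same size as output->ipv6.ct_orig.src.s6_addr32; a BUILD_BUG_ON(sizeof(orig.ipv6_src) != sizeof(output->ipv6.ct_orig.src.s6_addr32)) would make that assumption checked rather than implicit.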
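As an added illustration of the padding problem the commit message describes (example code written for this page, not the kernel's or the patch author's), the block below mirrors the IPv4 tuple struct from the pahole dump in user space, applies the patched zero-then-assign fill, and checks the padding bytes the way a consumer or test would; the struct name, sample addresses and the 0xA5 poison value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed mirror of struct ovs_key_ct_tuple_ipv4 from the pahole dump
 * above (__be32/__be16/__u8 as fixed-width ints); not the kernel's header. */
struct ct_tuple_ipv4 {
    uint32_t ipv4_src;
    uint32_t ipv4_dst;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  ipv4_proto;
};

/* Tail padding after the last member: bytes no member assignment covers. */
size_t ct_tuple_ipv4_padding(void)
{
    return sizeof(struct ct_tuple_ipv4) -
           (offsetof(struct ct_tuple_ipv4, ipv4_proto) + sizeof(uint8_t));
}

/* Patched shape of ovs_ct_put_key(): zero the whole object before setting
 * members, so the padding cannot carry stale stack contents out with it. */
void ct_tuple_ipv4_fill(struct ct_tuple_ipv4 *o, uint32_t src, uint32_t dst,
                        uint16_t sp, uint16_t dp, uint8_t proto)
{
    memset(o, 0, sizeof(*o));   /* without this line: the pre-patch bug */
    o->ipv4_src = src;  o->ipv4_dst = dst;
    o->src_port = sp;   o->dst_port = dp;
    o->ipv4_proto = proto;
}

/* 1 if every padding byte is zero: an nla_put()-style copy leaks nothing extra. */
int ct_tuple_ipv4_padding_is_zero(const struct ct_tuple_ipv4 *t)
{
    const unsigned char *p = (const unsigned char *)t;
    for (size_t i = sizeof(*t) - ct_tuple_ipv4_padding(); i < sizeof(*t); i++)
        if (p[i] != 0) return 0;
    return 1;
}

/* Poison a stack object (stand-in for stale data), fill it the patched
 * way, and report whether the padding came out clean. */
int ct_tuple_ipv4_patched_is_clean(void)
{
    struct ct_tuple_ipv4 t;
    memset(&t, 0xA5, sizeof(t));
    ct_tuple_ipv4_fill(&t, 0x0a000001u, 0x0a000002u, 1234, 80, 6);
    return ct_tuple_ipv4_padding_is_zero(&t) && t.ipv4_proto == 6;
}
```

Dropping the memset() line and re-running the check is the quickest way to see why a brace initializer or per-member stores alone are not a fix here.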