leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
72f17baf23
linux/net
History
Stefano Brivio 72f17baf23 openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found 
If an OVS_ATTR_NESTED attribute type is found while walking
through netlink attributes, we call nlattr_set() recursively
passing the length table for the following nested attributes, if
different from the current one.

However, once we're done with those sub-nested attributes, we
should continue walking through attributes using the current
table, instead of using the one related to the sub-nested
attributes.

For example, given this sequence:

1  OVS_KEY_ATTR_PRIORITY
2  OVS_KEY_ATTR_TUNNEL
3	OVS_TUNNEL_KEY_ATTR_ID
4	OVS_TUNNEL_KEY_ATTR_IPV4_SRC
5	OVS_TUNNEL_KEY_ATTR_IPV4_DST
6	OVS_TUNNEL_KEY_ATTR_TTL
7	OVS_TUNNEL_KEY_ATTR_TP_SRC
8	OVS_TUNNEL_KEY_ATTR_TP_DST
9  OVS_KEY_ATTR_IN_PORT
10 OVS_KEY_ATTR_SKB_MARK
11 OVS_KEY_ATTR_MPLS

we switch to the 'ovs_tunnel_key_lens' table on attribute #3,
and we don't switch back to 'ovs_key_lens' while setting
attributes #9 to #11 in the sequence. As OVS_KEY_ATTR_MPLS
evaluates to 21, and the array size of 'ovs_tunnel_key_lens' is
15, we also get this kind of KASan splat while accessing the
wrong table:

[ 7654.586496] ==================================================================
[ 7654.594573] BUG: KASAN: global-out-of-bounds in nlattr_set+0x164/0xde9 [openvswitch]
[ 7654.603214] Read of size 4 at addr ffffffffc169ecf0 by task handler29/87430
[ 7654.610983]
[ 7654.612644] CPU: 21 PID: 87430 Comm: handler29 Kdump: loaded Not tainted 3.10.0-866.el7.test.x86_64 #1
[ 7654.623030] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
[ 7654.631379] Call Trace:
[ 7654.634108]  [<ffffffffb65a7c50>] dump_stack+0x19/0x1b
[ 7654.639843]  [<ffffffffb53ff373>] print_address_description+0x33/0x290
[ 7654.647129]  [<ffffffffc169b37b>] ? nlattr_set+0x164/0xde9 [openvswitch]
[ 7654.654607]  [<ffffffffb53ff812>] kasan_report.part.3+0x242/0x330
[ 7654.661406]  [<ffffffffb53ff9b4>] __asan_report_load4_noabort+0x34/0x40
[ 7654.668789]  [<ffffffffc169b37b>] nlattr_set+0x164/0xde9 [openvswitch]
[ 7654.676076]  [<ffffffffc167ef68>] ovs_nla_get_match+0x10c8/0x1900 [openvswitch]
[ 7654.684234]  [<ffffffffb61e9cc8>] ? genl_rcv+0x28/0x40
[ 7654.689968]  [<ffffffffb61e7733>] ? netlink_unicast+0x3f3/0x590
[ 7654.696574]  [<ffffffffc167dea0>] ? ovs_nla_put_tunnel_info+0xb0/0xb0 [openvswitch]
[ 7654.705122]  [<ffffffffb4f41b50>] ? unwind_get_return_address+0xb0/0xb0
[ 7654.712503]  [<ffffffffb65d9355>] ? system_call_fastpath+0x1c/0x21
[ 7654.719401]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
[ 7654.726298]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
[ 7654.733195]  [<ffffffffb53fe4b5>] ? kasan_unpoison_shadow+0x35/0x50
[ 7654.740187]  [<ffffffffb53fe62a>] ? kasan_kmalloc+0xaa/0xe0
[ 7654.746406]  [<ffffffffb53fec32>] ? kasan_slab_alloc+0x12/0x20
[ 7654.752914]  [<ffffffffb53fe711>] ? memset+0x31/0x40
[ 7654.758456]  [<ffffffffc165bf92>] ovs_flow_cmd_new+0x2b2/0xf00 [openvswitch]

[snip]

[ 7655.132484] The buggy address belongs to the variable:
[ 7655.138226]  ovs_tunnel_key_lens+0xf0/0xffffffffffffd400 [openvswitch]
[ 7655.145507]
[ 7655.147166] Memory state around the buggy address:
[ 7655.152514]  ffffffffc169eb80: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
[ 7655.160585]  ffffffffc169ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.168644] >ffffffffc169ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
[ 7655.176701]                                                              ^
[ 7655.184372]  ffffffffc169ed00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 05
[ 7655.192431]  ffffffffc169ed80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.200490] ==================================================================

Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Fixes: 982b527004 ("openvswitch: Fix mask generation for nested attributes.")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-04 12:51:02 -04:00
..
6lowpan
9p net/9p/client.c: fix potential refcnt problem of trans module 2018-04-05 21:36:23 -07:00
802
8021q vlan: also check phy_driver ts_info for vlan's real device 2018-04-01 20:53:50 -04:00
appletalk net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
atm net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
ax25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-01 19:49:34 -04:00
bluetooth Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2018-04-08 17:19:15 -04:00
bpf
bridge bridge: check iface upper dev when setting master via ioctl 2018-04-29 21:08:02 -04:00
caif net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN" 2018-04-19 13:37:10 -04:00
can net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ceph libceph: validate con->state at the top of try_write() 2018-04-26 17:39:08 +02:00
core ethtool: fix a potential missing-check bug 2018-05-01 14:18:47 -04:00
dcb
dccp dccp: fix tasklet usage 2018-05-03 15:14:57 -04:00
decnet net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
dns_resolver KEYS: DNS: limit the length of option strings 2018-04-17 15:17:41 -04:00
dsa net: dsa: Discard frames from unused ports 2018-04-08 10:34:49 -04:00
ethernet
hsr
ieee802154 inet: frags: fix ip6frag_low_thresh boundary 2018-04-04 12:04:59 -04:00
ife net: sched: ife: check on metadata length 2018-04-22 21:12:00 -04:00
ipv4 tcp: restore autocorking 2018-05-03 11:28:50 -04:00
ipv6 ipv6: Revert "ipv6: Allow non-gateway ECMP for IPv6" 2018-05-02 16:33:02 -04:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-23 11:31:58 -04:00
kcm net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
key net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
l2tp l2tp: check sockaddr length in pppol2tp_connect() 2018-04-23 21:10:43 -04:00
l3mdev
lapb
llc llc: fix NULL pointer deref for SOCK_ZAPPED 2018-04-22 14:56:22 -04:00
mac80211 We have a fair number of patches, but many of them are from the 2018-03-29 16:23:26 -04:00
mac802154 net/mac802154: disambiguate mac80215 vs mac802154 trace events 2018-03-28 22:55:18 +02:00
mpls net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ncsi net/ncsi: check for null return from call to nla_nest_start 2018-03-27 10:38:26 -04:00
netfilter netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2 2018-04-19 16:19:28 +02:00
netlabel
netlink netlink: fix uninit-value in netlink_sendmsg 2018-04-07 22:32:31 -04:00
netrom net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-02-19 18:46:11 -05:00
nsh
openvswitch openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found 2018-05-04 12:51:02 -04:00
packet packet: fix bitfield update race 2018-04-24 13:17:08 -04:00
phonet net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
psample
qrtr net: qrtr: add MODULE_ALIAS_NETPROTO macro 2018-04-17 09:58:00 -04:00
rds rds: do not leak kernel memory to user land 2018-05-03 11:26:14 -04:00
rfkill
rose net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
rxrpc rxrpc: Fix undefined packet handling 2018-04-04 11:04:08 -04:00
sched net_sched: fq: take care of throttled flows before reuse 2018-05-02 16:37:38 -04:00
sctp sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-02 11:15:33 -04:00
smc smc: fix sendpage() call 2018-05-03 14:47:31 -04:00
strparser strparser: Do not call mod_delayed_work with a timeout of LONG_MAX 2018-04-22 21:09:16 -04:00
sunrpc rpc_pipefs: fix double-dput() 2018-04-15 23:49:27 -04:00
switchdev
tipc tipc: fix bug in function tipc_nl_node_dump_monitor 2018-04-27 11:03:56 -04:00
tls net/tls: Don't recursively call push_record during tls_write_space callbacks 2018-05-01 18:57:52 -04:00
unix af_unix: remove redundant lockdep class 2018-04-04 11:13:40 -04:00
vmw_vsock VSOCK: make af_vsock.ko removable again 2018-04-17 09:44:30 -04:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-03-31 23:33:04 -04:00
x25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-01 19:49:34 -04:00
compat.c net: support compat 64-bit time in {s,g}etsockopt 2018-04-27 19:46:06 -04:00
Kconfig
Makefile
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2018-04-05 11:56:35 -07:00
sysctl_net.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00