| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Aug 2017 16:35:03 -0700
From: Pravin Shelar <pshelar@....org>
To: Liping Zhang <zlpnobody@....com>
Cc: Pravin Shelar <pshelar@...ira.com>,
"David S. Miller" <davem@...emloft.net>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
Liping Zhang <zlpnobody@...il.com>,
Neil McKee <neil.mckee@...on.com>
Subject: Re: [PATCH net V2] openvswitch: fix skb_panic due to the incorrect
actions attrlen
On Tue, Aug 15, 2017 at 4:29 AM, Liping Zhang <zlpnobody@....com> wrote:
> From: Liping Zhang <zlpnobody@...il.com>
>
> For sw_flow_actions, the actions_len only represents the kernel part's
> size, and when we dump the actions to the userspace, we will do the
> convertions, so it's true size may become bigger than the actions_len.
>
> But unfortunately, for OVS_PACKET_ATTR_ACTIONS, we use the actions_len
> to alloc the skbuff, so the user_skb's size may become insufficient and
> oops will happen like this:
> skbuff: skb_over_panic: text:ffffffff8148fabf len:1749 put:157 head:
> ffff881300f39000 data:ffff881300f39000 tail:0x6d5 end:0x6c0 dev:<NULL>
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:129!
> [...]
> Call Trace:
> <IRQ>
> [<ffffffff8148be82>] skb_put+0x43/0x44
> [<ffffffff8148fabf>] skb_zerocopy+0x6c/0x1f4
> [<ffffffffa0290d36>] queue_userspace_packet+0x3a3/0x448 [openvswitch]
> [<ffffffffa0292023>] ovs_dp_upcall+0x30/0x5c [openvswitch]
> [<ffffffffa028d435>] output_userspace+0x132/0x158 [openvswitch]
> [<ffffffffa01e6890>] ? ip6_rcv_finish+0x74/0x77 [ipv6]
> [<ffffffffa028e277>] do_execute_actions+0xcc1/0xdc8 [openvswitch]
> [<ffffffffa028e3f2>] ovs_execute_actions+0x74/0x106 [openvswitch]
> [<ffffffffa0292130>] ovs_dp_process_packet+0xe1/0xfd [openvswitch]
> [<ffffffffa0292b77>] ? key_extract+0x63c/0x8d5 [openvswitch]
> [<ffffffffa029848b>] ovs_vport_receive+0xa1/0xc3 [openvswitch]
> [...]
>
> Also we can find that the actions_len is much little than the orig_len:
> crash> struct sw_flow_actions 0xffff8812f539d000
> struct sw_flow_actions {
> rcu = {
> next = 0xffff8812f5398800,
> func = 0xffffe3b00035db32
> },
> orig_len = 1384,
> actions_len = 592,
> actions = 0xffff8812f539d01c
> }
>
> So as a quick fix, use the orig_len instead of the actions_len to alloc
> the user_skb.
>
> Last, this oops happened on our system running a relative old kernel, but
> the same risk still exists on the mainline, since we use the wrong
> actions_len from the beginning.
>
> Fixes: ccea74457bbd ("openvswitch: include datapath actions with sampled-packet upcall to userspace")
> Cc: Neil McKee <neil.mckee@...on.com>
> Signed-off-by: Liping Zhang <zlpnobody@...il.com>
> ---
> V2: move actions_attrlen into ovs_skb_cb, which will make codes more
> clean, suggested by Pravin Shelar.
>
> net/openvswitch/actions.c | 2 ++
> net/openvswitch/datapath.c | 2 +-
> net/openvswitch/datapath.h | 3 +++
> 3 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index e4610676299b..f849ef52853f 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c
> @@ -921,6 +921,7 @@ static int output_userspace(struct datapath *dp, struct sk_buff *skb,
> /* Include actions. */
> upcall.actions = actions;
> upcall.actions_len = actions_len;
> + upcall.actions_attrlen = OVS_CB(skb)->acts_origlen;
OVS_CB acts_origlen should be accessible in upcall_msg_size (), is
there reason to add this member to struct dp_upcall_info?
Powered by blists - more mailing lists