lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <eac68895-5450-41ca-a30e-2273b9787e86@ovn.org>
Date: Thu, 4 Dec 2025 12:36:55 +0100
From: Ilya Maximets <i.maximets@....org>
To: Eelco Chaudron <echaudro@...hat.com>
Cc: i.maximets@....org, netdev@...r.kernel.org,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org,
 dev@...nvswitch.org, Aaron Conole <aconole@...hat.com>,
 Willy Tarreau <w@....eu>, LePremierHomme <kwqcheii@...ton.me>,
 Junvy Yang <zhuque@...cent.com>
Subject: Re: [PATCH net] net: openvswitch: fix middle attribute validation in
 push_nsh() action

On 12/4/25 12:03 PM, Eelco Chaudron wrote:
> 
> 
> On 4 Dec 2025, at 11:53, Ilya Maximets wrote:
> 
>> The push_nsh() action structure looks like this:
>>
>>  OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
>>
>> The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
>> nla_for_each_nested() inside __ovs_nla_copy_actions().  The innermost
>> OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
>> inside nsh_key_put_from_nlattr().  But nothing checks if the attribute
>> in the middle is OK.  We don't even check that this attribute is the
>> OVS_KEY_ATTR_NSH.  We just do a double unwrap with a pair of nla_data()
>> calls - first time directly while calling validate_push_nsh() and the
>> second time as part of the nla_for_each_nested() macro, which isn't
>> safe, potentially causing invalid memory access if the size of this
>> attribute is incorrect.  The failure may not be noticed during
>> validation due to larger netlink buffer, but cause trouble later during
>> action execution where the buffer is allocated exactly to the size:
>>
>>  BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>>  Read of size 184 at addr ffff88816459a634 by task a.out/22624
>>
>>  CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
>>  Call Trace:
>>   <TASK>
>>   dump_stack_lvl+0x51/0x70
>>   print_address_description.constprop.0+0x2c/0x390
>>   kasan_report+0xdd/0x110
>>   kasan_check_range+0x35/0x1b0
>>   __asan_memcpy+0x20/0x60
>>   nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>>   push_nsh+0x82/0x120 [openvswitch]
>>   do_execute_actions+0x1405/0x2840 [openvswitch]
>>   ovs_execute_actions+0xd5/0x3b0 [openvswitch]
>>   ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
>>   genl_family_rcv_msg_doit+0x1d6/0x2b0
>>   genl_family_rcv_msg+0x336/0x580
>>   genl_rcv_msg+0x9f/0x130
>>   netlink_rcv_skb+0x11f/0x370
>>   genl_rcv+0x24/0x40
>>   netlink_unicast+0x73e/0xaa0
>>   netlink_sendmsg+0x744/0xbf0
>>   __sys_sendto+0x3d6/0x450
>>   do_syscall_64+0x79/0x2c0
>>   entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>   </TASK>
>>
>> Let's add some checks that the attribute is properly sized and it's
>> the only one attribute inside the action.  Technically, there is no
>> real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
>> pushing an NSH header already, it just creates extra nesting, but
>> that's how uAPI works today.  So, keeping as it is.
>>
>> Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
>> Reported-by: Junvy Yang <zhuque@...cent.com>
>> Signed-off-by: Ilya Maximets <i.maximets@....org>
> 
> Thanks, Ilya, for fixing this. One small nit about logging, but overall it looks good to me.
> 
> Acked-by: Eelco Chaudron echaudro@...hat.com
> 
>> ---
>>  net/openvswitch/flow_netlink.c | 13 ++++++++++---
>>  1 file changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
>> index 1cb4f97335d8..2d536901309e 100644
>> --- a/net/openvswitch/flow_netlink.c
>> +++ b/net/openvswitch/flow_netlink.c
>> @@ -2802,13 +2802,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
>>  	return err;
>>  }
>>
>> -static bool validate_push_nsh(const struct nlattr *attr, bool log)
>> +static bool validate_push_nsh(const struct nlattr *a, bool log)
>>  {
>> +	struct nlattr *nsh_key = nla_data(a);
>>  	struct sw_flow_match match;
>>  	struct sw_flow_key key;
>>
>> +	/* There must be one and only one NSH header. */
>> +	if (!nla_ok(nsh_key, nla_len(a)) ||
>> +	    nla_total_size(nla_len(nsh_key)) != nla_len(a) ||
>> +	    nla_type(nsh_key) != OVS_KEY_ATTR_NSH)
> 
> Should we consider adding some logging based on the log flag here? Not a blocker,
> just noticed that nsh_key_put_from_nlattr() logs similar validation cases and
> wondered if we want the same consistency.

Our logging is not really consistent, we do not log in the same case for the
validate_set(), for example.  And I'm not sure if the log here would be useful
as it is very unlikely we can hit this condition without manually crafting the
attribute to be wrong.  We'll have a log later about garbage trailing data,
which should prompt a user to look at what they are sending down.

In general, we should convert all the logging here into extack, as logs are
very inconvenient and not specific enough in most cases.

But I can add something like this, if needed:

  OVS_NLERR(log, "push_nsh: Expected a single NSH header");

What do you think?

Best regards, Ilya Maximets.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ