| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <65A94C49-E5B2-46FC-92CC-7BAA4F0B3E7E@redhat.com>
Date: Thu, 04 Dec 2025 14:22:32 +0100
From: Eelco Chaudron <echaudro@...hat.com>
To: Ilya Maximets <i.maximets@....org>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
linux-kernel@...r.kernel.org, dev@...nvswitch.org,
Aaron Conole <aconole@...hat.com>, Willy Tarreau <w@....eu>,
LePremierHomme <kwqcheii@...ton.me>, Junvy Yang <zhuque@...cent.com>
Subject: Re: [PATCH net] net: openvswitch: fix middle attribute validation in
push_nsh() action
On 4 Dec 2025, at 12:36, Ilya Maximets wrote:
> On 12/4/25 12:03 PM, Eelco Chaudron wrote:
>>
>>
>> On 4 Dec 2025, at 11:53, Ilya Maximets wrote:
>>
>>> The push_nsh() action structure looks like this:
>>>
>>> OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
>>>
>>> The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
>>> nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
>>> OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
>>> inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
>>> in the middle is OK. We don't even check that this attribute is the
>>> OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
>>> calls - first time directly while calling validate_push_nsh() and the
>>> second time as part of the nla_for_each_nested() macro, which isn't
>>> safe, potentially causing invalid memory access if the size of this
>>> attribute is incorrect. The failure may not be noticed during
>>> validation due to larger netlink buffer, but cause trouble later during
>>> action execution where the buffer is allocated exactly to the size:
>>>
>>> BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>>> Read of size 184 at addr ffff88816459a634 by task a.out/22624
>>>
>>> CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
>>> Call Trace:
>>> <TASK>
>>> dump_stack_lvl+0x51/0x70
>>> print_address_description.constprop.0+0x2c/0x390
>>> kasan_report+0xdd/0x110
>>> kasan_check_range+0x35/0x1b0
>>> __asan_memcpy+0x20/0x60
>>> nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
>>> push_nsh+0x82/0x120 [openvswitch]
>>> do_execute_actions+0x1405/0x2840 [openvswitch]
>>> ovs_execute_actions+0xd5/0x3b0 [openvswitch]
>>> ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
>>> genl_family_rcv_msg_doit+0x1d6/0x2b0
>>> genl_family_rcv_msg+0x336/0x580
>>> genl_rcv_msg+0x9f/0x130
>>> netlink_rcv_skb+0x11f/0x370
>>> genl_rcv+0x24/0x40
>>> netlink_unicast+0x73e/0xaa0
>>> netlink_sendmsg+0x744/0xbf0
>>> __sys_sendto+0x3d6/0x450
>>> do_syscall_64+0x79/0x2c0
>>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>> </TASK>
>>>
>>> Let's add some checks that the attribute is properly sized and it's
>>> the only one attribute inside the action. Technically, there is no
>>> real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
>>> pushing an NSH header already, it just creates extra nesting, but
>>> that's how uAPI works today. So, keeping as it is.
>>>
>>> Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
>>> Reported-by: Junvy Yang <zhuque@...cent.com>
>>> Signed-off-by: Ilya Maximets <i.maximets@....org>
>>
>> Thanks, Ilya, for fixing this. One small nit about logging, but overall it looks good to me.
>>
>> Acked-by: Eelco Chaudron echaudro@...hat.com
>>
>>> ---
>>> net/openvswitch/flow_netlink.c | 13 ++++++++++---
>>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
>>> index 1cb4f97335d8..2d536901309e 100644
>>> --- a/net/openvswitch/flow_netlink.c
>>> +++ b/net/openvswitch/flow_netlink.c
>>> @@ -2802,13 +2802,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
>>> return err;
>>> }
>>>
>>> -static bool validate_push_nsh(const struct nlattr *attr, bool log)
>>> +static bool validate_push_nsh(const struct nlattr *a, bool log)
>>> {
>>> + struct nlattr *nsh_key = nla_data(a);
>>> struct sw_flow_match match;
>>> struct sw_flow_key key;
>>>
>>> + /* There must be one and only one NSH header. */
>>> + if (!nla_ok(nsh_key, nla_len(a)) ||
>>> + nla_total_size(nla_len(nsh_key)) != nla_len(a) ||
>>> + nla_type(nsh_key) != OVS_KEY_ATTR_NSH)
>>
>> Should we consider adding some logging based on the log flag here? Not a blocker,
>> just noticed that nsh_key_put_from_nlattr() logs similar validation cases and
>> wondered if we want the same consistency.
>
> Our logging is not really consistent, we do not log in the same case for the
> validate_set(), for example. And I'm not sure if the log here would be useful
> as it is very unlikely we can hit this condition without manually crafting the
> attribute to be wrong. We'll have a log later about garbage trailing data,
> which should prompt a user to look at what they are sending down.
>
> In general, we should convert all the logging here into extack, as logs are
> very inconvenient and not specific enough in most cases.
>
> But I can add something like this, if needed:
>
> OVS_NLERR(log, "push_nsh: Expected a single NSH header");
>
> What do you think?
Reading your feedback, I’m fine with leaving it as is.
//Eelco
Powered by blists - more mailing lists