[ovs-dev] [PATCH] ofproto: fix stack-buffer-overflow
Ben Pfaff
blp at ovn.org
Mon Dec 2 20:21:10 UTC 2019
On Fri, Nov 29, 2019 at 04:15:59PM +0530, Numan Siddique wrote:
> On Fri, Nov 29, 2019 at 11:44 AM Linhaifeng <haifeng.lin at huawei.com> wrote:
> >
> > Should use flow->actions not &flow->actions.
> >
> > here is ASAN report:
> > =================================================================
> > ==57189==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffff428fa0e8 at pc 0xffff7f61a520 bp 0xffff428f9420 sp 0xffff428f9498 READ of size 196 at 0xffff428fa0e8 thread T150 (revalidator22)
> > #0 0xffff7f61a51f in __interceptor_memcpy (/lib64/libasan.so.4+0xa251f)
> > #1 0xaaaad26a3b2b in ofpbuf_put lib/ofpbuf.c:426
> > #2 0xaaaad26a30cb in ofpbuf_clone_data_with_headroom lib/ofpbuf.c:248
> > #3 0xaaaad26a2e77 in ofpbuf_clone_with_headroom lib/ofpbuf.c:218
> > #4 0xaaaad26a2dc3 in ofpbuf_clone lib/ofpbuf.c:208
> > #5 0xaaaad23e3993 in ukey_set_actions ofproto/ofproto-dpif-upcall.c:1640
> > #6 0xaaaad23e3f03 in ukey_create__ ofproto/ofproto-dpif-upcall.c:1696
> > #7 0xaaaad23e553f in ukey_create_from_dpif_flow ofproto/ofproto-dpif-upcall.c:1806
> > #8 0xaaaad23e65fb in ukey_acquire ofproto/ofproto-dpif-upcall.c:1984
> > #9 0xaaaad23eb583 in revalidate ofproto/ofproto-dpif-upcall.c:2625
> > #10 0xaaaad23dee5f in udpif_revalidator ofproto/ofproto-dpif-upcall.c:1076
> > #11 0xaaaad26b84ef in ovsthread_wrapper lib/ovs-thread.c:708
> > #12 0xffff7e74a8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
> > #13 0xffff7e0665cb in thread_start (/lib64/libc.so.6+0xd55cb)
> >
> > Address 0xffff428fa0e8 is located in stack of thread T150 (revalidator22) at offset 328 in frame
> > #0 0xaaaad23e4cab in ukey_create_from_dpif_flow ofproto/ofproto-dpif-upcall.c:1762
> >
> > This frame has 4 object(s):
> > [32, 96) 'actions'
> > [128, 192) 'buf'
> > [224, 328) 'full_flow'
> > [384, 2432) 'stub' <== Memory access at offset 328 partially underflows this variable
> > HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
> > (longjmp and C++ exceptions *are* supported) Thread T150 (revalidator22) created by T0 here:
> > #0 0xffff7f5b0f7f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f7f)
> > #1 0xaaaad26b891f in ovs_thread_create lib/ovs-thread.c:792
> > #2 0xaaaad23dc62f in udpif_start_threads ofproto/ofproto-dpif-upcall.c:639
> > #3 0xaaaad23daf87 in ofproto_set_flow_table ofproto/ofproto-dpif-upcall.c:446
> > #4 0xaaaad230ff7f in dpdk_evs_cfg_set vswitchd/bridge.c:1134
> > #5 0xaaaad2310097 in bridge_reconfigure vswitchd/bridge.c:1148
> > #6 0xaaaad23279d7 in bridge_run vswitchd/bridge.c:3944
> > #7 0xaaaad23365a3 in main vswitchd/ovs-vswitchd.c:240
> > #8 0xffff7dfb1adf in __libc_start_main (/lib64/libc.so.6+0x20adf)
> > #9 0xaaaad230a3d3 (/usr/sbin/ovs-vswitchd-2.7.0-1.1.RC5.001.asan+0x26f3d3)
> >
> > SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.4+0xa251f) in __interceptor_memcpy Shadow bytes around the buggy address:
> > 0x200fe851f3c0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00
> > 0x200fe851f3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f3f0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
> > 0x200fe851f400: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
> > =>0x200fe851f410: 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2
> > 0x200fe851f420: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 0x200fe851f460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes):
> > Addressable: 00
> > Partially addressable: 01 02 03 04 05 06 07
> > Heap left redzone: fa
> > Freed heap region: fd
> > Stack left redzone: f1
> > Stack mid redzone: f2
> > Stack right redzone: f3
> > Stack after return: f5
> > Stack use after scope: f8
> > Global redzone: f9
> > Global init order: f6
> > Poisoned by user: f7
> > Container overflow: fc
> > Array cookie: ac
> > Intra object redzone: bb
> > ASan internal: fe
> > Left alloca redzone: ca
> > Right alloca redzone: cb
> > ==57189==ABORTING
> >
> > Signed-off-by: Linhaifeng <haifeng.lin at huawei.com>
>
> Acked-by: Numan Siddique <numans at ovn.org>
Linhaifeng, this is a great catch. Thank you. I applied this to master
and backported it.
I also checked through the source tree for other, similar issues. I did
not find any.
More information about the dev
mailing list