[ovs-git] [openvswitch/ovs] 8d2441: ofp-actions: Fix use-after-free in bundle action.

GitHub noreply at github.com
Thu Mar 3 22:19:56 UTC 2016


  Branch: refs/heads/branch-2.3
  Home:   https://github.com/openvswitch/ovs
  Commit: 8d24418b8f320278cd7f4e6c726dba920b892ae1
      https://github.com/openvswitch/ovs/commit/8d24418b8f320278cd7f4e6c726dba920b892ae1
  Author: Joe Stringer <joe at ovn.org>
  Date:   2016-03-03 (Thu, 03 Mar 2016)

  Changed paths:
    M lib/bundle.c

  Log Message:
  -----------
  ofp-actions: Fix use-after-free in bundle action.

Upstream commit 19b58f3cbcb3191432eefba3a504376399cc07a7.

If the actions list in an incoming flow mod is long enough, and there is
a bundle() action with 3 or more slaves, then it is possible for a
reallocation to occur after placing the ofpact_bundle into the ofpacts
buffer, while slave ports into the buffer. If the memory freed by this
reallocation is then passed to another thread, then that thread may
modify the value that bundle->n_slaves points to. If this occurs quickly
enough before the main thread finishes copying all of the slaves, then
the iteration may continue beyond the originally intended number of
slaves, copying (and swapping) an undetermined number of 2-byte chunks
from the openflow message. Finally, the length of the ofpact will be
updated based on how much data was written to the buffer, which may be
significantly longer than intended.

In many cases, the freed memory may not be allocated to another thread
and be left untouched. In some milder bug cases, this will lead to
'bundle' actions using more memory than required. In more serious cases,
this length may then exceed the maximum length of an OpenFlow action,
which is then stored (truncated) into the 16-bit length field in the
ofpact header. Later execution of ofpacts_verify() would then use this
length to iterate through the ofpacts, and may dereference memory in
unintended ways, causing crashes or infinite loops by attempting to
parse/validate arbitrary data as ofpact objects.

Fix the issue by updating 'bundle' within the iteration, immediately
after (potentially) expanding the bundle.

Thanks to Jarno Rajahalme for his keen pair of eyes on finding this
issue.

VMWare-BZ: #1614715
Fixes: f25d0cf3c366 ("Introduce ofpacts, an abstraction of OpenFlow actions.")
Signed-off-by: Joe Stringer <joe at ovn.org>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: ad0099ef0554bea7df4006e71756020947c52c66
      https://github.com/openvswitch/ovs/commit/ad0099ef0554bea7df4006e71756020947c52c66
  Author: Joe Stringer <joe at ovn.org>
  Date:   2016-03-03 (Thu, 03 Mar 2016)

  Changed paths:
    M lib/ofp-actions.c

  Log Message:
  -----------
  ofp-actions: Prevent integer overflow in decode.

Upstream commit 5308056f53406e75d211f73a2847f9ebdf9c91c8.

When decoding a variable-length action, if the length of the action
exceeds the length storable in a uint16_t then something has gone
terribly wrong. Assert that this is not the case.

Signed-off-by: Joe Stringer <joe at ovn.org>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/4c4061722785...ad0099ef0554


More information about the git mailing list