[ovs-git] [openvswitch/ovs] 6ebb13: datapath: fix flow actions reallocation

Ben Pfaff noreply at github.com
Mon Apr 15 16:32:30 UTC 2019


  Branch: refs/heads/branch-2.5
  Home:   https://github.com/openvswitch/ovs
  Commit: 6ebb130853abee5b3ebcd6141f05f1f3aabc1f7e
      https://github.com/openvswitch/ovs/commit/6ebb130853abee5b3ebcd6141f05f1f3aabc1f7e
  Author: Andrea Righi <andrea.righi at canonical.com>
  Date:   2019-04-15 (Mon, 15 Apr 2019)

  Changed paths:
    M datapath/flow_netlink.c

  Log Message:
  -----------
  datapath: fix flow actions reallocation

Upstream commit:
    commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb
    Author: Andrea Righi <andrea.righi at canonical.com>
    Date:   Thu Mar 28 07:36:00 2019 +0100

    openvswitch: fix flow actions reallocation

    The flow action buffer can be resized if it's not big enough to contain
    all the requested flow actions. However, this resize doesn't take into
    account the new requested size; the buffer is only increased by a factor
    of 2x. This might not be enough to contain the new data, causing a
    buffer overflow, for example:

    [   42.044472] =============================================================================
    [   42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
    [   42.046415] -----------------------------------------------------------------------------

    [   42.047715] Disabling lock debugging due to kernel taint
    [   42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
    [   42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
    [   42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb

    [   42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
    [   42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
    [   42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
    [   42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
    [   42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
    [   42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ

    Fix by making sure the new buffer is properly resized to contain all the
    requested data.

    BugLink: https://bugs.launchpad.net/bugs/1813244
    Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Cc: Andrea Righi <andrea.righi at canonical.com>
Acked-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
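
Added example, not part of the commit or of the Open vSwitch sources: a userspace C model of the sizing error the log message describes, comparing a doubling-only resize with one that also covers the requested size. The names (act_buf, grow_double_only, grow_to_fit, reserve, try_reserve) and the byte counts are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model of a growable action buffer (not OVS code). */
struct act_buf { unsigned char *data; size_t cap, len; };
typedef size_t (*grow_fn)(size_t cap, size_t len, size_t req);

/* Sizing described as buggy: doubles and ignores the requested size. */
static size_t grow_double_only(size_t cap, size_t len, size_t req)
{
    (void)len; (void)req;
    return cap * 2;
}

/* Sizing described as the fix: large enough for all requested data. */
static size_t grow_to_fit(size_t cap, size_t len, size_t req)
{
    size_t need = len + req, doubled = cap * 2;
    return need > doubled ? need : doubled;
}

/* Reserve req bytes at the tail. Returns the offset of the reserved region,
 * or -1 when the new size cannot hold it (where the overflow would occur). */
static long reserve(struct act_buf *b, size_t req, grow_fn grow)
{
    if (req > SIZE_MAX - b->len)
        return -1;                         /* len + req would wrap */
    if (b->len + req > b->cap) {
        size_t ncap = grow(b->cap, b->len, req);
        if (ncap < b->len + req)
            return -1;                     /* write would pass the allocation */
        unsigned char *p = realloc(b->data, ncap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memset(b->data + b->len, 0, req);      /* stand-in for copying an action */
    b->len += req;
    return (long)(b->len - req);
}

/* Constructed case: a buffer of cap bytes with len in use, asked for req more. */
static long try_reserve(size_t cap, size_t len, size_t req, grow_fn grow)
{
    struct act_buf b = { malloc(cap), cap, len };
    long off = b.data ? reserve(&b, req, grow) : -1;
    free(b.data);
    return off;
}
```

With a constructed 32-byte buffer holding 24 bytes, a 100-byte request is refused under the doubling-only sizing (64 bytes is less than the 124 needed) and succeeds under the corrected sizing; a 16-byte request fits either way.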



