[ovs-git] [openvswitch/ovs] b68d6d: compat: ip6_gre: fix possible use-after-free in ip...

gvrose8192 noreply at github.com
Wed Jul 10 20:04:52 UTC 2019


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: b68d6deaa0e23b9083714ec1c89c10c7a62fa595
      https://github.com/openvswitch/ovs/commit/b68d6deaa0e23b9083714ec1c89c10c7a62fa595
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2019-07-10 (Wed, 10 Jul 2019)

  Changed paths:
    M datapath/linux/compat/ip6_gre.c

  Log Message:
  -----------
  compat: ip6_gre: fix possible use-after-free in ip6erspan_rcv

Upstream commit:
    commit 2a3cabae4536edbcb21d344e7aa8be7a584d2afb
    Author: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
    Date:   Sat Apr 6 17:16:53 2019 +0200

    net: ip6_gre: fix possible use-after-free in ip6erspan_rcv

    erspan_v6 tunnels run __iptunnel_pull_header on received skbs to remove
    erspan header. This can determine a possible use-after-free accessing
    pkt_md pointer in ip6erspan_rcv since the packet will be 'uncloned'
    running pskb_expand_head if it is a cloned gso skb (e.g. if the packet has
    been sent through a veth device). Fix it resetting pkt_md pointer after
    __iptunnel_pull_header

    Fixes: 1d7e2ed22f8d ("net: erspan: refactor existing erspan code")
    Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Fixes: c387d8177f20 ("compat: Add ipv6 GRE and IPV6 Tunneling")
Cc: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
Acked-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 183b5bba434d7e1d8f3eef9565ad0ca06d28dfad
      https://github.com/openvswitch/ovs/commit/183b5bba434d7e1d8f3eef9565ad0ca06d28dfad
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2019-07-10 (Wed, 10 Jul 2019)

  Changed paths:
    M datapath/actions.c

  Log Message:
  -----------
  datapath: fix csum updates for MPLS actions

Upstream commit:
    commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615
    Author: John Hurley <john.hurley at netronome.com>
    Date:   Thu Jun 27 14:37:30 2019 +0100

    net: openvswitch: fix csum updates for MPLS actions

    Skbs may have their checksum value populated by HW. If this is a checksum
    calculated over the entire packet then the CHECKSUM_COMPLETE field is
    marked. Changes to the data pointer on the skb throughout the network
    stack still try to maintain this complete csum value if it is required
    through functions such as skb_postpush_rcsum.

    The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when
    changes are made to packet data without a push or a pull. This occurs when
    the ethertype of the MAC header is changed or when MPLS lse fields are
    modified.

    The modification is carried out using the csum_partial function to get the
    csum of a buffer and add it into the larger checksum. The buffer is an
    inversion of the data to be removed followed by the new data. Because the
    csum is calculated over 16 bits and these values align with 16 bits, the
    effect is the removal of the old value from the CHECKSUM_COMPLETE and
    addition of the new value.

    However, the csum fed into the function and the outcome of the
    calculation are also inverted. This would only make sense if it was the
    new value rather than the old that was inverted in the input buffer.

    Fix the issue by removing the bit inverts in the csum_partial calculation.

    The bug was verified and the fix tested by comparing the folded value of
    the updated CHECKSUM_COMPLETE value with the folded value of a full
    software checksum calculation (reset skb->csum to 0 and run
    skb_checksum_complete(skb)). Prior to the fix the outcomes differed but
    after they produce the same result.

    Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel")
    Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls")
    Signed-off-by: John Hurley <john.hurley at netronome.com>
    Reviewed-by: Jakub Kicinski <jakub.kicinski at netronome.com>
    Reviewed-by: Simon Horman <simon.horman at netronome.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Fixes: ccf4378615e9 ("datapath: Add basic MPLS support to kernel")
Fixes: b51367aad315 ("datapath: update checksum in {push,pop}_mpls")
Cc: John Hurley <john.hurley at netronome.com>
Acked-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/ec61d4707b44...183b5bba434d
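
The checksum arithmetic described in the second commit message, modelled in user space as an added example (not code from the commit or the kernel). `csum_words` is a stand-in for `csum_partial`; the frame words, the `rewrite_ethertype` helper and the 0x0800 to 0x8847 rewrite are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for csum_partial(): add 16-bit words into a 32-bit
 * one's-complement accumulator with end-around carry. */
static uint32_t csum_words(const uint16_t *buf, size_t n, uint32_t sum)
{
    uint64_t acc = sum;
    for (size_t i = 0; i < n; i++)
        acc += buf[i];
    while (acc >> 32)
        acc = (acc & 0xffffffffu) + (acc >> 32);
    return (uint32_t)acc;
}

static uint16_t fold(uint32_t sum)   /* 32 -> 16 bits, no final inversion */
{
    sum = (sum & 0xffff) + (sum >> 16);
    sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Constructed frame as host-order words: two MACs, ethertype, payload. */
enum { NWORDS = 9, ETHERTYPE_IDX = 6 };
static const uint16_t sample[NWORDS] = {
    0x0011, 0x2233, 0x4455, 0x6677, 0x8899, 0xaabb, 0x0800, 0x4500, 0x0054 };

/* Rewrite the ethertype and patch the whole-packet sum incrementally;
 * inverted != 0 models the pre-fix form (sum inverted going in and out).
 * Returns the folded patched sum; *full gets the folded full recompute. */
static uint16_t rewrite_ethertype(uint16_t new_type, int inverted, uint16_t *full)
{
    uint16_t pkt[NWORDS];
    memcpy(pkt, sample, sizeof(pkt));
    uint32_t csum = csum_words(pkt, NWORDS, 0);   /* CHECKSUM_COMPLETE-style sum */
    uint16_t diff[2] = { (uint16_t)~pkt[ETHERTYPE_IDX], new_type };
    pkt[ETHERTYPE_IDX] = new_type;
    csum = inverted ? ~csum_words(diff, 2, ~csum) : csum_words(diff, 2, csum);
    *full = fold(csum_words(pkt, NWORDS, 0));     /* software reference */
    return fold(csum);
}

int main(void)
{
    for (int inv = 0; inv <= 1; inv++) {
        uint16_t full, got = rewrite_ethertype(0x8847, inv, &full);
        printf("inverted=%d patched=0x%04x full=0x%04x\n", inv, got, full);
    }
    return 0;
}
```

With the inversions in place the patched sum moves by old minus new instead of new minus old, so it only agrees with the full recompute when the field is rewritten to the value it already holds.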

