Paolo Valerio 24f0f311a0 openvswitch: fix OOB access in reserve_sfa_size() ... commit cefa91b233 upstream. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, if next_offset is greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE bytes increasing actions_len by req_size. This can then lead to an OOB write access, especially when further actions need to be copied. Fix it by rearranging the flow action size check. KASAN splat below: ================================================================== BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch] Write of size 65360 at addr ffff888147e4001c by task handler15/836 CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x5a print_report.cold+0x5e/0x5db ? __lock_text_start+0x8/0x8 ? reserve_sfa_size+0x1ba/0x380 [openvswitch] kasan_report+0xb5/0x130 ? reserve_sfa_size+0x1ba/0x380 [openvswitch] kasan_check_range+0xf5/0x1d0 memcpy+0x39/0x60 reserve_sfa_size+0x1ba/0x380 [openvswitch] __add_action+0x24/0x120 [openvswitch] ovs_nla_add_action+0xe/0x20 [openvswitch] ovs_ct_copy_action+0x29d/0x1130 [openvswitch] ? __kernel_text_address+0xe/0x30 ? unwind_get_return_address+0x56/0xa0 ? create_prof_cpu_mask+0x20/0x20 ? ovs_ct_verify+0xf0/0xf0 [openvswitch] ? prep_compound_page+0x198/0x2a0 ? __kasan_check_byte+0x10/0x40 ? kasan_unpoison+0x40/0x70 ? ksize+0x44/0x60 ? reserve_sfa_size+0x75/0x380 [openvswitch] __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch] ? __zone_watermark_ok+0x420/0x420 ? validate_set.constprop.0+0xc90/0xc90 [openvswitch] ? __alloc_pages+0x1a9/0x3e0 ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0 ? unwind_next_frame+0x991/0x1e40 ? __mod_node_page_state+0x99/0x120 ? __mod_lruvec_page_state+0x2e3/0x470 ? __kasan_kmalloc_large+0x90/0xe0 ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch] ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch] ... Cc: stable@vger.kernel.org Fixes: f28cd2af22 ("openvswitch: fix flow actions reallocation") Signed-off-by: Paolo Valerio <pvalerio@redhat.com> Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2022-04-27 14:41:14 +02:00
..
6lowpan
9p	xen/9p: use alloc/free_pages_exact()	2022-03-07 09:48:55 +01:00
802	net: 802: Use memset_startat() to clear struct fields	2021-11-19 11:23:23 +00:00
8021q	vlan: move dev_put into vlan_dev_uninit	2022-02-09 13:33:39 +00:00
appletalk
atm	proc: remove PDE_DATA() completely	2022-01-22 08:33:37 +02:00
ax25	ax25: Fix UAF bugs in ax25 timers	2022-04-20 09:36:28 +02:00
batman-adv	ipv6: make mc_forwarding atomic	2022-04-13 19:27:12 +02:00
bluetooth	Bluetooth: Fix use after free in hci_send_acl	2022-04-13 19:27:22 +02:00
bpf	bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide	2022-04-13 19:27:40 +02:00
bpfilter
bridge	net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled	2022-02-16 20:35:00 -08:00
caif	Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2021-12-31 14:35:40 +00:00
can	can: isotp: stop timeout monitoring when no first frame was sent	2022-04-27 14:41:01 +02:00
ceph	libceph: optionally use bounce buffer on recv path in crc mode	2022-02-02 18:50:36 +01:00
core	net/sched: flower: fix parsing of ethertype following VLAN header	2022-04-20 09:36:12 +02:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-03 08:01:55 -08:00
dccp	dccp: Inline dccp_listen_start().	2021-11-23 20:16:22 -08:00
decnet	Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2021-12-31 14:35:40 +00:00
dns_resolver
dsa	net: dsa: hellcreek: Calculate checksums in tagger	2022-04-27 14:41:02 +02:00
ethernet	gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers	2021-11-24 17:21:42 -08:00
ethtool	ethtool: use phydev variable	2022-01-06 12:33:35 +00:00
hsr	net: Write lock dev_base_lock without disabling bottom halves.	2021-11-29 12:12:36 +00:00
ieee802154	net: ieee802154: Return meaningful error codes from the netlink helpers	2022-01-27 08:20:47 +01:00
ife
ipv4	esp: limit skb_page_frag_refill use to a single page	2022-04-27 14:40:58 +02:00
ipv6	ipv6: make ip6_rt_gc_expire an atomic_t	2022-04-27 14:41:01 +02:00
iucv	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
kcm	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
key	af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register	2022-03-10 07:39:47 +01:00
l2tp	l2tp: add netns refcount tracker to l2tp_dfs_seq_data	2021-12-10 06:38:27 -08:00
l3mdev	l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu	2022-04-27 14:41:01 +02:00
lapb
llc	llc: only change llc->dev when bind() succeeds	2022-03-28 10:03:22 +02:00
mac80211	mac80211: fix ht_capa printout in debugfs	2022-04-20 09:36:14 +02:00
mac802154
mctp	mctp: Use output netdev to allocate skb headroom	2022-04-13 19:27:29 +02:00
mpls	net: mpls: Fix GCC 12 warning	2022-02-10 15:29:39 +00:00
mptcp	mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb	2022-04-08 13:58:21 +02:00
ncsi	all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate	2022-01-15 08:47:31 -08:00
netfilter	netfilter: nf_tables: nft_parse_register can return a negative value	2022-04-20 09:36:16 +02:00
netlabel	netlabel: fix out-of-bounds memory accesses	2022-04-13 19:27:22 +02:00
netlink	netlink: reset network and mac headers in netlink_dump()	2022-04-27 14:41:02 +02:00
netrom	netrom: fix api breakage in nr_setsockopt()	2022-01-07 14:11:05 +00:00
nfc	nfc: nci: add flush_workqueue to prevent uaf	2022-04-20 09:36:17 +02:00
nsh
openvswitch	openvswitch: fix OOB access in reserve_sfa_size()	2022-04-27 14:41:14 +02:00
packet	net/packet: fix packet_sock xmit return value checking	2022-04-27 14:41:00 +02:00
phonet	phonet/pep: refuse to enable an unbound pipe	2021-12-20 11:49:51 +00:00
psample
qrtr	bus: mhi: core: Add an API for auto queueing buffers for DL channel	2021-12-17 17:17:14 +01:00
rds	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2021-12-16 16:13:19 -08:00
rfkill	rfkill: make new event layout opt-in	2022-04-08 13:57:27 +02:00
rose	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
rxrpc	rxrpc: Restore removed timer deletion	2022-04-27 14:40:59 +02:00
sched	net/sched: cls_u32: fix possible leak in u32_init_knode()	2022-04-27 14:41:01 +02:00
sctp	sctp: Initialize daddr on peeled off socket	2022-04-20 09:36:16 +02:00
smc	net/smc: Fix sock leak when release after smc_shutdown()	2022-04-27 14:41:00 +02:00
strparser	bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding	2021-11-09 01:05:28 +01:00
sunrpc	SUNRPC: Fix NFSD's request deferral on RDMA transports	2022-04-20 09:36:24 +02:00
switchdev	net: switchdev: add net device refcount tracker	2021-12-07 20:44:58 -08:00
tipc	tipc: fix the timer expires after interval 100ms	2022-04-08 13:58:22 +02:00
tls	net/tls: fix slab-out-of-bounds bug in decrypt_internal	2022-04-13 19:27:28 +02:00
unix	af_unix: Support POLLPRI for OOB.	2022-04-08 13:59:00 +02:00
vmw_vsock	vsock/virtio: enable VQs early on probe	2022-04-08 13:58:32 +02:00
wireless	nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size	2022-04-20 09:36:26 +02:00
x25	net/x25: Fix null-ptr-deref caused by x25_disconnect	2022-04-08 13:58:34 +02:00
xdp	xsk: Do not write NULL in SW ring at allocation failure	2022-04-08 13:59:03 +02:00
xfrm	Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0"	2022-03-06 08:38:28 +01:00
compat.c
devres.c
Kconfig	net: kunit: add a test for dev_addr_lists	2021-11-20 12:25:57 +00:00
Kconfig.debug	net: add networking namespace refcount tracker	2021-12-10 06:38:26 -08:00
Makefile
socket.c	net: fix documentation for kernel_getsockname	2022-02-14 14:01:19 +00:00
sysctl_net.c	sections: move and rename core_kernel_data() to is_kernel_core_data()	2021-11-09 10:02:50 -08:00