From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrea Righi <andrea.righi@canonical.com>,
Pravin B Shelar <pshelar@ovn.org>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 017/101] openvswitch: fix flow actions reallocation
Date: Mon, 15 Apr 2019 20:58:15 +0200 [thread overview]
Message-ID: <20190415183741.278608168@linuxfoundation.org> (raw)
In-Reply-To: <20190415183740.341577907@linuxfoundation.org>
[ Upstream commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb ]
The flow action buffer can be resized if it's not big enough to contain
all the requested flow actions. However, this resize doesn't take into
account the new requested size, the buffer is only increased by a factor
of 2x. This might be not enough to contain the new data, causing a
buffer overflow, for example:
[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------
[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
Fix by making sure the new buffer is properly resized to contain all the
requested data.
BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index c7b6010b2c09..eab5e8eaddaa 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2306,14 +2306,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
struct sw_flow_actions *acts;
int new_acts_size;
- int req_size = NLA_ALIGN(attr_len);
+ size_t req_size = NLA_ALIGN(attr_len);
int next_offset = offsetof(struct sw_flow_actions, actions) +
(*sfa)->actions_len;
if (req_size <= (ksize(*sfa) - next_offset))
goto out;
- new_acts_size = ksize(*sfa) * 2;
+ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
--
2.19.1
next prev parent reply other threads:[~2019-04-15 19:06 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 18:57 [PATCH 4.19 000/101] 4.19.35-stable review Greg Kroah-Hartman
2019-04-15 18:57 ` [PATCH 4.19 001/101] kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 002/101] drm/i915/gvt: do not let pin count of shadow mm go negative Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 003/101] powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 004/101] hv_netvsc: Fix unwanted wakeup after tx_disable Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 005/101] ibmvnic: Fix completion structure initialization Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 006/101] ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 007/101] ipv6: Fix dangling pointer when ipv6 fragment Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 008/101] ipv6: sit: reset ip header pointer in ipip6_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 009/101] kcm: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 010/101] net: ethtool: not call vzalloc for zero sized memory request Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 011/101] net-gro: Fix GRO flush when receiving a GSO packet Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 012/101] net/mlx5: Decrease default mr cache size Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 013/101] netns: provide pure entropy for net_hash_mix() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 014/101] net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 015/101] net/sched: act_sample: fix divide by zero in the traffic path Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 016/101] net/sched: fix ->get helper of the matchall cls Greg Kroah-Hartman
2019-04-15 18:58 ` Greg Kroah-Hartman [this message]
2019-04-15 18:58 ` [PATCH 4.19 018/101] qmi_wwan: add Olicard 600 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 019/101] r8169: disable ASPM again Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 020/101] sctp: initialize _pad of sockaddr_in before copying to user memory Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 021/101] tcp: Ensure DCTCP reacts to losses Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 022/101] tcp: fix a potential NULL pointer dereference in tcp_sk_exit Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 023/101] vrf: check accept_source_route on the original netdevice Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 024/101] net/mlx5e: Fix error handling when refreshing TIRs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 025/101] net/mlx5e: Add a lock on tir list Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 026/101] nfp: validate the return code from dev_queue_xmit() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 027/101] nfp: disable netpoll on representors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 028/101] bnxt_en: Improve RX consumer index validity check Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 029/101] bnxt_en: Reset device on RX buffer errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 030/101] net: ip_gre: fix possible use-after-free in erspan_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 031/101] net: ip6_gre: fix possible use-after-free in ip6erspan_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 032/101] net: core: netif_receive_skb_list: unlist skb before passing to pt->func Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 033/101] r8169: disable default rx interrupt coalescing on RTL8168 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 034/101] net: mlx5: Add a missing check on idr_find, free buf Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 035/101] net/mlx5e: Update xoff formula Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 036/101] net/mlx5e: Update xon formula Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 037/101] kbuild: deb-pkg: fix bindeb-pkg breakage when O= is used Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 038/101] kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 039/101] x86/vdso: Drop implicit common-page-size linker flag Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 040/101] lib/string.c: implement a basic bcmp Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 041/101] Revert "clk: meson: clean-up clock registration" Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 042/101] netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 043/101] netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 044/101] arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 045/101] tty: mark Siemens R3964 line discipline as BROKEN Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 046/101] tty: ldisc: add sysctl to prevent autoloading of ldiscs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 047/101] hwmon: (w83773g) Select REGMAP_I2C to fix build error Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 048/101] ACPICA: Clear status of GPEs before enabling them Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 049/101] ACPICA: Namespace: remove address node from global list after method termination Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 050/101] ALSA: seq: Fix OOB-reads from strlcpy Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 051/101] ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 052/101] ALSA: hda/realtek - Add quirk for Tuxedo XC 1509 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 053/101] ALSA: hda - Add two more machines to the power_save_blacklist Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 054/101] mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 055/101] arm64: dts: rockchip: fix rk3328 sdmmc0 write errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 056/101] parisc: Detect QEMU earlier in boot process Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 057/101] parisc: regs_return_value() should return gpr28 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 058/101] parisc: also set iaoq_b in instruction_pointer_set() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 059/101] alarmtimer: Return correct remaining time Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 060/101] drm/i915/gvt: do not deliver a workload if its creation fails Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 061/101] drm/udl: add a release method and delay modeset teardown Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 062/101] kvm: svm: fix potential get_num_contig_pages overflow Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 063/101] include/linux/bitrev.h: fix constant bitrev Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 064/101] mm: writeback: use exact memcg dirty counts Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 065/101] ASoC: intel: Fix crash at suspend/resume after failed codec registration Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 066/101] ASoC: fsl_esai: fix channel swap issue when stream starts Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 067/101] Btrfs: do not allow trimming when a fs is mounted with the nologreplay option Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 068/101] btrfs: prop: fix zstd compression parameter validation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 069/101] btrfs: prop: fix vanished compression property after failed set Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 070/101] riscv: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 071/101] block: do not leak memory in bio_copy_user_iov() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 072/101] block: fix the return errno for direct IO Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 073/101] genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 074/101] genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 075/101] virtio: Honour may_reduce_num in vring_create_virtqueue Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 076/101] ARM: dts: rockchip: fix rk3288 cpu opp node reference Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 077/101] ARM: dts: am335x-evmsk: Correct the regulators for the audio codec Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 078/101] ARM: dts: am335x-evm: " Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 079/101] ARM: dts: at91: Fix typo in ISC_D0 on PC9 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 080/101] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 081/101] arm64: dts: rockchip: fix rk3328 rgmii high tx error rate Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 082/101] arm64: backtrace: Dont bother trying to unwind the userspace stack Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 083/101] xen: Prevent buffer overflow in privcmd ioctl Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 084/101] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 085/101] xtensa: fix return_address Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 086/101] x86/asm: Remove dead __GNUC__ conditionals Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 087/101] x86/asm: Use stricter assembly constraints in bitops Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 088/101] x86/perf/amd: Resolve race condition when disabling PMC Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 089/101] x86/perf/amd: Resolve NMI latency issues for active PMCs Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 090/101] x86/perf/amd: Remove need to check "running" bit in NMI handler Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 091/101] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 092/101] PCI: pciehp: Ignore Link State Changes after powering off a slot Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 093/101] dm integrity: change memcmp to strncmp in dm_integrity_ctr Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 094/101] dm: revert 8f50e358153d ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE") Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 095/101] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 096/101] dm integrity: fix deadlock with overlapping I/O Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 097/101] arm64: dts: rockchip: fix vcc_host1_5v pin assign on rk3328-rock64 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 098/101] arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity " Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 099/101] ACPICA: AML interpreter: add region addresses in global list during initialization Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 100/101] KVM: x86: nVMX: close leak of L0s x2APIC MSRs (CVE-2019-3887) Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 101/101] KVM: x86: nVMX: fix x2APIC VTPR read intercept Greg Kroah-Hartman
2019-04-16 0:24 ` [PATCH 4.19 000/101] 4.19.35-stable review kernelci.org bot
2019-04-16 10:34 ` Jon Hunter
2019-04-16 11:21 ` Naresh Kamboju
2019-04-16 16:30 ` Guenter Roeck
2019-04-16 21:39 ` shuah
2019-04-16 22:16 ` Bharath Vedartham
2019-04-17 6:15 ` Greg Kroah-Hartman
2019-04-17 6:16 ` Greg Kroah-Hartman
2019-04-17 16:40 ` Bharath Vedartham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190415183741.278608168@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrea.righi@canonical.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=pshelar@ovn.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).