[PATCH openEuler-1.0-LTS] net: openvswitch: limit the number of recursions from action sets - Kernel

2 Mar 2024

From: Aaron Conole aconole@redhat.com
mainline inclusion
from mainline-v6.8-rc3
commit 6e2f90d31fe09f2b852de25125ca875aabd81367
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I91L17
CVE: CVE-2024-1151
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The ovs module allows for some actions to recursively contain an action
list for complex scenarios, such as sampling, checking lengths, etc.
When these actions are copied into the internal flow table, they are
evaluated to validate that such actions make sense, and these calls
happen recursively.
The ovs-vswitchd userspace won't emit more than 16 recursion levels
deep.  However, the module has no such limit and will happily accept
limits larger than 16 levels nested.  Prevent this by tracking the
number of recursions happening and manually limiting it to 16 levels
nested.
The initial implementation of the sample action would track this depth
and prevent more than 3 levels of recursion, but this was removed to
support the clone use case, rather than limited at the current userspace
limit.
Fixes: 798c166173ff ("openvswitch: Optimize sample action for the clone use cases")
Signed-off-by: Aaron Conole aconole@redhat.com
Reviewed-by: Simon Horman horms@kernel.org
Link: https://lore.kernel.org/r/20240207132416.1488485-2-aconole@redhat.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts:
    net/openvswitch/flow_netlink.c
Signed-off-by: Dong Chenchen dongchenchen2@huawei.com
---
 net/openvswitch/flow_netlink.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 5af7254bd749..0c2848facef3 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -60,6 +60,7 @@ struct ovs_len_tbl {
#define OVS_ATTR_NESTED -1
 #define OVS_ATTR_VARIABLE -2
+#define OVS_COPY_ACTIONS_MAX_DEPTH 16
static bool actions_may_change_flow(const struct nlattr *actions)
 {
@@ -2393,13 +2394,14 @@ static inline void add_nested_action_end(struct sw_flow_actions *sfa,
 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
    			  const struct sw_flow_key *key,
    			  struct sw_flow_actions **sfa,
-				  __be16 eth_type, __be16 vlan_tci, bool log);
+				  __be16 eth_type, __be16 vlan_tci, bool log,
+				  u32 depth);
static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
    			    const struct sw_flow_key *key,
    			    struct sw_flow_actions **sfa,
    			    __be16 eth_type, __be16 vlan_tci,
-				    bool log, bool last)
+				    bool log, bool last, u32 depth)
 {
    const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
    const struct nlattr *probability, *actions;
@@ -2450,7 +2452,8 @@ static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
    	return err;
err = __ovs_nla_copy_actions(net, actions, key, sfa,
-				     eth_type, vlan_tci, log);
+				     eth_type, vlan_tci, log,
+				     depth + 1);
if (err)
    	return err;
@@ -2465,7 +2468,7 @@ static int validate_and_copy_clone(struct net *net,
    			   const struct sw_flow_key *key,
    			   struct sw_flow_actions **sfa,
    			   __be16 eth_type, __be16 vlan_tci,
-				   bool log, bool last)
+				   bool log, bool last, u32 depth)
 {
    int start, err;
    u32 exec;
@@ -2485,7 +2488,8 @@ static int validate_and_copy_clone(struct net *net,
    	return err;
err = __ovs_nla_copy_actions(net, attr, key, sfa,
-				     eth_type, vlan_tci, log);
+				     eth_type, vlan_tci, log,
+				     depth + 1);
    if (err)
    	return err;
@@ -2855,12 +2859,16 @@ static int copy_action(const struct nlattr *from,
 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
    			  const struct sw_flow_key *key,
    			  struct sw_flow_actions **sfa,
-				  __be16 eth_type, __be16 vlan_tci, bool log)
+				  __be16 eth_type, __be16 vlan_tci,
+				  bool log, u32 depth)
 {
    u8 mac_proto = ovs_key_mac_proto(key);
    const struct nlattr *a;
    int rem, err;
+	if (depth > OVS_COPY_ACTIONS_MAX_DEPTH)
+		return -EOVERFLOW;
+
    nla_for_each_nested(a, attr, rem) {
    	/* Expected argument lengths, (u32)-1 for variable length. */
    	static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = {
@@ -3008,7 +3016,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
err = validate_and_copy_sample(net, a, key, sfa,
    					       eth_type, vlan_tci,
-						       log, last);
+						       log, last, depth);
    		if (err)
    			return err;
    		skip_copy = true;
@@ -3078,7 +3086,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
err = validate_and_copy_clone(net, a, key, sfa,
    					      eth_type, vlan_tci,
-						      log, last);
+						      log, last, depth);
    		if (err)
    			return err;
    		skip_copy = true;
@@ -3105,7 +3113,8 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
 /* 'key' must be the masked key. */
 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
    		 const struct sw_flow_key *key,
-			 struct sw_flow_actions **sfa, bool log)
+			 struct sw_flow_actions **sfa, bool log
+			 u32 depth)
 {
    int err;
@@ -3115,7 +3124,7 @@ int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
(*sfa)->orig_len = nla_len(attr);
    err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type,
-				     key->eth.vlan.tci, log);
+				     key->eth.vlan.tci, log, 0);
    if (err)
    	ovs_nla_free_flow_actions(*sfa);
-- 
2.25.1


    