Re: [ovs-dev] [PATCH 1/2] tun_metadata: Fix coredump caused by use-after-free bug

Mon, 06 Apr 2020 17:23:25 -0700 

On Mon, Apr 6, 2020 at 8:47 AM William Tu <u9012...@gmail.com> wrote:
>
> On Thu, Mar 26, 2020 at 12:58:21PM -0700, Yifeng Sun wrote:
> > Tun_metadata can be referened by flow and frozen_state at the same
> > time. When ovs-vswitchd handles TLV table mod message, the involved
> > tun_metadata gets freed. The call trace to free tun_metadata is
> > shown as below:
> >
> > ofproto_run
> > - handle_openflow
> >   - handle_single_part_openflow
> >     - handle_tlv_table_mod
> >       - tun_metadata_table_mod
> >         - tun_metadata_postpone_free
> >
> > Unfortunately, this tun_metadata can be still used by some frozen_state,
> > and later on when frozen_state tries to access its tun_metadata table,
> > ovs-vswitchd crashes. The call trace to access tun_metadata from
> > frozen_state is shown as below:
> >
> > udpif_upcall_handler
> > - recv_upcalls
> >   - process_upcall
> >     - frozen_metadata_to_flow
> >
> > This patch fixes it by introducing a reference count to tun_metadata.
> > Whenever a pointer of tun_metadata is passed between flow and
> > frozen_state, we increase its reference count. Reference count
> > is decreased at deallocation.
> >
> > In present code, pointer of tun_metadata can be passed between flows.
> > It is safe because of RCU mechanism.
> >
> > VMware-BZ: #2526222
> > Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com>
> > ---

Hi Yifeng,

Instead of introducing the ref count, how about just using the latest tun_tab?
The patch below also fixes the use-after-free coredump.

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index 8dfa05b71df4..9046f7d79952 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -1535,6 +1535,7 @@ process_upcall(struct udpif *udpif, struct upcall *upcall,
             }

             frozen_metadata_to_flow(&state->metadata, &frozen_flow);
+            frozen_flow.tunnel.metadata.tab =
ofproto_get_tun_tab(&upcall->ofproto->up);
             flow_get_metadata(&frozen_flow, &am->pin.up.base.flow_metadata);

             ofproto_dpif_send_async_msg(upcall->ofproto, am);
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to