On 5/3/24 11:29, Eelco Chaudron wrote:
> 
> 
> On 3 May 2024, at 1:36, Ilya Maximets wrote:
> 
>> While tracing NAT actions, a pointer to the action may be stored in the
>> recirculation node for future reference.  However, while translating
>> actions for the group bucket in xlate_group_bucket, the action list is
>> allocated temporarily on the stack.  So, in case the group translation
>> leads to NAT, the stack pointer can be stored in the recirculation node
>> and accessed later by the tracing mechanism when this stack memory is
>> long gone:
>>
>>  ==396230==ERROR: AddressSanitizer: stack-use-after-return on address
>>  0x191844 at pc 0x64222a bp 0xa5da10 sp 0xa5da08
>>  READ of size 1 at 0x191844 thread T0
>>   0 0x642229 in ofproto_trace_recirc_node ofproto/ofproto-dpif-trace.c:704:49
>>   1 0x642229 in ofproto_trace ofproto/ofproto-dpif-trace.c:867:9
>>   2 0x6434c1 in ofproto_unixctl_trace ofproto/ofproto-dpif-trace.c:489:9
>>   3 0xc1e491 in process_command lib/unixctl.c:310:13
>>   4 0xc1e491 in run_connection lib/unixctl.c:344:17
>>   5 0xc1e491 in unixctl_server_run lib/unixctl.c:395:21
>>   6 0x53eedf in main ovs/vswitchd/ovs-vswitchd.c:131:9
>>   7 0x2be087 in __libc_start_call_main
>>   8 0x2be14a in __libc_start_main@GLIBC_2.2.5
>>   9 0x42dee4 in _start (vswitchd/ovs-vswitchd+0x42dee4)
>>
>>  Address 0x191844 is located in stack of thread T0 at offset 68 in frame
>>   0 0x6d391f in xlate_group_bucket ofproto/ofproto-dpif-xlate.c:4751
>>
>>   This frame has 3 object(s):
>>     [32, 1056) 'action_list_stub' (line 4760) <== Memory access at
>>                                                   offset 68 is inside
>>                                                   this variable
>>     [1184, 1248) 'action_list' (line 4761)
>>     [1280, 1344) 'action_set' (line 4762)
>>
>>  SUMMARY: AddressSanitizer: stack-use-after-return
>>    ofproto/ofproto-dpif-trace.c:704:49 in ofproto_trace_recirc_node
>>
>> Fix that by copying the action.
>>
>> Fixes: d072d2de011b ("ofproto-dpif-trace: Improve NAT tracing.")
>> Reported-by: Ales Musil <amu...@redhat.com>
>> Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
>> ---
> 
> Thanks for the patch, and adding a test case.
> 
> Acked-by: Eelco Chaudron <echau...@redhat.com>
> 

Thanks, Adrian and Eelco!

Applied and backported down to 2.17.

Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
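
The lifetime bug described in the commit message above, reduced to a stand-alone C sketch (an added example, not code from the patch or from Open vSwitch): the queued node duplicates the action instead of keeping a pointer into the translating function's stack frame. All type and function names here are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this sketch; not Open vSwitch types. */
struct nat_action { uint16_t len; uint8_t flags; uint8_t body[13]; };
struct recirc_node { struct nat_action *nat_act; };  /* node owns its copy */

/* Queue a node for a later tracing pass.  The unsafe form would be
 * "node->nat_act = (struct nat_action *) act;", which keeps a pointer into
 * the caller's frame.  The safe form duplicates the action on the heap. */
struct recirc_node *recirc_node_create(const struct nat_action *act)
{
    struct recirc_node *node = calloc(1, sizeof *node);
    if (node && act) {
        node->nat_act = malloc(sizeof *act);
        if (!node->nat_act) {
            free(node);
            return NULL;
        }
        *node->nat_act = *act;      /* copy outlives the caller's stack */
    }
    return node;
}

void recirc_node_destroy(struct recirc_node *node)
{
    if (node) {
        free(node->nat_act);
        free(node);
    }
}

/* Models the bucket translation: the action lives in a stack variable that
 * is gone as soon as this function returns. */
struct recirc_node *translate_bucket(uint8_t flags)
{
    struct nat_action stub = { .len = sizeof stub, .flags = flags };
    return recirc_node_create(&stub);
}

/* Overwrites stack memory, as calls made after the translation would. */
void clobber_stack(void)
{
    volatile uint8_t junk[256];
    for (size_t i = 0; i < sizeof junk; i++) { junk[i] = 0xAA; }
}

/* Later tracing step: reads the action after translation has finished. */
int trace_node_flags(const struct recirc_node *node)
{
    return node && node->nat_act ? node->nat_act->flags : -1;
}
```

Building the unsafe form with `-fsanitize=address` and running it with `ASAN_OPTIONS=detect_stack_use_after_return=1` produces the same class of report as the one quoted in the commit message.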
