Re: [ovs-dev] [PATCH v2] dynamic-string: fix a crash in ds_clone()
On 8/13/21 4:39 AM, Sriharsha Basavapatna via dev wrote: > On Fri, Aug 13, 2021 at 4:07 AM Ilya Maximets wrote: >> >> On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: >>> In netdev_offload_dpdk_flow_create() when an offload request fails, >>> dump_flow() is called to log a warning message. The 's_tnl' string >>> in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally >>> via ds_put_format(). If it is not initialized, it crashes later in >>> dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. >>> >>> To fix this, check if memory for the src string has been allocated, >>> before copying it to the dst string. >>> >>> Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") >>> Signed-off-by: Sriharsha Basavapatna >>> >>> --- >>> >>> v1->v2: fix ds_clone(); ds_cstr() not needed in callers. >> >> Thanks! This version looks good to me. I'd add a few more generic >> words to the commit message, so it will be easier to understand the >> change on older branches, but I can do that before applying the patch. > > Yes, please feel free to update the commit message, thanks ! Thanks! Applied to master and backported down to 2.12. Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v2] dynamic-string: fix a crash in ds_clone()
On Fri, Aug 13, 2021 at 4:07 AM Ilya Maximets wrote: > > On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: > > In netdev_offload_dpdk_flow_create() when an offload request fails, > > dump_flow() is called to log a warning message. The 's_tnl' string > > in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally > > via ds_put_format(). If it is not initialized, it crashes later in > > dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. > > > > To fix this, check if memory for the src string has been allocated, > > before copying it to the dst string. > > > > Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") > > Signed-off-by: Sriharsha Basavapatna > > > > --- > > > > v1->v2: fix ds_clone(); ds_cstr() not needed in callers. > > Thanks! This version looks good to me. I'd add a few more generic > words to the commit message, so it will be easier to understand the > change on older branches, but I can do that before applying the patch. Yes, please feel free to update the commit message, thanks ! > > There supposed to be a separate patch for correct initialization of > s_tnl in the lib/netdev-offload-dpdk.c, as Gaetan suggested. We need > to initialize them with DS_EMPTY_INITIALIZER. Though it will not be > different from the actual memory initialization point of view, it's > a more correct way to work with dynamic string. Something like this: > > @@ -1324,7 +1325,11 @@ netdev_offload_dpdk_mark_rss(struct flow_patterns > *patterns, > struct netdev *netdev, > uint32_t flow_mark) > { > -struct flow_actions actions = { .actions = NULL, .cnt = 0 }; > +struct flow_actions actions = { > +.actions = NULL, > +.cnt = 0, > +.s_tnl = DS_EMPTY_INITIALIZER, > +}; > const struct rte_flow_attr flow_attr = { > .group = 0, > .priority = 0, > --- > > And the same for other initializations of 'struct flow_actions' and > 'struct flow_patterns'. I also noticed that free_flow_patterns() > doesn't destroy the s_tnl, i.e. leaks it. This can be fixed in the > same patch along with correct initialization. > > Could you prepare this kind of patch? Sure, I'll send out a separate patch for this. Thanks, -Harsha > > Best regards, Ilya Maximets. -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v2] dynamic-string: fix a crash in ds_clone()
On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: > In netdev_offload_dpdk_flow_create() when an offload request fails, > dump_flow() is called to log a warning message. The 's_tnl' string > in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally > via ds_put_format(). If it is not initialized, it crashes later in > dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. > > To fix this, check if memory for the src string has been allocated, > before copying it to the dst string. > > Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") > Signed-off-by: Sriharsha Basavapatna > > --- > > v1->v2: fix ds_clone(); ds_cstr() not needed in callers. Thanks! This version looks good to me. I'd add a few more generic words to the commit message, so it will be easier to understand the change on older branches, but I can do that before applying the patch. There supposed to be a separate patch for correct initialization of s_tnl in the lib/netdev-offload-dpdk.c, as Gaetan suggested. We need to initialize them with DS_EMPTY_INITIALIZER. Though it will not be different from the actual memory initialization point of view, it's a more correct way to work with dynamic string. Something like this: @@ -1324,7 +1325,11 @@ netdev_offload_dpdk_mark_rss(struct flow_patterns *patterns, struct netdev *netdev, uint32_t flow_mark) { -struct flow_actions actions = { .actions = NULL, .cnt = 0 }; +struct flow_actions actions = { +.actions = NULL, +.cnt = 0, +.s_tnl = DS_EMPTY_INITIALIZER, +}; const struct rte_flow_attr flow_attr = { .group = 0, .priority = 0, --- And the same for other initializations of 'struct flow_actions' and 'struct flow_patterns'. I also noticed that free_flow_patterns() doesn't destroy the s_tnl, i.e. leaks it. This can be fixed in the same patch along with correct initialization. Could you prepare this kind of patch? Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH v2] dynamic-string: fix a crash in ds_clone()
In netdev_offload_dpdk_flow_create() when an offload request fails, dump_flow() is called to log a warning message. The 's_tnl' string in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally via ds_put_format(). If it is not initialized, it crashes later in dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. To fix this, check if memory for the src string has been allocated, before copying it to the dst string. Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") Signed-off-by: Sriharsha Basavapatna --- v1->v2: fix ds_clone(); ds_cstr() not needed in callers. --- lib/dynamic-string.c | 4 1 file changed, 4 insertions(+) diff --git a/lib/dynamic-string.c b/lib/dynamic-string.c index 6f7b610a9..fd0127ed1 100644 --- a/lib/dynamic-string.c +++ b/lib/dynamic-string.c @@ -460,6 +460,10 @@ ds_chomp(struct ds *ds, int c) void ds_clone(struct ds *dst, struct ds *source) { +if (!source->allocated) { +ds_init(dst); +return; +} dst->length = source->length; dst->allocated = dst->length; dst->string = xmalloc(dst->allocated + 1); -- 2.30.0.349.g30b29f044a -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev