author Takashi Iwai <tiwai@suse.de> 2019-02-20 12:35:52 +0100
committer Takashi Iwai <tiwai@suse.de> 2019-02-20 12:36:02 +0100
commit 8967b2376640cad4c6acb2f692c6fa9e4e7efc58
tree d774ef17655078e2e1c72b86263ba89168424a8c
parent 5f9b897381b0ce5e0b44ada8c571f077849cdd47
openvswitch: Avoid OOB read when parsing flow nlattrs
(bsc#1051510).
-rw-r--r-- patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch 39
-rw-r--r-- series.conf 1
2 files changed, 40 insertions, 0 deletions
diff --git a/patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch b/patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch
new file mode 100644
index 0000000000..8e6ce7936d
--- /dev/null
+++ b/patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch
@@ -0,0 +1,39 @@
+From 04a4af334b971814eedf4e4a413343ad3287d9a9 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 14 Jan 2019 09:16:56 +0000
+Subject: [PATCH] openvswitch: Avoid OOB read when parsing flow nlattrs
+Git-commit: 04a4af334b971814eedf4e4a413343ad3287d9a9
+Patch-mainline: v5.0-rc3
+References: bsc#1051510
+
+For nested and variable attributes, the expected length of an attribute
+is not known and marked by a negative number. This results in an OOB
+read when the expected length is later used to check if the attribute is
+all zeros. Fix this by using the actual length of the attribute rather
+than the expected length.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/openvswitch/flow_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 435a4bdf8f89..691da853bef5 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
+ return -EINVAL;
+ }
+
+- if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
++ if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
+ attrs |= 1 << type;
+ a[type] = nla;
+ }
+--
+2.16.4
+
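Review bot: The changed `is_all_zero(nla_data(nla), nla_len(nla))` call in `__parse_flow_nlattrs` has no comment explaining why `expected_len` must not be used as the scan length. The description says that value is negative for nested and variable-length attributes, so a one-line comment above the `if (!nz || ...)` test would keep a later cleanup from restoring the old argument. It is also worth confirming that the length check ending in `return -EINVAL` just above still runs for every attribute type before this point, because the scan now trusts the attribute's own length and covers the whole payload of nested and variable attributes. The header carries `Git-commit` and `Patch-mainline` but no `Fixes:` line; naming the commit that introduced the `expected_len` use would help decide which other branches need the same backport.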
diff --git a/series.conf b/series.conf
index 32761c6ffc..dafd068374 100644
--- a/series.conf
+++ b/series.conf
@@ -20275,6 +20275,7 @@
patches.fixes/blockdev-Fix-livelocks-on-loop-device.patch
patches.drivers/scsi-qedi-add-ep_state-for-login-completion-on-un-reachable-targets
patches.fixes/acpi-nfit-fix-race-accessing-memdev-in-nfit_get_smbios_id.patch
+ patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch
patches.drivers/amd-xgbe-Fix-mdio-access-for-non-zero-ports-and-clau.patch
patches.fixes/bpf-fix-inner-map-masking-to-prevent-oob-under-specu.patch
patches.fixes/pstore-ram-Avoid-allocation-and-leak-of-platform-dat.patch
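Review bot: The new `patches.fixes/openvswitch-Avoid-OOB-read-when-parsing-flow-nlattrs.patch` entry is inserted mid-list, between the acpi-nfit and amd-xgbe entries, and nothing in the commit message says why that position was chosen. Since this file is an ordered series, please confirm the position matches the ordering this section follows and that no patch listed earlier already changes the same `is_all_zero()` line in `net/openvswitch/flow_netlink.c`, otherwise the one-line hunk will not apply cleanly.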