On 3 May 2024, at 1:36, Ilya Maximets wrote:

> While tracing NAT actions, a pointer to the action may be stored in the
> recirculation node for future reference.  However, while translating
> actions for the group bucket in xlate_group_bucket, the action list is
> allocated temporarily on the stack.  So, in case the group translation
> leads to NAT, the stack pointer can be stored in the recirculation node
> and accessed later by the tracing mechanism when this stack memory is
> long gone:
>
>  ==396230==ERROR: AddressSanitizer: stack-use-after-return on address
>  0x191844 at pc 0x64222a bp 0xa5da10 sp 0xa5da08
>  READ of size 1 at 0x191844 thread T0
>   0 0x642229 in ofproto_trace_recirc_node ofproto/ofproto-dpif-trace.c:704:49
>   1 0x642229 in ofproto_trace ofproto/ofproto-dpif-trace.c:867:9
>   2 0x6434c1 in ofproto_unixctl_trace ofproto/ofproto-dpif-trace.c:489:9
>   3 0xc1e491 in process_command lib/unixctl.c:310:13
>   4 0xc1e491 in run_connection lib/unixctl.c:344:17
>   5 0xc1e491 in unixctl_server_run lib/unixctl.c:395:21
>   6 0x53eedf in main ovs/vswitchd/ovs-vswitchd.c:131:9
>   7 0x2be087 in __libc_start_call_main
>   8 0x2be14a in __libc_start_main@GLIBC_2.2.5
>   9 0x42dee4 in _start (vswitchd/ovs-vswitchd+0x42dee4)
>
>  Address 0x191844 is located in stack of thread T0 at offset 68 in frame
>   0 0x6d391f in xlate_group_bucket ofproto/ofproto-dpif-xlate.c:4751
>
>   This frame has 3 object(s):
>     [32, 1056) 'action_list_stub' (line 4760) <== Memory access at
>                                                   offset 68 is inside
>                                                   this variable
>     [1184, 1248) 'action_list' (line 4761)
>     [1280, 1344) 'action_set' (line 4762)
>
>  SUMMARY: AddressSanitizer: stack-use-after-return
>    ofproto/ofproto-dpif-trace.c:704:49 in ofproto_trace_recirc_node
>
> Fix that by copying the action.
>
> Fixes: d072d2de011b ("ofproto-dpif-trace: Improve NAT tracing.")
> Reported-by: Ales Musil <amu...@redhat.com>
> Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
> ---

Thanks for the patch, and adding a test case.

Acked-by: Eelco Chaudron <echau...@redhat.com>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
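
The bug class and the fix described in the quoted commit message, as an added example that is not part of the original mail or the Open vSwitch patch: a long-lived node keeps a pointer into a temporary on-stack action buffer, and the fix gives the node its own copy. All struct and function names are hypothetical stand-ins, not OVS code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the OVS structures (names are assumptions). */
struct nat_action { uint16_t type; uint16_t len; uint8_t flags; };
struct recirc_node { struct nat_action *nat_act; /* read later by the tracer */ };

/* Build one action in a temporary buffer, as a bucket translation would. */
static void build_actions(uint64_t *stub, uint8_t flags)
{
    struct nat_action a = { .type = 1, .len = sizeof a, .flags = flags };
    memcpy(stub, &a, sizeof a);
}

#ifdef SHOW_BUG   /* not compiled by default: the later read is undefined */
static void bucket_translate_buggy(struct recirc_node *node, uint8_t flags)
{
    uint64_t action_list_stub[1024 / 8];
    build_actions(action_list_stub, flags);
    node->nat_act = (struct nat_action *) action_list_stub; /* dangles on return */
}
#endif

/* Fixed form: the node owns a heap copy that outlives this stack frame. */
static int bucket_translate_fixed(struct recirc_node *node, uint8_t flags)
{
    uint64_t action_list_stub[1024 / 8];
    build_actions(action_list_stub, flags);
    node->nat_act = malloc(sizeof *node->nat_act);
    if (!node->nat_act) {
        return -1;
    }
    memcpy(node->nat_act, action_list_stub, sizeof *node->nat_act);
    return 0;
}

/* Reuse the stack region so a stale pointer would no longer see old data. */
static uint64_t clobber_stack(void)
{
    volatile uint64_t junk[1024 / 8];
    uint64_t sum = 0;
    for (size_t i = 0; i < 1024 / 8; i++) { junk[i] = ~(uint64_t) 0; sum ^= junk[i]; }
    return sum;
}

/* The deferred read, standing in for the tracer visiting the node later. */
static int trace_nat_flags(const struct recirc_node *node)
{
    return node->nat_act ? node->nat_act->flags : -1;
}

/* The copy must be released together with the node that owns it. */
static void recirc_node_destroy(struct recirc_node *node)
{
    free(node->nat_act);
    node->nat_act = NULL;
}
```

The copy moves ownership into the node, so whatever frees the node also has to free the copied action.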