CVE-2021-46955

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: fix stack OOB read while fragmenting IPv4 packets

running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets:

BUG: KASAN: stack-out-of-bounds in ipdofragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367

CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dumpstack+0x92/0xc1 printaddressdescription.constprop.7+0x1a/0x150 kasanreport.cold.13+0x7f/0x111 ipdofragment+0x1b03/0x1f60 ovsfragment+0x5bf/0x840 [openvswitch] doexecuteactions+0x1bd5/0x2400 [openvswitch] ovsexecuteactions+0xc8/0x3d0 [openvswitch] ovspacketcmdexecute+0xa39/0x1150 [openvswitch] genlfamilyrcvmsgdoit.isra.15+0x227/0x2d0 genlrcvmsg+0x287/0x490 netlinkrcvskb+0x120/0x380 genlrcv+0x24/0x40 netlinkunicast+0x439/0x630 netlinksendmsg+0x719/0xbf0 socksendmsg+0xe2/0x110 _syssendmsg+0x5ba/0x890 syssendmsg+0xe9/0x160 _syssendmsg+0xd3/0x170 dosyscall64+0x33/0x40 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0

The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected

addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch]

this frame has 2 objects: [32, 144) 'ovsdst' [192, 424) 'ovsrt'

Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00

ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00

for IPv4 packets, ovsfragment() uses a temporary struct dstentry. Then, in the following call graph:

ipdofragment() ipskbdstmtu() ipdstmtumaybeforward() ipmtu_locked()

the pointer to struct dstentry is used as pointer to struct rtable: this turns the access to struct members like rtmtulocked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovsfragment(), similarly to what is done for IPv6 few lines below.