Bug 1806881
| Summary: | [OVN][ovn-controller] Buffer overread in pinctrl_compose_ipv6 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Dumitru Ceara <dceara> | |
| Component: | ovn2.13 | Assignee: | Dumitru Ceara <dceara> | |
| Status: | CLOSED ERRATA | QA Contact: | Jianlin Shi <jishi> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | FDP 20.A | CC: | ctrautma, jishi, ralongi | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ovn2.13-2.13.0-7.el8fdp ovn2.13-2.13.0-7.el7fdp | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1806884 (view as bug list) | Environment: | ||
| Last Closed: | 2020-11-10 15:23:30 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1806884 | |||
|
Description
Dumitru Ceara
2020-02-25 09:19:09 UTC
Fix posted upstream for review by Ben Pfaff: https://patchwork.ozlabs.org/patch/1243716/ reproduced on commit 2c9cdc64590cddc47cc25cd803248c045f868e65:
clone repo: git://pkgs.devel.redhat.com/rpms/ovn2.13
reset to commit: git reset 2c9cdc64590cddc47cc25cd803248c045f868e65 --hard
rhpkg prep
yum install libasan
cd ovn-2.13.0/ovs-8ae6a5f98c3ad57d10220596054f6a0c4d6ea358
./configure CFLAGS="-fsanitize=address"
make -j 10
cd ..
./configure CFLAGS="-fsanitize=address" --with-ovs-source=/root/ovn2.13/ovn-2.13.0/ovs-8ae6a5f98c3ad57d10220596054f6a0c4d6ea358/
make -j 10
make check TESTSUITEFLAGS="-k mld"
AddressSanitizer in tests/testsuite.dir/116/asan.29550:
==29550==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fc1b5f409b6 at pc 0x000000674d88
2 bp 0x7fc1b5f40680 sp 0x7fc1b5f40670
READ of size 1 at 0x7fc1b5f409b6 thread T1 (ovn_pinctrl0)
#0 0x674d81 in packet_rh_present (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x674d81)
#1 0x6757c8 in packet_set_ipv6 (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x6757c8)
#2 0x43b885 in pinctrl_compose_ipv6 (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x43b885)
#3 0x43f908 in ip_mcast_querier_send_mld (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x433
f908)
#4 0x4401b2 in ip_mcast_querier_send (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x4401b22
)
#5 0x4402d3 in ip_mcast_querier_run (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x4402d3)
#6 0x43424a in pinctrl_handler (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x43424a)
#7 0x639b40 in ovsthread_wrapper (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x639b40)
#8 0x7fc1b939d2dd in start_thread (/lib64/libpthread.so.0+0x82dd)
#9 0x7fc1b8b43132 in __GI___clone (/lib64/libc.so.6+0xfc132)
Address 0x7fc1b5f409b6 is located in stack of thread T1 (ovn_pinctrl0) at offset 326 in frame
#0 0x43f6e5 in ip_mcast_querier_send_mld (/root/ovn2.13/ovn-2.13.0/controller/ovn-controller+0x433
f6e5)
verified on commit 523f20f0752bba1dcee38d895e573ec526eb5bf6:
set /bin/sh './tests/testsuite' -C tests AUTOTEST_PATH=/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//utilities:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//vswitchd:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//ovsdb:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//vtep:tests:::controller-vtep:northd:utilities:controller:ic; \
"$@" -k mld || (test X'' = Xyes && "$@" --recheck)
## ---------------------- ##
## ovn 2.13.0 test suite. ##
## ---------------------- ##
116: ovn -- MLD snoop/querier/relay ok
## ------------- ##
## Test results. ##
## ------------- ##
1 test was successful.
make[2]: Leaving directory '/root/ovn2.13/ovn-2.13.0'
make[1]: Leaving directory '/root/ovn2.13/ovn-2.13.0'
[root@hp-dl380pg8-12 ovn-2.13.0]# git log -1
commit 523f20f0752bba1dcee38d895e573ec526eb5bf6 (HEAD -> rhel8, origin/fast-datapath-rhel-8)
Author: Numan Siddique <nusiddiq>
Date: Fri Mar 13 01:08:26 2020 +0530
Rebase to ovn2.13-2.13.0-4.el7fdn
Squashed commit of the following:
commit 03e2ace701b7412e71face1de2ca3f577b9436a6
Author: Numan Siddique <nusiddiq>
Date: Fri Mar 13 01:05:21 2020 +0530
Backport "ovn-northd: Add lflows to by pass the svc monitor packets from conntrack".
Resolves: #1813046
Signed-off-by: Numan Siddique <nusiddiq>
Verified on the latest commit:
[root@hp-dl380pg8-13 ovn2.13]# git log --oneline -1 .
b601c51 (HEAD -> rhel8, origin/fast-datapath-rhel-8) Rebase to ovn2.13-2.13.0-18.el7fdn
make tests/atlocal
make[2]: Entering directory '/root/ovn2.13/ovn-2.13.0'
make[2]: 'tests/atlocal' is up to date.
make[2]: Leaving directory '/root/ovn2.13/ovn-2.13.0'
make check-local
make[2]: Entering directory '/root/ovn2.13/ovn-2.13.0'
set /bin/sh './tests/testsuite' -C tests AUTOTEST_PATH=/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//utilities:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//vswitchd:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//ovsdb:/root/ovn2.13/ovn-2.13.0/openvswitch-2.13.0//vtep:tests:::controller-vtep:northd:utilities:controller:ic; \
"$@" -k mld || (test X'' = Xyes && "$@" --recheck)
## ---------------------- ##
## ovn 2.13.0 test suite. ##
## ---------------------- ##
116: ovn -- MLD snoop/querier/relay ok
## ------------- ##
## Test results. ##
## ------------- ##
1 test was successful.
make[2]: Leaving directory '/root/ovn2.13/ovn-2.13.0'
make[1]: Leaving directory '/root/ovn2.13/ovn-2.13.0'
All these bugs have been verified and have shipped in FDP 20.G or earlier. |