Bug 2058227
| Summary: | Fix buffer overflow on large labels | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Balazs Nemeth <bnemeth> | |
| Component: | iproute | Assignee: | Andrea Claudi <aclaudi> | |
| Status: | CLOSED ERRATA | QA Contact: | Li Shuang <shuali> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.6 | CC: | aclaudi, jiji, mleitner, network-qe, shuali | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | 8.7 | Flags: | pm-rhel: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | iproute-5.18.0-1.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2058228 2099364 | Environment: | ||
| Last Closed: | 2022-11-08 10:52:53 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2074607 | |||
| Bug Blocks: | 2099364 | |||
*** Bug 2058226 has been marked as a duplicate of this bug. ***

Reproduce with iproute-tc-5.15.0-4.el8.x86_64:

```
# sh repro.sh
+ rep1=eth0
+ rep2=eth1
+ ct_label=12345678123456781234567812345678/12345678123456781234567812345678
+ tc qdisc add dev eth0 ingress
+ tc qdisc add dev eth1 ingress
+ tc filter add dev eth0 ingress prio 1 chain 0 protocol arp flower action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 0 protocol arp flower action mirred egress redirect dev eth0
+ tc filter add dev eth0 ingress prio 2 chain 0 protocol ip flower ct_state -trk action ct action goto chain 1
+ tc filter add dev eth1 ingress prio 2 chain 0 protocol ip flower ct_state -trk action ct action goto chain 1
+ tc filter add dev eth0 ingress prio 1 chain 1 protocol ip flower ct_state +trk+new action ct label 12345678123456781234567812345678/12345678123456781234567812345678 commit action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 1 protocol ip flower ct_state +trk+new action ct label 12345678123456781234567812345678/12345678123456781234567812345678 commit action mirred egress redirect dev eth0
+ tc filter add dev eth0 ingress prio 1 chain 1 protocol ip flower ct_state +trk+est ct_label 12345678123456781234567812345678/12345678123456781234567812345678 action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 1 protocol ip flower ct_state +trk+est ct_label 12345678123456781234567812345678/12345678123456781234567812345678 action mirred egress redirect dev eth0
+ tc -s filter show dev eth0 ingress
filter protocol arp pref 1 flower chain 0
filter protocol arp pref 1 flower chain 0 handle 0x1
  eth_type arp
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth1) stolen
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 2 flower chain 0
filter protocol ip pref 2 flower chain 0 handle 0x1
  eth_type ipv4
  ct_state -trk
  in_hw in_hw_count 1
        action order 1: ct zone 0 pipe
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

        action order 2: gact action goto chain 1
        random type none pass val 0
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 1 flower chain 1
filter protocol ip pref 1 flower chain 1 handle 0x1
  eth_type ipv4
  ct_state +trk+new
  not_in_hw
        action order 1: ct commit zone 0 label 12345678123456781234567812345678/12345678123456781234567812345678 pipe
        index 3 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

        action order 2: mirred (Egress Redirect to device eth1) stolen
        index 3 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter protocol ip pref 1 flower chain 1 handle 0x2
  eth_type ipv4
  ct_state +trk+est
  ct_label 12345678123456781234567812345678/123456781234567812345678123456    <--- incomplete ct_label mask due to buffer overflow
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth1) stolen
        index 5 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

+ tc -s filter show dev eth1 ingress
filter protocol arp pref 1 flower chain 0
filter protocol arp pref 1 flower chain 0 handle 0x1
  eth_type arp
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth0) stolen
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 2 flower chain 0
filter protocol ip pref 2 flower chain 0 handle 0x1
  eth_type ipv4
  ct_state -trk
  in_hw in_hw_count 1
        action order 1: ct zone 0 pipe
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

        action order 2: gact action goto chain 1
        random type none pass val 0
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 1 flower chain 1
filter protocol ip pref 1 flower chain 1 handle 0x1
  eth_type ipv4
  ct_state +trk+new
  not_in_hw
        action order 1: ct commit zone 0 label 12345678123456781234567812345678/12345678123456781234567812345678 pipe
        index 4 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

        action order 2: mirred (Egress Redirect to device eth0) stolen
        index 4 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter protocol ip pref 1 flower chain 1 handle 0x2
  eth_type ipv4
  ct_state +trk+est
  ct_label 12345678123456781234567812345678/123456781234567812345678123456    <--- incomplete ct_label mask due to buffer overflow
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth0) stolen
        index 6 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

+ tc qdisc del dev eth0 ingress
+ tc qdisc del dev eth1 ingress
# rpm -q iproute-tc
iproute-tc-5.15.0-4.el8.x86_64
```

Verify with iproute-tc-5.18.0-1.el8.x86_64:

```
# sh repro.sh
+ rep1=eth0
+ rep2=eth1
+ ct_label=12345678123456781234567812345678/12345678123456781234567812345678
+ tc qdisc add dev eth0 ingress
+ tc qdisc add dev eth1 ingress
+ tc filter add dev eth0 ingress prio 1 chain 0 protocol arp flower action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 0 protocol arp flower action mirred egress redirect dev eth0
+ tc filter add dev eth0 ingress prio 2 chain 0 protocol ip flower ct_state -trk action ct action goto chain 1
+ tc filter add dev eth1 ingress prio 2 chain 0 protocol ip flower ct_state -trk action ct action goto chain 1
+ tc filter add dev eth0 ingress prio 1 chain 1 protocol ip flower ct_state +trk+new action ct label 12345678123456781234567812345678/12345678123456781234567812345678 commit action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 1 protocol ip flower ct_state +trk+new action ct label 12345678123456781234567812345678/12345678123456781234567812345678 commit action mirred egress redirect dev eth0
+ tc filter add dev eth0 ingress prio 1 chain 1 protocol ip flower ct_state +trk+est ct_label 12345678123456781234567812345678/12345678123456781234567812345678 action mirred egress redirect dev eth1
+ tc filter add dev eth1 ingress prio 1 chain 1 protocol ip flower ct_state +trk+est ct_label 12345678123456781234567812345678/12345678123456781234567812345678 action mirred egress redirect dev eth0
+ tc -s filter show dev eth0 ingress
filter protocol arp pref 1 flower chain 0
filter protocol arp pref 1 flower chain 0 handle 0x1
  eth_type arp
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth1) stolen
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 2 flower chain 0
filter protocol ip pref 2 flower chain 0 handle 0x1
  eth_type ipv4
  ct_state -trk
  in_hw in_hw_count 1
        action order 1: ct zone 0 pipe
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

        action order 2: gact action goto chain 1
        random type none pass val 0
        index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 1 flower chain 1
filter protocol ip pref 1 flower chain 1 handle 0x1
  eth_type ipv4
  ct_state +trk+new
  not_in_hw
        action order 1: ct commit zone 0 label 12345678123456781234567812345678/12345678123456781234567812345678 pipe
        index 3 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

        action order 2: mirred (Egress Redirect to device eth1) stolen
        index 3 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter protocol ip pref 1 flower chain 1 handle 0x2
  eth_type ipv4
  ct_state +trk+est
  ct_label 12345678123456781234567812345678/12345678123456781234567812345678    <--- complete ct_label mask
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth1) stolen
        index 5 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

+ tc -s filter show dev eth1 ingress
filter protocol arp pref 1 flower chain 0
filter protocol arp pref 1 flower chain 0 handle 0x1
  eth_type arp
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth0) stolen
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 2 flower chain 0
filter protocol ip pref 2 flower chain 0 handle 0x1
  eth_type ipv4
  ct_state -trk
  in_hw in_hw_count 1
        action order 1: ct zone 0 pipe
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

        action order 2: gact action goto chain 1
        random type none pass val 0
        index 2 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 1 flower chain 1
filter protocol ip pref 1 flower chain 1 handle 0x1
  eth_type ipv4
  ct_state +trk+new
  not_in_hw
        action order 1: ct commit zone 0 label 12345678123456781234567812345678/12345678123456781234567812345678 pipe
        index 4 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

        action order 2: mirred (Egress Redirect to device eth0) stolen
        index 4 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter protocol ip pref 1 flower chain 1 handle 0x2
  eth_type ipv4
  ct_state +trk+est
  ct_label 12345678123456781234567812345678/12345678123456781234567812345678    <--- complete ct_label mask
  in_hw in_hw_count 1
        action order 1: mirred (Egress Redirect to device eth0) stolen
        index 6 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        used_hw_stats delayed

+ tc qdisc del dev eth0 ingress
+ tc qdisc del dev eth1 ingress
# rpm -q iproute-tc
iproute-tc-5.18.0-1.el8.x86_64
```

Nominating for 8.6.z so OCP 4.11 can benefit from it. WDYT Andrea? I'll set stream+ if you agree with it.

Yes, I'm ok with it. Thanks Marcelo.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iproute bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7752

Missing the following patch: tc: 73590d957314 ("tc: flower: Fix buffer overflow on large labels") Without this patch, tc filter show crashes on BF-2 due to a very long ct label.
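
The mask cut to 30 hex digits in the QA log is what a 64-byte buffer yields for a 65-character `label/mask` string, and the sketch below reproduces that length arithmetic with a bounded formatter. This is an added example, not iproute2 code and not part of the bug report: `format_ct_label`, `put` and the 64-byte `SMALL_BUF` are assumptions, the size being inferred from the 63 characters tc printed.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_BYTES 16                        /* ct_label is 128 bits */
#define SMALL_BUF   64                        /* assumed size: fits the 63 chars in the report */
#define FULL_BUF    (LABEL_BYTES * 2 * 2 + 2) /* 32 hex + '/' + 32 hex + NUL = 66 */

/* Constructed sample: the 12345678... label and mask used by repro.sh. */
static const unsigned char SAMPLE[LABEL_BYTES] = {
    0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
    0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78 };

/* Store c at out[pos] only if a terminating NUL still fits after it. */
static size_t put(char *out, size_t cap, size_t pos, char c)
{
    if (pos + 1 < cap)
        out[pos] = c;
    return pos + 1;     /* length the output would have had, unbounded */
}

/* Format "label/mask" as hex. Returns 0 if it fit, -1 if it was truncated;
 * out is NUL-terminated either way and never written past out[cap - 1]. */
int format_ct_label(char *out, size_t cap,
                    const unsigned char *label, const unsigned char *mask)
{
    static const char hex[] = "0123456789abcdef";
    size_t pos = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < 2 * LABEL_BYTES; i++) {
        unsigned char b = i < LABEL_BYTES ? label[i] : mask[i - LABEL_BYTES];
        if (i == LABEL_BYTES)
            pos = put(out, cap, pos, '/');
        pos = put(out, cap, pos, hex[b >> 4]);
        pos = put(out, cap, pos, hex[b & 0xf]);
    }
    out[pos < cap ? pos : cap - 1] = '\0';
    return pos < cap ? 0 : -1;
}

int main(void)
{
    char small[SMALL_BUF], full[FULL_BUF];
    int rc = format_ct_label(small, sizeof(small), SAMPLE, SAMPLE);
    printf("%2d %s\n", rc, small);   /* mask loses its last two digits */
    rc = format_ct_label(full, sizeof(full), SAMPLE, SAMPLE);
    printf("%2d %s\n", rc, full);
    return 0;
}
```

The -1 return is the signal a caller should check: a silently truncated mask reads as a different match than the one installed in the kernel.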