Fast Datapath Product / FDP-616

openvswitch crashes because of a potential lookup race condition

    • Bug
    • Resolution: Done
    • openvswitch3.3
    • rhel-net-ovs-dpdk
    • ssg_networking

      In case packets in both directions start to get sent almost simultaneously (i.e. RTP packets in a VoIP call), there's a chance that packets in the reverse direction go successfully through the lookup, potentially relying on fields of the resulting conn that have not yet been initialized, which in turn leads to a crash.

      ASAN trace:

      ==99240==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120013c5f18 at pc 0x55d3408a8696 bp 0x7f699fae7490 sp 0x7f699fae7480
      READ of size 8 at 0x6120013c5f18 thread T24
          #0 0x55d3408a8695 in conn_key_lookup (/usr/sbin/ovs-vswitchd+0x3225695)
          #1 0x55d3408b23c5 in conntrack_execute (/usr/sbin/ovs-vswitchd+0x322f3c5)
          #2 0x55d3404665c9 in dp_execute_cb.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x2de35c9)
          #3 0x55d34052a7b8 in odp_execute_actions (/usr/sbin/ovs-vswitchd+0x2ea77b8)
          #4 0x55d34045faf3 in fast_path_processing (/usr/sbin/ovs-vswitchd+0x2ddcaf3)
          #5 0x55d340462f5a in dp_netdev_input__.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x2ddff5a)
          #6 0x55d340467a28 in dp_execute_cb.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x2de4a28)
          #7 0x55d34052a7b8 in odp_execute_actions (/usr/sbin/ovs-vswitchd+0x2ea77b8)
          #8 0x55d34045faf3 in fast_path_processing (/usr/sbin/ovs-vswitchd+0x2ddcaf3)
          #9 0x55d340462f5a in dp_netdev_input__.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x2ddff5a)
          #10 0x55d340463b60 in dp_netdev_input (/usr/sbin/ovs-vswitchd+0x2de0b60)
          #11 0x55d34043c13e in dp_netdev_process_rxq_port.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x2db913e)
          #12 0x55d34045a16b in pmd_thread_main (/usr/sbin/ovs-vswitchd+0x2dd716b)
          #13 0x55d340654fda in ovsthread_wrapper (/usr/sbin/ovs-vswitchd+0x2fd1fda)
          #14 0x7f69abe9f801 in start_thread (/lib64/libc.so.6+0x9f801)
          #15 0x7f69abe3f44f in __GI___clone3 (/lib64/libc.so.6+0x3f44f)
      0x6120013c5f18 is located 24 bytes to the right of 320-byte region [0x6120013c5dc0,0x6120013c5f00)
      allocated by thread T21 here:
          #0 0x7f69acab4bd7 in calloc (/lib64/libasan.so.6+0xb4bd7)
          #1 0x55d3409347bd in other_new_conn.lto_priv.0 (/usr/sbin/ovs-vswitchd+0x32b17bd)
      Thread T24 created by T0 here:
          #0 0x7f69aca587d5 in pthread_create (/lib64/libasan.so.6+0x587d5)
          #1 0x55d34064ed6d in ovs_thread_create (/usr/sbin/ovs-vswitchd+0x2fcbd6d)
          #2 0x55d340caeba7  (/usr/sbin/ovs-vswitchd+0x362bba7)
      Thread T21 created by T0 here:
          #0 0x7f69aca587d5 in pthread_create (/lib64/libasan.so.6+0x587d5)
          #1 0x55d34064ed6d in ovs_thread_create (/usr/sbin/ovs-vswitchd+0x2fcbd6d)
          #2 0x55d340caeba7  (/usr/sbin/ovs-vswitchd+0x362bba7)
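
The ordering problem described above, reduced to a single-slot lookup table as an added example (it is not Open vSwitch code and not the change made for this issue). The struct, field and function names are hypothetical, and the second thread is simulated by calling the reverse lookup at the point where it could run, so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified entry; not the Open vSwitch struct conn. */
struct conn {
    int nat_port;   /* Field the reverse-direction path relies on. */
    bool ready;     /* True once every field is filled in. */
};

enum observed { MISS, HIT_UNINITIALIZED, HIT_READY };
struct result { enum observed during, after; };

/* Single slot standing in for the reverse-direction lookup entry. */
static _Atomic(struct conn *) rev_slot;

/* What a reverse-direction packet on another thread sees right now. */
static enum observed reverse_lookup(void)
{
    struct conn *c = atomic_load_explicit(&rev_slot, memory_order_acquire);
    if (!c) {
        return MISS;    /* Treated as "no connection yet". */
    }
    return c->ready ? HIT_READY : HIT_UNINITIALIZED;
}

/* Creates an entry; 'during' is what a concurrent reverse lookup observes
 * between the two creation steps, 'after' once creation has finished. */
static struct result create_conn(bool publish_before_init)
{
    struct conn *c = calloc(1, sizeof *c);
    struct result r = { MISS, MISS };
    if (!c) abort();
    if (publish_before_init) {  /* Racy: visible first, filled in later. */
        atomic_store_explicit(&rev_slot, c, memory_order_release);
        r.during = reverse_lookup();
    }
    c->nat_port = 5004;         /* Constructed sample value. */
    c->ready = true;
    if (!publish_before_init) { /* Safe: filled in first, then visible. */
        r.during = reverse_lookup();
        atomic_store_explicit(&rev_slot, c, memory_order_release);
    }
    r.after = reverse_lookup();
    atomic_store_explicit(&rev_slot, NULL, memory_order_release);
    free(c);
    return r;
}
```

With the racy order the concurrent lookup hits an entry whose fields are still zeroed; with the safe order it misses until the release store makes the fully initialized entry visible.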
      

              pvalerio@redhat.com Paolo Valerio
              Qijun Ding