Loading...

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.5
Affects Version/s: None
Component/s: kernel / Networking / OVS
Labels:
None

Fixed in Build:
kernel-5.14.0-451.el9
Regression:
None
Severity:
Important

Pool Team:

rhel-sst-network-fastdatapath
Sub-System Group:

ssg_networking

Dev Target Milestone:
10
Internal Target Milestone:
12
Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
Pass
Testable Builds:

Hide
The following Merge Request has pipeline job artifacts available:

Title: net: openvswitch: limit the number of recursions from action sets
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3929
MR Pipeline: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/pipelines/1273871726

The Repo URLs are *not* accessible from a web browser! They only function as a dnf or yum baseurl.

Artifacts expire six weeks after creation. If artifacts are needed after that time please rerun the pipeline by visiting the MR's 'Pipelines' tab and clicking the 'Run pipeline' button.

----------------------------------------

Downstream Pipeline Name: RHEL_COMPAT (c9s_rhel9_compat_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871815
Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/1273871815/$basearch/5.14.0-445.3929_1273871726.el9.$basearch
Debug Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/1273871815/$basearch-debug/5.14.0-445.3929_1273871726.el9.$basearch

5.14.0-445.3929_1273871726.el9.s390x-debug:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_s390x_debug/6752460382/artifacts/repo/5.14.0-445.3929_1273871726.el9.s390x/

5.14.0-445.3929_1273871726.el9.s390x:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_s390x/6752460381/artifacts/repo/5.14.0-445.3929_1273871726.el9.s390x/

5.14.0-445.3929_1273871726.el9.aarch64-debug:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_aarch64_debug/6752460377/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/

5.14.0-445.3929_1273871726.el9.aarch64:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_aarch64/6752460375/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/

5.14.0-445.3929_1273871726.el9.ppc64le-debug:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_ppc64le_debug/6752460370/artifacts/repo/5.14.0-445.3929_1273871726.el9.ppc64le/

5.14.0-445.3929_1273871726.el9.ppc64le:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_ppc64le/6752460366/artifacts/repo/5.14.0-445.3929_1273871726.el9.ppc64le/

5.14.0-445.3929_1273871726.el9.x86_64-debug:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_x86_64_debug/6752460360/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/

5.14.0-445.3929_1273871726.el9.x86_64:
Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_x86_64/6752460353/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/

----------------------------------------

Downstream Pipeline Name: REALTIME (c9s_rt_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871807

5.14.0-445.3929_1273871726.el9.x86_64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871807/publish_x86_64_debug/6752460150/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871807/publish_x86_64_debug/6752460150/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/

5.14.0-445.3929_1273871726.el9.x86_64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871807/publish_x86_64/6752460128/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871807/publish_x86_64/6752460128/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/

----------------------------------------

Downstream Pipeline Name: AUTOMOTIVE (c9s_automotive_check_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871825

5.14.0-445.397.3929_1273871726.el9iv.aarch64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_aarch64_debug/6752460330/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_aarch64_debug/6752460330/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/

5.14.0-445.397.3929_1273871726.el9iv.aarch64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_aarch64/6752460329/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_aarch64/6752460329/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/

5.14.0-445.397.3929_1273871726.el9iv.x86_64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_x86_64_debug/6752460327/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_x86_64_debug/6752460327/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/

5.14.0-445.397.3929_1273871726.el9iv.x86_64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_x86_64/6752460324/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_x86_64/6752460324/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/

----------------------------------------

Downstream Pipeline Name: 64K (c9s_64k_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871809

5.14.0-445.3929_1273871726.el9.aarch64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871809/publish_aarch64_debug/6752460147/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871809/publish_aarch64_debug/6752460147/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/

5.14.0-445.3929_1273871726.el9.aarch64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871809/publish_aarch64/6752460142/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871809/publish_aarch64/6752460142/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/

----------------------------------------

Updated 2024-05-07 14:16 UTC by buglinker:
- KWF FAQ: https://red.ht/kernel_workflow_doc
- Slack #team-kernel-workflow: https://redhat-internal.slack.com/archives/C04LRUPMJQ5
- Source: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/buglinker.py
- Documentation: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.buglinker.md
- Report an issue: https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=buglinker%20webhook%20issue

Show
The following Merge Request has pipeline job artifacts available: Title: net: openvswitch: limit the number of recursions from action sets MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3929 MR Pipeline: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/pipelines/1273871726 The Repo URLs are *not* accessible from a web browser! They only function as a dnf or yum baseurl. Artifacts expire six weeks after creation. If artifacts are needed after that time please rerun the pipeline by visiting the MR's 'Pipelines' tab and clicking the 'Run pipeline' button. ---------------------------------------- Downstream Pipeline Name: RHEL_COMPAT (c9s_rhel9_compat_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871815 Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/1273871815/$basearch/5.14.0-445.3929_1273871726.el9.$basearch Debug Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/1273871815/$basearch-debug/5.14.0-445.3929_1273871726.el9.$basearch 5.14.0-445.3929_1273871726.el9.s390x-debug: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_s390x_debug/6752460382/artifacts/repo/5.14.0-445.3929_1273871726.el9.s390x/ 5.14.0-445.3929_1273871726.el9.s390x: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_s390x/6752460381/artifacts/repo/5.14.0-445.3929_1273871726.el9.s390x/ 5.14.0-445.3929_1273871726.el9.aarch64-debug: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_aarch64_debug/6752460377/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ 5.14.0-445.3929_1273871726.el9.aarch64: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_aarch64/6752460375/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ 5.14.0-445.3929_1273871726.el9.ppc64le-debug: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_ppc64le_debug/6752460370/artifacts/repo/5.14.0-445.3929_1273871726.el9.ppc64le/ 5.14.0-445.3929_1273871726.el9.ppc64le: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_ppc64le/6752460366/artifacts/repo/5.14.0-445.3929_1273871726.el9.ppc64le/ 5.14.0-445.3929_1273871726.el9.x86_64-debug: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_x86_64_debug/6752460360/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ 5.14.0-445.3929_1273871726.el9.x86_64: Artifacts (RPMs): https://s3.upshift.redhat.com/DH-PROD-CKI/index.html?prefix=internal-artifacts/1273871815/publish_x86_64/6752460353/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ ---------------------------------------- Downstream Pipeline Name: REALTIME (c9s_rt_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871807 5.14.0-445.3929_1273871726.el9.x86_64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871807/publish_x86_64_debug/6752460150/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871807/publish_x86_64_debug/6752460150/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ 5.14.0-445.3929_1273871726.el9.x86_64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871807/publish_x86_64/6752460128/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871807/publish_x86_64/6752460128/artifacts/repo/5.14.0-445.3929_1273871726.el9.x86_64/ ---------------------------------------- Downstream Pipeline Name: AUTOMOTIVE (c9s_automotive_check_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871825 5.14.0-445.397.3929_1273871726.el9iv.aarch64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_aarch64_debug/6752460330/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_aarch64_debug/6752460330/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/ 5.14.0-445.397.3929_1273871726.el9iv.aarch64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_aarch64/6752460329/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_aarch64/6752460329/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.aarch64/ 5.14.0-445.397.3929_1273871726.el9iv.x86_64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_x86_64_debug/6752460327/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_x86_64_debug/6752460327/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/ 5.14.0-445.397.3929_1273871726.el9iv.x86_64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871825/publish_x86_64/6752460324/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871825/publish_x86_64/6752460324/artifacts/repo/5.14.0-445.397.3929_1273871726.el9iv.x86_64/ ---------------------------------------- Downstream Pipeline Name: 64K (c9s_64k_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1273871809 5.14.0-445.3929_1273871726.el9.aarch64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871809/publish_aarch64_debug/6752460147/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871809/publish_aarch64_debug/6752460147/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ 5.14.0-445.3929_1273871726.el9.aarch64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1273871809/publish_aarch64/6752460142/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1273871809/publish_aarch64/6752460142/artifacts/repo/5.14.0-445.3929_1273871726.el9.aarch64/ ---------------------------------------- Updated 2024-05-07 14:16 UTC by buglinker: - KWF FAQ: https://red.ht/kernel_workflow_doc - Slack #team-kernel-workflow: https://redhat-internal.slack.com/archives/C04LRUPMJQ5 - Source: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/buglinker.py - Documentation: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.buglinker.md - Report an issue: https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=buglinker%20webhook%20issue
Errata Link:
https://errata.engineering.redhat.com/advisory/128795
Test Coverage:
None

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

This is an issue with the Open vSwitch Kernel module that is currently not resolved upstream.

The Netlink copy code in the ovs kernel module attempts to make an in-kernel copy of the actions required. That means that when recursive operations, like sample(), clone(), dec_ttl(), etc include additional actions, the code pushes a new stack frame and recursively calls into the code block.

Unfortunately, OVS module doesn't validate the stack depth, and will push too many frames causing a stack overflow which can lead to crash or worse.

This can be validated with the following patch to kernel's ovs-dpctl.py utility:

ff --git a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
index b97e621face9..05191b9ac301 100644
--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
@@ -299,7 +299,7 @@ class ovsactions(nla):
         ("OVS_ACTION_ATTR_PUSH_NSH", "none"),
         ("OVS_ACTION_ATTR_POP_NSH", "flag"),
         ("OVS_ACTION_ATTR_METER", "none"),
-        ("OVS_ACTION_ATTR_CLONE", "none"),
+        ("OVS_ACTION_ATTR_CLONE", "recursive"),
         ("OVS_ACTION_ATTR_CHECK_PKT_LEN", "none"),
         ("OVS_ACTION_ATTR_ADD_MPLS", "none"),
         ("OVS_ACTION_ATTR_DEC_TTL", "none"),
@@ -465,29 +465,45 @@ class ovsactions(nla):
                     print_str += "pop_mpls"
             else:
                 datum = self.get_attr(field[0])
-                print_str += datum.dpstr(more)
+                if field[0] == "OVS_ACTION_ATTR_CLONE":
+                    print_str += "clone("
+
+                    for d in datum:
+                        print(".. recursive instance: %s" % type(d))
+
+                    print_str += ")"
+                else:
+                    print_str += datum.dpstr(more)
 
         return print_str
 
     def parse(self, actstr):
+        totallen = len(actstr)
         while len(actstr) != 0:
             parsed = False
+            parencount = 0
             if actstr.startswith("drop"):
                 # If no reason is provided, the implicit drop is used (i.e no
                 # action). If some reason is given, an explicit action is used.
-                actstr, reason = parse_extract_field(
-                    actstr,
-                    "drop(",
-                    "([0-9]+)",
-                    lambda x: int(x, 0),
-                    False,
-                    None,
-                )
+                reason = None
+                if actstr.startswith("drop("):
+                    parencount += 1
+
+                    actstr, reason = parse_extract_field(
+                        actstr,
+                        "drop(",
+                        "([0-9]+)",
+                        lambda x: int(x, 0),
+                        False,
+                        None,
+                    )
+
                 if reason is not None:
                     self["attrs"].append(["OVS_ACTION_ATTR_DROP", reason])
                     parsed = True
                 else:
-                    return
+                    actstr = actstr[len("drop"): ]
+                    return (totallen - len(actstr))
 
             elif parse_starts_block(actstr, "^(\d+)", False, True):
                 actstr, output = parse_extract_field(
@@ -504,6 +520,7 @@ class ovsactions(nla):
                     False,
                     0,
                 )
+                parencount += 1
                 self["attrs"].append(["OVS_ACTION_ATTR_RECIRC", recircid])
                 parsed = True
 
@@ -516,12 +533,22 @@ class ovsactions(nla):
 
             for flat_act in parse_flat_map:
                 if parse_starts_block(actstr, flat_act[0], False):
-                    actstr += len(flat_act[0])
+                    actstr = actstr[len(flat_act[0]):]
                     self["attrs"].append([flat_act[1]])
                     actstr = actstr[strspn(actstr, ", ") :]
                     parsed = True
 
-            if parse_starts_block(actstr, "ct(", False):
+            if parse_starts_block(actstr, "clone(", False):
+                parencount += 1
+                subacts = ovsactions()
+                actstr = actstr[len("clone("):]
+                parsedLen = subacts.parse(actstr)
+                lst = []
+                self["attrs"].append(("OVS_ACTION_ATTR_CLONE", subacts))
+                actstr = actstr[parsedLen:]
+                parsed = True
+            elif parse_starts_block(actstr, "ct(", False):
+                parencount += 1
                 actstr = actstr[len("ct(") :]
                 ctact = ovsactions.ctact()
 
@@ -553,6 +580,7 @@ class ovsactions(nla):
                         natact = ovsactions.ctact.natattr()
 
                         if actstr.startswith("("):
+                            parencount += 1
                             t = None
                             actstr = actstr[1:]
                             if actstr.startswith("src"):
@@ -607,15 +635,29 @@ class ovsactions(nla):
                                     actstr = actstr[strspn(actstr, ", ") :]
 
                         ctact["attrs"].append(["OVS_CT_ATTR_NAT", natact])
-                        actstr = actstr[strspn(actstr, ",) ") :]
+                        actstr = actstr[strspn(actstr, ", ") :]
 
                 self["attrs"].append(["OVS_ACTION_ATTR_CT", ctact])
                 parsed = True
 
-            actstr = actstr[strspn(actstr, "), ") :]
+            actstr = actstr[strspn(actstr, ", ") :]
+            while parencount > 0:
+                parencount -= 1
+                actstr = actstr[strspn(actstr, " "):]
+                if len(actstr) and actstr[0] != ")":
+                    raise ValueError("Action str: '%s' unbalanced" % actstr)
+                actstr = actstr[1:]
+
+            if len(actstr) and actstr[0] == ")":
+                return (totallen - len(actstr))
+
+            actstr = actstr[strspn(actstr, ", ") :]
+
             if not parsed:
                 raise ValueError("Action str: '%s' not supported" % actstr)
 
+        return (totallen - len(actstr))
+
 
 class ovskey(nla):
     nla_flags = NLA_F_NESTED
@@ -2111,6 +2153,8 @@ def main(argv):
     ovsflow = OvsFlow()
     ndb = NDB()
 
+    sys.setrecursionlimit(100000)
+
     if hasattr(args, "showdp"):
         found = False
         for iface in ndb.interfaces:

And the following script snippet:

# ip link add d0 type dummy
# python3 ./ovs-dpctl.py add-dp vuln
# python3 ./ovs-dpctl.py add-if vuln d0
# python3 ./ovs-dpctl.py add-flow vuln \   
  'in_port(0),eth(),eth_type(0x800),ipv4()'\
  'clone(clone(clone(clone(clone(clone(clone(....))))))))'

Number of clone calls may need to vary to observe a stack overflow message.

I will propose the following patch upstream on Tuesday 2/6

--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -48,6 +48,9 @@ struct ovs_len_tbl {
 
 #define OVS_ATTR_NESTED -1
 #define OVS_ATTR_VARIABLE -2
+#define OVS_COPY_ACTIONS_MAX_DEPTH 16
+
+static DEFINE_PER_CPU(int, copy_actions_depth);
 
 static bool actions_may_change_flow(const struct nlattr *actions)
 {
@@ -3148,11 +3151,11 @@ static int copy_action(const struct nlattr *from,
        return 0;
 }
 
-static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
-                                 const struct sw_flow_key *key,
-                                 struct sw_flow_actions **sfa,
-                                 __be16 eth_type, __be16 vlan_tci,
-                                 u32 mpls_label_count, bool log)
+static int ___ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+                                  const struct sw_flow_key *key,
+                                  struct sw_flow_actions **sfa,
+                                  __be16 eth_type, __be16 vlan_tci,
+                                  u32 mpls_label_count, bool log)
 {
        u8 mac_proto = ovs_key_mac_proto(key);
        const struct nlattr *a;
@@ -3478,6 +3481,26 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
        return 0;
 }
 
+static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+                                 const struct sw_flow_key *key,
+                                 struct sw_flow_actions **sfa,
+                                 __be16 eth_type, __be16 vlan_tci,
+                                 u32 mpls_label_count, bool log)
+{
+       int level = this_cpu_read(copy_actions_depth);
+       int ret;
+
+       if (level > OVS_COPY_ACTIONS_MAX_DEPTH)
+               return -EOVERFLOW;
+
+       __this_cpu_inc(copy_actions_depth);
+       ret = ___ovs_nla_copy_actions(net, attr, key, sfa, eth_type,
+                                     vlan_tci, mpls_label_count, log);
+       __this_cpu_dec(copy_actions_depth);
+
+       return ret;
+}
+

This will limit the number of recursive copies to a maximum of 16 deep.

links to

Merge Request: net: openvswitch: limit the number of recursions from action sets

RHSA-2024:128795 kernel bug fix and enhancement update

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates