net: openvswitch: limit the number of recursions from action sets

Aaron Conole requested to merge aconole/centos-stream-9:RHEL-23659 into main

Merge Request Required Information

Summary of Changes

JIRA: https://issues.redhat.com/browse/RHEL-23659
CVE: CVE-2024-1151

commit 6e2f90d31fe09f2b852de25125ca875aabd81367
Author: Aaron Conole <aconole@redhat.com>
Date:   Fri Feb 09 21:54:38 2024 +0100

    net: openvswitch: limit the number of recursions from action sets

    The ovs module allows for some actions to recursively contain an action
    list for complex scenarios, such as sampling, checking lengths, etc.
    When these actions are copied into the internal flow table, they are
    evaluated to validate that such actions make sense, and these calls
    happen recursively.

    The ovs-vswitchd userspace won't emit more than 16 recursion levels
    deep.  However, the module has no such limit and will happily accept
    limits larger than 16 levels nested.  Prevent this by tracking the
    number of recursions happening and manually limiting it to 16 levels
    nested.

    The initial implementation of the sample action would track this depth
    and prevent more than 3 levels of recursion, but this was removed to
    support the clone use case, rather than limited at the current userspace
    limit.

    Fixes: 798c166173ff ("openvswitch: Optimize sample action for the clone use cases")
    Signed-off-by: Aaron Conole <aconole@redhat.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240207132416.1488485-2-aconole@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Aaron Conole <aconole@redhat.com>
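The recursion guard the commit describes, shown as an added example written for this page and not the kernel's or the MR's own code: a simplified recursive validator over a stand-in action structure that carries the nesting depth and refuses lists nested deeper than the 16 levels userspace emits. The names ACTIONS_MAX_DEPTH and MAX_CHAIN, the struct layout and the -EOVERFLOW return are this example's assumptions; the chain builder constructs its own input.

```c
#include <errno.h>
#include <stddef.h>
/* Assumed constant: mirrors the 16-level nesting that ovs-vswitchd emits at most. */
#define ACTIONS_MAX_DEPTH 16
#define MAX_CHAIN 64

enum action_type { ACT_OUTPUT, ACT_SAMPLE, ACT_CLONE, ACT_CHECK_LEN };
/* Simplified stand-in for a netlink-encoded OVS action (real ones are nlattrs). */
struct action {
    enum action_type type;
    const struct action *nested; /* inner action list for SAMPLE/CLONE/CHECK_LEN */
    size_t nested_len;
};

/* Recursive walk of an action list, carrying the depth and refusing > ACTIONS_MAX_DEPTH. */
static int validate_actions(const struct action *acts, size_t len, unsigned depth)
{
    if (depth > ACTIONS_MAX_DEPTH)
        return -EOVERFLOW; /* the error code is this example's choice */
    for (size_t i = 0; i < len; i++) {
        const struct action *a = &acts[i];
        switch (a->type) {
        case ACT_OUTPUT: /* leaf: nothing nested */
            break;
        case ACT_SAMPLE:
        case ACT_CLONE:
        case ACT_CHECK_LEN: {
            int err = validate_actions(a->nested, a->nested_len, depth + 1);
            if (err)
                return err;
            break;
        }
        default:
            return -EINVAL;
        }
    }
    return 0;
}

/* Constructed input: `levels` clone actions nested one in the next, ending in an output. */
int validate_nested_chain(unsigned levels)
{
    static struct action chain[MAX_CHAIN + 1];
    if (levels > MAX_CHAIN)
        return -EINVAL;
    for (unsigned i = 0; i < levels; i++)
        chain[i] = (struct action){ ACT_CLONE, &chain[i + 1], 1 };
    chain[levels] = (struct action){ ACT_OUTPUT, NULL, 0 };
    return validate_actions(chain, 1, 0);
}
```

A chain of 16 nested clones is accepted, a 17th level is rejected, which is the boundary the commit message states.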

Approved Development Ticket

All submissions to CentOS Stream must reference an approved ticket in Red Hat Jira. Please follow the CentOS Stream contribution documentation for how to file this ticket and have it approved.
