CVE-2022-49086

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix leak of nested actions

While parsing user-provided actions, openvswitch module may dynamically allocate memory and store pointers in the internal copy of the actions. So this memory has to be freed while destroying the actions.

Currently there are only two such actions: ct() and set(). However, there are many actions that can hold nested lists of actions and ovs_nla_free_flow_actions() just jumps over them leaking the memory.

For example, removal of the flow with the following actions will lead to a leak of the memory allocated by nf_ct_tmpl_alloc():

    actions:clone(ct(commit),0)

Non-freed set() action may also leak the 'dst' structure for the tunnel info including device references.

Under certain conditions with a high rate of flow rotation that may cause a significant memory leak problem (2MB per second in reporter's case). The problem is also hard to mitigate, because the user doesn't have direct control over the datapath flows generated by OVS.

Fix that by iterating over all the nested actions and freeing everything that needs to be freed recursively.

New build time assertion should protect us from this problem if new actions will be added in the future.

Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all attributes have to be explicitly checked. sample() and clone() actions are mixing extra attributes into the user-provided action list. That prevents some code generalization too.
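A simplified user-space model of the leak and of the recursive fix described in the commit message above. It is an added example, not the kernel's code, and every type and function name in it is hypothetical; it contrasts a destructor that skips nested action lists with one that walks them.

```c
#include <stdlib.h>
/* User-space model only; every name here is hypothetical, not kernel code. */
enum act_type { ACT_OUTPUT, ACT_CT, ACT_CLONE };

struct action {
    enum act_type type;
    void *owned;            /* ACT_CT: heap object the action points to */
    struct action *nested;  /* ACT_CLONE: nested action list */
    size_t n_nested;
};
static int live_objects;    /* owned objects allocated and not yet freed */

/* Leaky shape: a nested list is released as storage but never walked. */
static void destroy_flat(struct action *acts, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (acts[i].type == ACT_CT) { free(acts[i].owned); live_objects--; }
        else if (acts[i].type == ACT_CLONE) free(acts[i].nested);
    }
}

/* Fixed shape: recurse first. No default case, so -Wswitch flags new types. */
static void destroy_recursive(struct action *acts, size_t n) {
    for (size_t i = 0; i < n; i++) {
        switch (acts[i].type) {
        case ACT_CT: free(acts[i].owned); live_objects--; break;
        case ACT_CLONE:
            destroy_recursive(acts[i].nested, acts[i].n_nested);
            free(acts[i].nested);
            break;
        case ACT_OUTPUT: break;
        }
    }
}

/* Build a clone holding (ct, output), destroy it, return the leaked count. */
static int leaked_after(void (*destroy)(struct action *, size_t)) {
    struct action ct = { ACT_CT, malloc(16), NULL, 0 };
    struct action *inner = malloc(2 * sizeof *inner);
    inner[0] = ct;
    inner[1] = (struct action){ ACT_OUTPUT, NULL, NULL, 0 };
    struct action top = { ACT_CLONE, NULL, inner, 2 };
    live_objects = 1;            /* the single ct-owned object */
    destroy(&top, 1);
    int leaked = live_objects;
    if (leaked) free(ct.owned);  /* demo cleanup; a real leak keeps no handle */
    return leaked;
}

int main(void) { return !(leaked_after(destroy_flat) == 1 && leaked_after(destroy_recursive) == 0); }
```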

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.3 (including)    4.19.249 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.20 (including)   5.4.200 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.5 (including)    5.10.111 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)   5.15.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   5.16.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.17 (including)   5.17.3 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*