From patchwork Wed Sep 27 02:02:20 2023
X-Patchwork-Submitter: Joao Moreira
X-Patchwork-Id: 145114
From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH v2 1/2] Make loop indexes unsigned
Date: Tue, 26 Sep 2023 19:02:20 -0700
Message-ID: <20230927020221.85292-2-joao@overdrivepizza.com>
In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>
References: <20230927020221.85292-1-joao@overdrivepizza.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Joao Moreira

Both the flow_rule_alloc and offload_action_alloc functions receive an unsigned num_actions parameter which is then operated on within a loop. The index of this loop is declared as a signed int. If it was possible to pass a large enough num_actions to these functions, it would lead to an out-of-bounds write.

After checking with maintainers, it was mentioned that the front-end will cap the num_actions value and that it is not possible to reach this function with such a large number. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira
---
 net/core/flow_offload.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index bc5169482710..bc3f53a09d8f 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c @@ -10,7 +10,7 @@ struct flow_rule *flow_rule_alloc(unsigned int num_actions) { struct flow_rule *rule; - int i; + unsigned int i; rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL); @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); struct flow_offload_action *offload_action_alloc(unsigned int num_actions) { struct flow_offload_action *fl_action; - int i; + unsigned int i; fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), GFP_KERNEL);
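Review bot: in the flow_rule_alloc() hunk, the context ends at the `kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL)` line and never shows the loop that uses `i`, so a reader cannot verify from the hunk which comparison or index expression the signed-to-unsigned change actually protects; the changelog should quote that loop header and state precisely how a signed `i` and an unsigned `num_actions` diverge there (promotion in the comparison versus signed overflow of the increment), since the visible allocation is already sized from the same `num_actions` and the type change alone is the whole fix.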
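Review bot: the offload_action_alloc() hunk is an identical one-line change to the flow_rule_alloc() hunk, and in neither function's visible context is `num_actions` itself bounded; given the changelog concedes the cap lives in the front-end, consider either a short comment above both allocators naming that cap or an explicit sanity check on `num_actions` before the `kzalloc()`, so the correctness argument does not rest only on the index type. Also, the subject should carry the usual `net: flow_offload:` prefix for net/core/flow_offload.c rather than the bare "Make loop indexes unsigned".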