Message ID | 20230927020221.85292-3-joao@overdrivepizza.com |
---|---|
State | New |
Headers | From: joao@overdrivepizza.com; To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com; Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira <joao.moreira@intel.com>; Subject: [PATCH v2 2/2] Make num_actions unsigned; Date: Tue, 26 Sep 2023 19:02:21 -0700; Message-ID: <20230927020221.85292-3-joao@overdrivepizza.com>; In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>; References: <20230927020221.85292-1-joao@overdrivepizza.com>; X-Mailer: git-send-email 2.42.0 |
Series | Prevent potential write out of bounds |
Commit Message
Joao Moreira
Sept. 27, 2023, 2:02 a.m. UTC
From: Joao Moreira <joao.moreira@intel.com>

Currently, in the nft_flow_rule_create function, num_actions is a signed integer. Yet, it is processed within a loop which increments its value. To prevent an overflow from occurring, make it unsigned and also check if it reaches UINT_MAX when being incremented.

After checking with maintainers, it was mentioned that the front-end will cap the num_actions value and that it is not possible to reach such a condition for an overflow. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira <joao.moreira@intel.com>
---
net/netfilter/nf_tables_offload.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
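The following is an added example, not code from the kernel or from this patch. It models in userspace why the width and bound of this counter matter: the count is what sizes the later allocation, so it is bounded with a realistic cap instead of UINT_MAX, the allocation size is computed with overflow-checked arithmetic, and the fill step refuses to write past the count the buffer was sized for. It goes beyond the patch by showing the allocate and fill steps as well as the count. The struct layouts, expr_next(), EXAMPLE_ACTIONS_MAX and the constructed (match, action) sample rule are assumptions made for this example; only the count-in-a-loop shape and the nft_expr_next()-style walk by ops->size come from the page.

```c
/* Added example (not kernel or patch code): a userspace model of the
 * count / allocate / fill sequence the commit message describes. Struct
 * layouts, EXAMPLE_ACTIONS_MAX and the sample rule are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct expr;
struct expr_ops {
    size_t size;                                  /* bytes this expr occupies */
    bool (*offload_action)(const struct expr *);  /* NULL: not an action */
};
struct expr { const struct expr_ops *ops; };
/* Two constructed expression kinds: a match (no action) and an action. */
struct match_expr  { struct expr base; uint32_t key; };
struct action_expr { struct expr base; uint32_t id, arg; };
static bool action_offload(const struct expr *e) { (void)e; return true; }
static const struct expr_ops match_ops  = { sizeof(struct match_expr),  NULL };
static const struct expr_ops action_ops = { sizeof(struct action_expr), action_offload };
/* Hypothetical per-rule cap; the kernel front end bounds the count elsewhere. */
#define EXAMPLE_ACTIONS_MAX 64u

/* Rules are packed [expr][expr]...; step by ops->size like nft_expr_next(). */
static const struct expr *expr_next(const struct expr *e)
{
    return (const struct expr *)((const char *)e + e->ops->size);
}
static const struct expr *expr_end(const void *rule, size_t len)
{
    return (const struct expr *)((const char *)rule + len);
}

/* Count offloadable actions, refusing before the counter can pass the cap. */
int count_actions(const void *rule, size_t len, unsigned int *out)
{
    unsigned int n = 0;
    for (const struct expr *e = rule; e < expr_end(rule, len); e = expr_next(e)) {
        if (!e->ops->offload_action || !e->ops->offload_action(e))
            continue;
        if (n == EXAMPLE_ACTIONS_MAX)
            return -E2BIG;   /* a limit was hit, so not -ENOMEM */
        n++;
    }
    *out = n;
    return 0;
}

struct action { uint32_t id, arg; };
struct flow_rule { unsigned int num_actions; struct action actions[]; };

/* Size the buffer with overflow-checked arithmetic (matters with 32-bit size_t):
 * an undersized allocation is what turns a bad count into a heap OOB write. */
struct flow_rule *flow_rule_alloc(unsigned int n)
{
    size_t bytes, total;
    struct flow_rule *fr;
    if (__builtin_mul_overflow((size_t)n, sizeof(struct action), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct flow_rule), &total))
        return NULL;
    if ((fr = calloc(1, total)))
        fr->num_actions = n;
    return fr;
}

/* Emit actions; never write past the count the buffer was sized for. */
int fill_actions(struct flow_rule *fr, const void *rule, size_t len)
{
    unsigned int i = 0;
    for (const struct expr *e = rule; e < expr_end(rule, len); e = expr_next(e)) {
        if (!e->ops->offload_action || !e->ops->offload_action(e))
            continue;
        if (i >= fr->num_actions)
            return -ENOSPC;  /* count and emit disagree: bail out, do not overrun */
        fr->actions[i].id  = ((const struct action_expr *)e)->id;
        fr->actions[i].arg = ((const struct action_expr *)e)->arg;
        i++;
    }
    return 0;
}

/* Build a constructed rule of k (match, action) pairs, then count, allocate and
 * fill. Returns the flow rule (caller frees) or NULL with -errno in *err. */
struct flow_rule *offload_rule(unsigned int k, int *err)
{
    size_t len = (size_t)k * (sizeof(struct match_expr) + sizeof(struct action_expr));
    char *buf = malloc(len ? len : 1), *p = buf;
    struct flow_rule *fr = NULL;
    unsigned int n = 0;
    if (!buf) { *err = -ENOMEM; return NULL; }
    for (unsigned int i = 0; i < k; i++) {
        struct match_expr  m = { { &match_ops }, i };
        struct action_expr a = { { &action_ops }, i, 2 * i };
        memcpy(p, &m, sizeof m); p += sizeof m;
        memcpy(p, &a, sizeof a); p += sizeof a;
    }
    *err = count_actions(buf, len, &n);
    if (!*err && !(fr = flow_rule_alloc(n)))
        *err = -ENOMEM;
    if (!*err && (*err = fill_actions(fr, buf, len)) != 0) { free(fr); fr = NULL; }
    free(buf);
    return fr;
}
```

Build with gcc or clang; the __builtin_mul_overflow/__builtin_add_overflow helpers are compiler built-ins and stand in for the kernel's check_mul_overflow()/check_add_overflow(). Returning -E2BIG when the cap is hit keeps that failure distinguishable from a genuine allocation failure, and the -ENOSPC path in fill_actions() is the check that turns a count/emit mismatch into a clean error instead of a heap write out of bounds.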
Comments
From: joao@overdrivepizza.com > Sent: 27 September 2023 03:02 > > From: Joao Moreira <joao.moreira@intel.com> > > Currently, in nft_flow_rule_create function, num_actions is a signed > integer. Yet, it is processed within a loop which increments its > value. To prevent an overflow from occurring, make it unsigned and > also check if it reaches UINT_MAX when being incremented. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions value and that it is not possible to reach such > condition for an overflow. Yet, for correctness, it is still better to > fix this. > > This issue was observed by the commit author while reviewing a write-up > regarding a CVE within the same subsystem [1]. > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > Signed-off-by: Joao Moreira <joao.moreira@intel.com> > --- > net/netfilter/nf_tables_offload.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index 12ab78fa5d84..d25088791a74 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > { > struct nft_offload_ctx *ctx; > struct nft_flow_rule *flow; > - int num_actions = 0, err; > + unsigned int num_actions = 0; > + int err; > struct nft_expr *expr; > > expr = nft_expr_first(rule); 
> @@ -99,6 +100,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > expr->ops->offload_action(expr)) > num_actions++; > > + if (num_actions == UINT_MAX) > + return ERR_PTR(-ENOMEM); > + > expr = nft_expr_next(expr); The code is going to 'crash and burn' well before the counter can possibly overflow. nft_expr_next() is ((void *)expr) + expr->ops->size; It is far more likely that has got setup wrong than the count is too big. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 12ab78fa5d84..d25088791a74 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, { struct nft_offload_ctx *ctx; struct nft_flow_rule *flow; - int num_actions = 0, err; + unsigned int num_actions = 0; + int err; struct nft_expr *expr; expr = nft_expr_first(rule); @@ -99,6 +100,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr->ops->offload_action(expr)) num_actions++; + if (num_actions == UINT_MAX) + return ERR_PTR(-ENOMEM); + expr = nft_expr_next(expr); }
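Review bot: the type change in the first hunk (`- int num_actions = 0, err;` to `+ unsigned int num_actions = 0;`) only fixes anything if every consumer of num_actions below the loop is unsigned as well; the hunk does not show where the count is passed on (the allocation it sizes, any comparison or format specifier), so please state in the commit message that no new signed/unsigned mismatch or implicit conversion is introduced there. Splitting `err` out onto its own `int err;` line is fine.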
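Review bot: -ENOMEM is the wrong errno for the new `if (num_actions == UINT_MAX)` guard in the second hunk; nothing has been allocated at that point and the condition is a count limit, so -E2BIG (or -EINVAL) would tell callers what actually happened. The check also sits outside the `if (... expr->ops->offload_action(expr)) num_actions++;` branch, so it runs on every expression including the ones that did not bump the counter; nesting it under the increment makes the intent clear. Finally, as the commit message itself says the front end caps num_actions and, as David Laight notes in the thread, nft_expr_next() walks by expr->ops->size so the loop would fail long before UINT_MAX expressions, a realistic upper bound would be easier to defend than UINT_MAX; if the guard stays as is, the commit message should say why.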