| Message ID | 20230927164715.76744-2-joao@overdrivepizza.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp2833825vqu;
Wed, 27 Sep 2023 11:56:00 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IHHZGOJAxjtpzEVnvQw1eGJvs/SP0SKhUMTnCrl+bKrYoPJp1LPDsmukZyvmSlTpwzZiWhY
X-Received: by 2002:a9d:4f16:0:b0:6c0:abdd:a875 with SMTP id
d22-20020a9d4f16000000b006c0abdda875mr3010974otl.18.1695840960168;
Wed, 27 Sep 2023 11:56:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695840960; cv=none;
d=google.com; s=arc-20160816;
b=A/IUZuLIRfzIeZIUZ97swT8yDSqOb3LKS0yJJzvmxKeIH3rWDeyvPdvpJ9n4V0VQRs
c9rhMG8C217H5mdDTbWgXmGaGCcbzRlxTbvvBZh9rgNH4WyOcUp/AbJkdfGW25B0GOOJ
Vs2+AICD34oQAr0qrESWVaV6zTlQtrQRgGqLDvQOD5aoK7Hcj77Y0gyJfOfPdlDTdC6U
qNiyGFjXOiqwgculnbATXKRI9X3rsxXAml2NMHpchsNYBEsh53P175OWFKK4FfFiOOHX
EcTU6fiihH2qfnYlAHFtZt2mYiJD/+pEAO1DHhqsjW13BUeKHLr6LYnrYTs3/dfihrg7
N9tA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from;
bh=XTwV12iZLATQ82tTWEAW4gokfUjy2O3xXDuIEM5S7Is=;
fh=BI+T4F8SA0SHDb6m7HWfv63JWeI34VTzFV+4LHBcWNU=;
b=tD4GunhoQMAERg6dYdJQxzSsIlA7KzUe0WP0QP4RWTVORzyd++B/k1o4EqwdcUCFv3
/ZvRqmpOhAuJSVndJKE3zgRrULDXoRkZjHK27UcfSGLzA9p0J8jtaBXUpCEMuOMsaTHd
aYL+cW50nl9owDBhCI0fb9vVo8M8YN9Rstp42OaMesIsoK6lFd9p3R/JN1BImxdXXfhB
ajsTFe46V31azhPqhzZYOwTya1v3ipI/5NqD2tcvW9kzGDKczdy6ZSFVxRP0aVVbRiRd
I6bAllzOk9Q1iNP2/EMzp2Nw2t5lnukIoR8ku5TfmEyGrIaVhXWUnp4m49gqaJwUIarK
IAHQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from howler.vger.email (howler.vger.email. [23.128.96.34])
by mx.google.com with ESMTPS id
ck7-20020a056a00328700b0068fb8fa1e71si9784935pfb.207.2023.09.27.11.55.59
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 27 Sep 2023 11:56:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by howler.vger.email (Postfix) with ESMTP id 58BBD801B709;
Wed, 27 Sep 2023 09:47:47 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229542AbjI0Qrl (ORCPT <rfc822;ruipengqi7@gmail.com> + 19 others);
Wed, 27 Sep 2023 12:47:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60312 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229521AbjI0Qri (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 27 Sep 2023 12:47:38 -0400
Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.126])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FA85DE;
Wed, 27 Sep 2023 09:47:36 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="366934590"
X-IronPort-AV: E=Sophos;i="6.03,181,1694761200";
d="scan'208";a="366934590"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Sep 2023 09:47:35 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="922853707"
X-IronPort-AV: E=Sophos;i="6.03,181,1694761200";
d="scan'208";a="922853707"
Received: from pinksteam.jf.intel.com ([10.165.239.231])
by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Sep 2023 09:47:35 -0700
From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
rkannoth@marvell.com, wojciech.drewek@intel.com,
steen.hegenlund@microhip.com, keescook@chromium.org,
Joao Moreira <joao.moreira@intel.com>
Subject: [PATCH v3 1/2] Make loop indexes unsigned
Date: Wed, 27 Sep 2023 09:47:14 -0700
Message-ID: <20230927164715.76744-2-joao@overdrivepizza.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com>
References: <20230927164715.76744-1-joao@overdrivepizza.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NEUTRAL autolearn=no
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]);
Wed, 27 Sep 2023 09:47:47 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778218130562036186
X-GMAIL-MSGID: 1778218130562036186
|
| Series |
Prevent potential write out of bounds
|
|
Commit Message
Joao Moreira
Sept. 27, 2023, 4:47 p.m. UTC
From: Joao Moreira <joao.moreira@intel.com> Both flow_rule_alloc and offload_action_alloc functions received an unsigned num_actions parameters which are then operated within a loop. The index of this loop is declared as a signed int. If it was possible to pass a large enough num_actions to these functions, it would lead to an out of bounds write. After checking with maintainers, it was mentioned that front-end will cap the num_actions value and that it is not possible to reach this function with such a large number. Yet, for correctness, it is still better to fix this. This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1]. 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Signed-off-by: Joao Moreira <joao.moreira@intel.com> --- net/core/flow_offload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Wed, Sep 27, 2023 at 09:47:14AM -0700, joao@overdrivepizza.com wrote: > From: Joao Moreira <joao.moreira@intel.com> > > Both flow_rule_alloc and offload_action_alloc functions received an > unsigned num_actions parameters which are then operated within a loop. > The index of this loop is declared as a signed int. If it was possible > to pass a large enough num_actions to these functions, it would lead to > an out of bounds write. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions value and that it is not possible to reach this > function with such a large number. Yet, for correctness, it is still > better to fix this. > > This issue was observed by the commit author while reviewing a write-up > regarding a CVE within the same subsystem [1]. > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > Signed-off-by: Joao Moreira <joao.moreira@intel.com> > --- > net/core/flow_offload.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c > index bc5169482710..bc3f53a09d8f 100644 > --- a/net/core/flow_offload.c > +++ b/net/core/flow_offload.c > @@ -10,7 +10,7 @@ > struct flow_rule *flow_rule_alloc(unsigned int num_actions) > { > struct flow_rule *rule; > - int i; > + unsigned int i; With the 2^8 cap, I don't think this patch is required anymore. > > rule = kzalloc(struct_size(rule, action.entries, num_actions), > GFP_KERNEL); > @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); > struct flow_offload_action *offload_action_alloc(unsigned int num_actions) > { > struct flow_offload_action *fl_action; > - int i; > + unsigned int i; > > fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), > GFP_KERNEL); > -- > 2.42.0 >
On 2023-09-28 06:40, Pablo Neira Ayuso wrote: > On Wed, Sep 27, 2023 at 09:47:14AM -0700, joao@overdrivepizza.com > wrote: >> From: Joao Moreira <joao.moreira@intel.com> >> >> Both flow_rule_alloc and offload_action_alloc functions received an >> unsigned num_actions parameters which are then operated within a loop. >> The index of this loop is declared as a signed int. If it was possible >> to pass a large enough num_actions to these functions, it would lead >> to >> an out of bounds write. >> >> After checking with maintainers, it was mentioned that front-end will >> cap the num_actions value and that it is not possible to reach this >> function with such a large number. Yet, for correctness, it is still >> better to fix this. >> >> This issue was observed by the commit author while reviewing a >> write-up >> regarding a CVE within the same subsystem [1]. >> >> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ >> >> Signed-off-by: Joao Moreira <joao.moreira@intel.com> >> --- >> net/core/flow_offload.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c >> index bc5169482710..bc3f53a09d8f 100644 >> --- a/net/core/flow_offload.c >> +++ b/net/core/flow_offload.c >> @@ -10,7 +10,7 @@ >> struct flow_rule *flow_rule_alloc(unsigned int num_actions) >> { >> struct flow_rule *rule; >> - int i; >> + unsigned int i; > > With the 2^8 cap, I don't think this patch is required anymore. Hm. While I understand that there is not a significant menace haunting this... would it be good for (1) type correctness and (2) prevent that things blow up if something changes and someone misses this spot? > >> >> rule = kzalloc(struct_size(rule, action.entries, num_actions), >> GFP_KERNEL); >> @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); >> struct flow_offload_action *offload_action_alloc(unsigned int >> num_actions) >> { >> struct flow_offload_action *fl_action; >> - int i; >> + unsigned int i; >> >> fl_action = kzalloc(struct_size(fl_action, action.entries, >> num_actions), >> GFP_KERNEL); >> -- >> 2.42.0 >>
On Thu, Sep 28, 2023 at 07:53:14PM -0700, Joao Moreira wrote: > On 2023-09-28 06:40, Pablo Neira Ayuso wrote: > > On Wed, Sep 27, 2023 at 09:47:14AM -0700, joao@overdrivepizza.com wrote: > > > From: Joao Moreira <joao.moreira@intel.com> > > > > > > Both flow_rule_alloc and offload_action_alloc functions received an > > > unsigned num_actions parameters which are then operated within a loop. > > > The index of this loop is declared as a signed int. If it was possible > > > to pass a large enough num_actions to these functions, it would lead > > > to > > > an out of bounds write. > > > > > > After checking with maintainers, it was mentioned that front-end will > > > cap the num_actions value and that it is not possible to reach this > > > function with such a large number. Yet, for correctness, it is still > > > better to fix this. > > > > > > This issue was observed by the commit author while reviewing a > > > write-up > > > regarding a CVE within the same subsystem [1]. > > > > > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > > > > > Signed-off-by: Joao Moreira <joao.moreira@intel.com> > > > --- > > > net/core/flow_offload.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c > > > index bc5169482710..bc3f53a09d8f 100644 > > > --- a/net/core/flow_offload.c > > > +++ b/net/core/flow_offload.c > > > @@ -10,7 +10,7 @@ > > > struct flow_rule *flow_rule_alloc(unsigned int num_actions) > > > { > > > struct flow_rule *rule; > > > - int i; > > > + unsigned int i; > > > > With the 2^8 cap, I don't think this patch is required anymore. > > Hm. While I understand that there is not a significant menace haunting > this... would it be good for (1) type correctness and (2) prevent that > things blow up if something changes and someone misses this spot? Nothing is going to change, please remove unnecesary updates. Capping to 2^8 for all hardware offload subsystems is sufficient by now. If someone needs more than that, it will have to justify it.
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index bc5169482710..bc3f53a09d8f 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c @@ -10,7 +10,7 @@ struct flow_rule *flow_rule_alloc(unsigned int num_actions) { struct flow_rule *rule; - int i; + unsigned int i; rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL); @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); struct flow_offload_action *offload_action_alloc(unsigned int num_actions) { struct flow_offload_action *fl_action; - int i; + unsigned int i; fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), GFP_KERNEL);