| Message ID | 20230927164715.76744-3-joao@overdrivepizza.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp2833010vqu;
Wed, 27 Sep 2023 11:54:08 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IFYFw5vq425AI+kG1X2EGkf4TrBluOEQNVzYhmJv9GoJ65tBzqHHznrOJxayfU/g11t9IEC
X-Received: by 2002:a17:902:a416:b0:1b8:90bd:d157 with SMTP id
p22-20020a170902a41600b001b890bdd157mr2631056plq.26.1695840847739;
Wed, 27 Sep 2023 11:54:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695840847; cv=none;
d=google.com; s=arc-20160816;
b=acJgWcNZQ/xD9t4CV822jv3rWTtQ2Q417C9oBrlXdsQ0MOagu93lFpf0ubyRWFrRNT
9V++W6CsHqpfzHmtgST1OP2fytrWsu1Bzs27HsvRzwWO7ylHTL5cD6k5OeSsp1Lhtsi4
o618be0b2eNcEL4pTDK8uBJJ1Vs7s6Bl87/ZK0D6ElCN2FyivSE/41oAlC47qZbmeIr2
9L6F+OE2kB4Y+QR1FIZKoTDWf54G9OMstwMtQ0qgeKgmuu2hb6x4wIo/pSWYwuU1j46M
mf0r/HY4O/xmzSTc3zNzV1+rVWHWUoP+QXVKX2bnhlde9w3eicOpcyd+JfXNTgQSK7HF
Drsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from;
bh=HfU8VZCvm4/6ZNolDEiKpu8EhPRabZTL0yZDdztsqs4=;
fh=BI+T4F8SA0SHDb6m7HWfv63JWeI34VTzFV+4LHBcWNU=;
b=U4ytSSDPXTf1MxOCrtxGnXbvic/oPDyAIIx8ChMjflsJUYt3+9wZfS33IoEpjy73fM
CbvqJ440/lllPICEbNZyt29OFyXHUMw6V0rl2UofWFs7K+zG1MOKdGCgSjlPyZfydnVh
B8RYmDfudFmXvZtpA4Hr8TJiF5WFrTvyRKbelAaaSZuy07fGaBUsTTiyBa0hMVm3gjhy
MVMiRrVcTaU9LiHMvxhog87hYX5KOhuOunIlJ+fmzKpgUR+nLwsSIR8jF7jnGE4YO7cF
xgzUXqOqBd4bKxgZjYr25HrbELzag8oWv2BsMU1Row5N8A5g2IHXmmSXEI0na4PRCVq5
kP5g==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:4 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4])
by mx.google.com with ESMTPS id
ay6-20020a1709028b8600b001bc52116351si16101162plb.70.2023.09.27.11.54.07
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 27 Sep 2023 11:54:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:4 as permitted sender)
client-ip=2620:137:e000::3:4;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:4 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by howler.vger.email (Postfix) with ESMTP id 0ECF2801B736;
Wed, 27 Sep 2023 09:47:49 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229487AbjI0Qro (ORCPT <rfc822;ruipengqi7@gmail.com> + 19 others);
Wed, 27 Sep 2023 12:47:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60314 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229534AbjI0Qrj (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 27 Sep 2023 12:47:39 -0400
Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.126])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9186CEB;
Wed, 27 Sep 2023 09:47:37 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="366934607"
X-IronPort-AV: E=Sophos;i="6.03,181,1694761200";
d="scan'208";a="366934607"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Sep 2023 09:47:37 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="922853712"
X-IronPort-AV: E=Sophos;i="6.03,181,1694761200";
d="scan'208";a="922853712"
Received: from pinksteam.jf.intel.com ([10.165.239.231])
by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Sep 2023 09:47:37 -0700
From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
rkannoth@marvell.com, wojciech.drewek@intel.com,
steen.hegenlund@microhip.com, keescook@chromium.org,
Joao Moreira <joao.moreira@intel.com>
Subject: [PATCH v3 2/2] Make num_actions unsigned
Date: Wed, 27 Sep 2023 09:47:15 -0700
Message-ID: <20230927164715.76744-3-joao@overdrivepizza.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com>
References: <20230927164715.76744-1-joao@overdrivepizza.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NEUTRAL autolearn=no
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]);
Wed, 27 Sep 2023 09:47:49 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778218012734061259
X-GMAIL-MSGID: 1778218012734061259
|
| Series |
Prevent potential write out of bounds
|
|
Commit Message
Joao Moreira
Sept. 27, 2023, 4:47 p.m. UTC
From: Joao Moreira <joao.moreira@intel.com> Currently, in nft_flow_rule_create function, num_actions is a signed integer. Yet, it is processed within a loop which increments its value. To prevent an overflow from occurring, make it unsigned and also check if it reaches 256 when being incremented. Accordingly to discussions around v2, 256 actions are more than enough for the frontend actions. After checking with maintainers, it was mentioned that front-end will cap the num_actions value and that it is not possible to reach such condition for an overflow. Yet, for correctness, it is still better to fix this. This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1]. 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Signed-off-by: Joao Moreira <joao.moreira@intel.com> --- net/netfilter/nf_tables_offload.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
Comments
On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote: > From: Joao Moreira <joao.moreira@intel.com> > > Currently, in nft_flow_rule_create function, num_actions is a signed > integer. Yet, it is processed within a loop which increments its > value. To prevent an overflow from occurring, make it unsigned and > also check if it reaches 256 when being incremented. > > Accordingly to discussions around v2, 256 actions are more than enough > for the frontend actions. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions value and that it is not possible to reach such > condition for an overflow. Yet, for correctness, it is still better to > fix this. > > This issue was observed by the commit author while reviewing a write-up > regarding a CVE within the same subsystem [1]. > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Yes, but this is not related to the netfilter subsystem itself, this harderning is good to have for the flow offload infrastructure in general. > Signed-off-by: Joao Moreira <joao.moreira@intel.com> > --- > net/netfilter/nf_tables_offload.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index 12ab78fa5d84..9a86db1f0e07 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > { > struct nft_offload_ctx *ctx; > struct nft_flow_rule *flow; > - int num_actions = 0, err; > + unsigned int num_actions = 0; > + int err; reverse xmas tree. > struct nft_expr *expr; > > expr = nft_expr_first(rule); > @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > expr->ops->offload_action(expr)) > num_actions++; > > + /* 2^8 is enough for frontend actions, avoid overflow */ > + if (num_actions == 256) This cap is not specific of nf_tables, it should apply to all other subsystems. This is the wrong spot. Moreover, please, add a definition for this, no hardcoded values. > + return ERR_PTR(-ENOMEM); Better E2BIG or similar, otherwise this propagates to userspace as ENOMEM. > + > expr = nft_expr_next(expr); > } > > -- > 2.42.0 >
On 2023-09-28 06:43, Pablo Neira Ayuso wrote: > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com > wrote: >> From: Joao Moreira <joao.moreira@intel.com> >> >> Currently, in nft_flow_rule_create function, num_actions is a signed >> integer. Yet, it is processed within a loop which increments its >> value. To prevent an overflow from occurring, make it unsigned and >> also check if it reaches 256 when being incremented. >> >> Accordingly to discussions around v2, 256 actions are more than enough >> for the frontend actions. >> >> After checking with maintainers, it was mentioned that front-end will >> cap the num_actions value and that it is not possible to reach such >> condition for an overflow. Yet, for correctness, it is still better to >> fix this. >> >> This issue was observed by the commit author while reviewing a >> write-up >> regarding a CVE within the same subsystem [1]. >> >> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > Yes, but this is not related to the netfilter subsystem itself, this > harderning is good to have for the flow offload infrastructure in > general. Right, I'll try to look up where this would fit in then. I'm not an expert in the subsystem at all, so should take a minute or two for me to get to it and send a v4. > >> Signed-off-by: Joao Moreira <joao.moreira@intel.com> >> --- >> net/netfilter/nf_tables_offload.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/net/netfilter/nf_tables_offload.c >> b/net/netfilter/nf_tables_offload.c >> index 12ab78fa5d84..9a86db1f0e07 100644 >> --- a/net/netfilter/nf_tables_offload.c >> +++ b/net/netfilter/nf_tables_offload.c >> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> { >> struct nft_offload_ctx *ctx; >> struct nft_flow_rule *flow; >> - int num_actions = 0, err; >> + unsigned int num_actions = 0; >> + int err; > > reverse xmas tree. ack. > >> struct nft_expr *expr; >> >> expr = nft_expr_first(rule); >> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> expr->ops->offload_action(expr)) >> num_actions++; >> >> + /* 2^8 is enough for frontend actions, avoid overflow */ >> + if (num_actions == 256) > > This cap is not specific of nf_tables, it should apply to all other > subsystems. This is the wrong spot. Any pointers regarding where I should look at? > > Moreover, please, add a definition for this, no hardcoded values. Ack. > >> + return ERR_PTR(-ENOMEM); > > Better E2BIG or similar, otherwise this propagates to userspace as > ENOMEM. Ack. > >> + >> expr = nft_expr_next(expr); >> } >> >> -- >> 2.42.0 >>
On Thu, Sep 28, 2023 at 07:55:09PM -0700, Joao Moreira wrote: > On 2023-09-28 06:43, Pablo Neira Ayuso wrote: > > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote: > > > From: Joao Moreira <joao.moreira@intel.com> > > > > > > Currently, in nft_flow_rule_create function, num_actions is a signed > > > integer. Yet, it is processed within a loop which increments its > > > value. To prevent an overflow from occurring, make it unsigned and > > > also check if it reaches 256 when being incremented. > > > > > > Accordingly to discussions around v2, 256 actions are more than enough > > > for the frontend actions. > > > > > > After checking with maintainers, it was mentioned that front-end will > > > cap the num_actions value and that it is not possible to reach such > > > condition for an overflow. Yet, for correctness, it is still better to > > > fix this. > > > > > > This issue was observed by the commit author while reviewing a > > > write-up > > > regarding a CVE within the same subsystem [1]. > > > > > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > > > Yes, but this is not related to the netfilter subsystem itself, this > > harderning is good to have for the flow offload infrastructure in > > general. > > Right, I'll try to look up where this would fit in then. I'm not an expert > in the subsystem at all, so should take a minute or two for me to get to it > and send a v4. Thanks. > > > struct nft_expr *expr; > > > > > > expr = nft_expr_first(rule); > > > @@ -99,6 +100,10 @@ struct nft_flow_rule > > > *nft_flow_rule_create(struct net *net, > > > expr->ops->offload_action(expr)) > > > num_actions++; > > > > > > + /* 2^8 is enough for frontend actions, avoid overflow */ > > > + if (num_actions == 256) > > > > This cap is not specific of nf_tables, it should apply to all other > > subsystems. This is the wrong spot. > > Any pointers regarding where I should look at? See flow_rule_alloc().
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 12ab78fa5d84..9a86db1f0e07 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, { struct nft_offload_ctx *ctx; struct nft_flow_rule *flow; - int num_actions = 0, err; + unsigned int num_actions = 0; + int err; struct nft_expr *expr; expr = nft_expr_first(rule); @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr->ops->offload_action(expr)) num_actions++; + /* 2^8 is enough for frontend actions, avoid overflow */ + if (num_actions == 256) + return ERR_PTR(-ENOMEM); + expr = nft_expr_next(expr); }