From patchwork Wed Sep 27 02:02:20 2023
From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH v2 1/2] Make loop indexes unsigned
Date: Tue, 26 Sep 2023 19:02:20 -0700
Message-ID: <20230927020221.85292-2-joao@overdrivepizza.com>
In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>
References: <20230927020221.85292-1-joao@overdrivepizza.com>
From: Joao Moreira

Both the flow_rule_alloc and offload_action_alloc functions receive an unsigned num_actions parameter which is then operated on within a loop. The index of this loop is declared as a signed int. If it was possible to pass a large enough num_actions to these functions, it would lead to an out of bounds write.

After checking with maintainers, it was mentioned that the front-end will cap the num_actions value and that it is not possible to reach this function with such a large number. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira
---
net/core/flow_offload.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index bc5169482710..bc3f53a09d8f 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c @@ -10,7 +10,7 @@ struct flow_rule *flow_rule_alloc(unsigned int num_actions) { struct flow_rule *rule; - int i; + unsigned int i; rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL);
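Review bot: the out-of-bounds write described in the commit message is not reachable through this hunk, and the message should say so. The buffer is sized from the same count, `rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL);`, so any num_actions large enough to overflow a signed `i` would require an allocation of more than two billion entries, which kzalloc will not satisfy, and the loop never runs. The change is still right as a type-consistency fix (an unsigned index iterating up to an unsigned bound avoids a signed counter being compared against an unsigned limit), which also matches the maintainers' remark about the front end capping the value; the identical `- int i; + unsigned int i;` change in offload_action_alloc has the same property for the same reason.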
@@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); struct flow_offload_action *offload_action_alloc(unsigned int num_actions) { struct flow_offload_action *fl_action; - int i; + unsigned int i; fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), GFP_KERNEL);

From patchwork Wed Sep 27 02:02:21 2023
From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH v2 2/2] Make num_actions unsigned
Date: Tue, 26 Sep 2023 19:02:21 -0700
Message-ID: <20230927020221.85292-3-joao@overdrivepizza.com>
In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>
References: <20230927020221.85292-1-joao@overdrivepizza.com>
From: Joao Moreira

Currently, in the nft_flow_rule_create function, num_actions is a signed integer. Yet, it is processed within a loop which increments its value. To prevent an overflow from occurring, make it unsigned and also check if it reaches UINT_MAX when being incremented.

After checking with maintainers, it was mentioned that the front-end will cap the num_actions value and that it is not possible to reach such a condition for an overflow. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira
---
net/netfilter/nf_tables_offload.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 12ab78fa5d84..d25088791a74 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, { struct nft_offload_ctx *ctx; struct nft_flow_rule *flow; - int num_actions = 0, err; + unsigned int num_actions = 0; + int err; struct nft_expr *expr; expr = nft_expr_first(rule); @@ -99,6 +100,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr->ops->offload_action(expr)) num_actions++; + if (num_actions == UINT_MAX) + return ERR_PTR(-ENOMEM); + expr = nft_expr_next(expr); }
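Review bot: in the first hunk, changing the declaration to `unsigned int num_actions = 0;` only widens the range if everything the count is later passed to also takes an unsigned parameter; if the function that allocates the rule from this count still declares a signed parameter, the value is silently narrowed back at the call site, so please check that prototype and update it in the same series (patch 1/2 leaves flow_rule_alloc's already-unsigned num_actions parameter alone, which is consistent). Splitting `err` into its own declaration is fine.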
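Review bot: in the second hunk, the `if (num_actions == UINT_MAX)` guard is placed after the increment but outside the branch that performs it, so it executes for every expression instead of only when the count changes; putting it directly under `num_actions++` (or counting with check_add_overflow() from linux/overflow.h) keeps the check beside the operation it protects. The check is otherwise sound, since returning once the count reaches UINT_MAX guarantees it can never wrap. -ENOMEM is a misleading errno for "too many offloadable actions"; -E2BIG or -EINVAL describes the condition better. Please also confirm that nothing acquired earlier in the function needs releasing on this new early-return path.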