From patchwork Wed Sep 27 16:47:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joao Moreira X-Patchwork-Id: 145540 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp2833825vqu; Wed, 27 Sep 2023 11:56:00 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHHZGOJAxjtpzEVnvQw1eGJvs/SP0SKhUMTnCrl+bKrYoPJp1LPDsmukZyvmSlTpwzZiWhY X-Received: by 2002:a9d:4f16:0:b0:6c0:abdd:a875 with SMTP id d22-20020a9d4f16000000b006c0abdda875mr3010974otl.18.1695840960168; Wed, 27 Sep 2023 11:56:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695840960; cv=none; d=google.com; s=arc-20160816; b=A/IUZuLIRfzIeZIUZ97swT8yDSqOb3LKS0yJJzvmxKeIH3rWDeyvPdvpJ9n4V0VQRs c9rhMG8C217H5mdDTbWgXmGaGCcbzRlxTbvvBZh9rgNH4WyOcUp/AbJkdfGW25B0GOOJ Vs2+AICD34oQAr0qrESWVaV6zTlQtrQRgGqLDvQOD5aoK7Hcj77Y0gyJfOfPdlDTdC6U qNiyGFjXOiqwgculnbATXKRI9X3rsxXAml2NMHpchsNYBEsh53P175OWFKK4FfFiOOHX EcTU6fiihH2qfnYlAHFtZt2mYiJD/+pEAO1DHhqsjW13BUeKHLr6LYnrYTs3/dfihrg7 N9tA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=XTwV12iZLATQ82tTWEAW4gokfUjy2O3xXDuIEM5S7Is=; fh=BI+T4F8SA0SHDb6m7HWfv63JWeI34VTzFV+4LHBcWNU=; b=tD4GunhoQMAERg6dYdJQxzSsIlA7KzUe0WP0QP4RWTVORzyd++B/k1o4EqwdcUCFv3 /ZvRqmpOhAuJSVndJKE3zgRrULDXoRkZjHK27UcfSGLzA9p0J8jtaBXUpCEMuOMsaTHd aYL+cW50nl9owDBhCI0fb9vVo8M8YN9Rstp42OaMesIsoK6lFd9p3R/JN1BImxdXXfhB ajsTFe46V31azhPqhzZYOwTya1v3ipI/5NqD2tcvW9kzGDKczdy6ZSFVxRP0aVVbRiRd I6bAllzOk9Q1iNP2/EMzp2Nw2t5lnukIoR8ku5TfmEyGrIaVhXWUnp4m49gqaJwUIarK IAHQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id ck7-20020a056a00328700b0068fb8fa1e71si9784935pfb.207.2023.09.27.11.55.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 11:56:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 58BBD801B709; Wed, 27 Sep 2023 09:47:47 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229542AbjI0Qrl (ORCPT + 19 others); Wed, 27 Sep 2023 12:47:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229521AbjI0Qri (ORCPT ); Wed, 27 Sep 2023 12:47:38 -0400 Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.126]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FA85DE; Wed, 27 Sep 2023 09:47:36 -0700 (PDT) X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="366934590" X-IronPort-AV: E=Sophos;i="6.03,181,1694761200"; d="scan'208";a="366934590" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Sep 2023 09:47:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="922853707" X-IronPort-AV: E=Sophos;i="6.03,181,1694761200"; d="scan'208";a="922853707" Received: from pinksteam.jf.intel.com ([10.165.239.231]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Sep 2023 09:47:35 -0700 From: joao@overdrivepizza.com To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira Subject: [PATCH v3 1/2] Make loop indexes unsigned Date: Wed, 27 Sep 2023 09:47:14 -0700 Message-ID: <20230927164715.76744-2-joao@overdrivepizza.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com> References: <20230927164715.76744-1-joao@overdrivepizza.com> MIME-Version: 1.0 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NEUTRAL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 27 Sep 2023 09:47:47 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778218130562036186 X-GMAIL-MSGID: 1778218130562036186 From: Joao Moreira Both flow_rule_alloc and offload_action_alloc functions received an unsigned num_actions parameters which are then operated within a loop. The index of this loop is declared as a signed int. If it was possible to pass a large enough num_actions to these functions, it would lead to an out of bounds write. After checking with maintainers, it was mentioned that front-end will cap the num_actions value and that it is not possible to reach this function with such a large number. Yet, for correctness, it is still better to fix this. This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1]. 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Signed-off-by: Joao Moreira --- net/core/flow_offload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index bc5169482710..bc3f53a09d8f 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c @@ -10,7 +10,7 @@ struct flow_rule *flow_rule_alloc(unsigned int num_actions) { struct flow_rule *rule; - int i; + unsigned int i; rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL); @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); struct flow_offload_action *offload_action_alloc(unsigned int num_actions) { struct flow_offload_action *fl_action; - int i; + unsigned int i; fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), GFP_KERNEL); From patchwork Wed Sep 27 16:47:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joao Moreira X-Patchwork-Id: 145536 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp2833010vqu; Wed, 27 Sep 2023 11:54:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFYFw5vq425AI+kG1X2EGkf4TrBluOEQNVzYhmJv9GoJ65tBzqHHznrOJxayfU/g11t9IEC X-Received: by 2002:a17:902:a416:b0:1b8:90bd:d157 with SMTP id p22-20020a170902a41600b001b890bdd157mr2631056plq.26.1695840847739; Wed, 27 Sep 2023 11:54:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695840847; cv=none; d=google.com; s=arc-20160816; b=acJgWcNZQ/xD9t4CV822jv3rWTtQ2Q417C9oBrlXdsQ0MOagu93lFpf0ubyRWFrRNT 9V++W6CsHqpfzHmtgST1OP2fytrWsu1Bzs27HsvRzwWO7ylHTL5cD6k5OeSsp1Lhtsi4 o618be0b2eNcEL4pTDK8uBJJ1Vs7s6Bl87/ZK0D6ElCN2FyivSE/41oAlC47qZbmeIr2 9L6F+OE2kB4Y+QR1FIZKoTDWf54G9OMstwMtQ0qgeKgmuu2hb6x4wIo/pSWYwuU1j46M mf0r/HY4O/xmzSTc3zNzV1+rVWHWUoP+QXVKX2bnhlde9w3eicOpcyd+JfXNTgQSK7HF Drsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=HfU8VZCvm4/6ZNolDEiKpu8EhPRabZTL0yZDdztsqs4=; fh=BI+T4F8SA0SHDb6m7HWfv63JWeI34VTzFV+4LHBcWNU=; b=U4ytSSDPXTf1MxOCrtxGnXbvic/oPDyAIIx8ChMjflsJUYt3+9wZfS33IoEpjy73fM CbvqJ440/lllPICEbNZyt29OFyXHUMw6V0rl2UofWFs7K+zG1MOKdGCgSjlPyZfydnVh B8RYmDfudFmXvZtpA4Hr8TJiF5WFrTvyRKbelAaaSZuy07fGaBUsTTiyBa0hMVm3gjhy MVMiRrVcTaU9LiHMvxhog87hYX5KOhuOunIlJ+fmzKpgUR+nLwsSIR8jF7jnGE4YO7cF xgzUXqOqBd4bKxgZjYr25HrbELzag8oWv2BsMU1Row5N8A5g2IHXmmSXEI0na4PRCVq5 kP5g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id ay6-20020a1709028b8600b001bc52116351si16101162plb.70.2023.09.27.11.54.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 11:54:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 0ECF2801B736; Wed, 27 Sep 2023 09:47:49 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229487AbjI0Qro (ORCPT + 19 others); Wed, 27 Sep 2023 12:47:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60314 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229534AbjI0Qrj (ORCPT ); Wed, 27 Sep 2023 12:47:39 -0400 Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.126]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9186CEB; Wed, 27 Sep 2023 09:47:37 -0700 (PDT) X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="366934607" X-IronPort-AV: E=Sophos;i="6.03,181,1694761200"; d="scan'208";a="366934607" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Sep 2023 09:47:37 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10846"; a="922853712" X-IronPort-AV: E=Sophos;i="6.03,181,1694761200"; d="scan'208";a="922853712" Received: from pinksteam.jf.intel.com ([10.165.239.231]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Sep 2023 09:47:37 -0700 From: joao@overdrivepizza.com To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira Subject: [PATCH v3 2/2] Make num_actions unsigned Date: Wed, 27 Sep 2023 09:47:15 -0700 Message-ID: <20230927164715.76744-3-joao@overdrivepizza.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com> References: <20230927164715.76744-1-joao@overdrivepizza.com> MIME-Version: 1.0 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NEUTRAL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 27 Sep 2023 09:47:49 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778218012734061259 X-GMAIL-MSGID: 1778218012734061259 From: Joao Moreira Currently, in nft_flow_rule_create function, num_actions is a signed integer. Yet, it is processed within a loop which increments its value. To prevent an overflow from occurring, make it unsigned and also check if it reaches 256 when being incremented. Accordingly to discussions around v2, 256 actions are more than enough for the frontend actions. After checking with maintainers, it was mentioned that front-end will cap the num_actions value and that it is not possible to reach such condition for an overflow. Yet, for correctness, it is still better to fix this. This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1]. 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Signed-off-by: Joao Moreira --- net/netfilter/nf_tables_offload.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 12ab78fa5d84..9a86db1f0e07 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, { struct nft_offload_ctx *ctx; struct nft_flow_rule *flow; - int num_actions = 0, err; + unsigned int num_actions = 0; + int err; struct nft_expr *expr; expr = nft_expr_first(rule); @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr->ops->offload_action(expr)) num_actions++; + /* 2^8 is enough for frontend actions, avoid overflow */ + if (num_actions == 256) + return ERR_PTR(-ENOMEM); + expr = nft_expr_next(expr); }