From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH 0/2] Prevent potential write out of bounds
Date: Thu, 31 Aug 2023 18:04:35 -0700
Message-ID: <20230901010437.126631-1-joao@overdrivepizza.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Joao Moreira

The function flow_rule_alloc in net/core/flow_offload.c [2] gets an unsigned int num_actions (line 10) and later traverses the actions in the rule (line 24) setting hw.stats to FLOW_ACTION_HW_STATS_DONT_CARE. Within the same file, the loop in line 24 compares a signed int (i) to an unsigned int (num_actions), and then uses i as an array index. If an integer overflow happens, then the array within the loop is wrongly indexed, causing a write out of bounds.

After checking with maintainers, it seems that the front-end caps the maximum value of num_actions, thus it is not possible to reach the given write out of bounds; yet still, to prevent disasters, it is better to fix the signedness here.

Similarly, it is also good to ensure that an overflow won't happen in net/netfilter/nf_tables_offload.c's function nft_flow_rule_create by checking that num_actions is not negative.

Tks,

Joao Moreira (2):
  Make loop indexes unsigned
  Ensure num_actions is not a negative

 net/core/flow_offload.c           | 4 ++--
 net/netfilter/nf_tables_offload.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

-- 
2.41.0
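As an added example, not code from the patch series or the kernel: a userspace C model of the two fixes the cover letter describes, an unsigned loop index in the flow_rule_alloc() loop and a negative-value guard on num_actions in the caller. The names flow_rule_alloc_model, nft_flow_rule_create_model, alloc_and_verify and MAX_ACTIONS, the placeholder value of FLOW_ACTION_HW_STATS_DONT_CARE, and the simplified struct layout are all assumptions of this example.

```c
#include <stdlib.h>

/* Constructed placeholders; the kernel's real values differ. */
#define FLOW_ACTION_HW_STATS_DONT_CARE 0x7
#define MAX_ACTIONS 64u   /* stands in for the front-end cap */

struct flow_action_entry { int hw_stats; };
struct flow_rule { unsigned int num_entries; struct flow_action_entry entries[]; };

/* Patch 1 model: the loop index shares num_actions' unsigned type, so the
 * comparison never mixes signedness and i can never wrap negative. */
struct flow_rule *flow_rule_alloc_model(unsigned int num_actions)
{
    struct flow_rule *rule;
    unsigned int i;
    if (num_actions > MAX_ACTIONS)   /* also rejects (unsigned)-1 */
        return NULL;
    rule = calloc(1, sizeof(*rule) + num_actions * sizeof(rule->entries[0]));
    if (!rule)
        return NULL;
    rule->num_entries = num_actions;
    for (i = 0; i < num_actions; i++)
        rule->entries[i].hw_stats = FLOW_ACTION_HW_STATS_DONT_CARE;
    return rule;
}

/* Patch 2 model: the caller counts in a signed int; reject negatives
 * before the implicit conversion to unsigned turns them into a huge size. */
struct flow_rule *nft_flow_rule_create_model(int num_actions)
{
    if (num_actions < 0)
        return NULL;
    return flow_rule_alloc_model((unsigned int)num_actions);
}

/* Test helper: 1 only if exactly n entries exist and all are DONT_CARE. */
int alloc_and_verify(int n)
{
    struct flow_rule *rule = nft_flow_rule_create_model(n);
    unsigned int i, ok;
    if (!rule)
        return 0;
    ok = rule->num_entries == (unsigned int)n;
    for (i = 0; i < rule->num_entries; i++)
        if (rule->entries[i].hw_stats != FLOW_ACTION_HW_STATS_DONT_CARE)
            ok = 0;
    free(rule);
    return (int)ok;
}
```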