Date: Thu, 31 Aug 2023 22:46:49 -0700
From: Joao Moreira
To: Jakub Kicinski
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: Re: [PATCH 0/2] Prevent potential write out of bounds
In-Reply-To: <20230831182800.25e5d4d9@kernel.org>
References: <20230901010437.126631-1-joao@overdrivepizza.com> <20230831182800.25e5d4d9@kernel.org>
Message-ID: <00d4a104c17d92562f03042c31ea664b@overdrivepizza.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023-08-31 18:28, Jakub Kicinski wrote:
> On Thu, 31 Aug 2023 18:04:35 -0700 joao@overdrivepizza.com wrote:
>> The function flow_rule_alloc in net/core/flow_offload.c [2] gets an
>> unsigned int num_actions (line 10) and later traverses the actions in
>> the rule (line 24), setting hw.stats to FLOW_ACTION_HW_STATS_DONT_CARE.
>>
>> Within the same file, the loop at line 24 compares a signed int
>> (i) to an unsigned int (num_actions), and then uses i as an array
>> index. If an integer overflow happens, then the array within the loop
>> is wrongly indexed, causing a write out of bounds.
>>
>> After checking with maintainers, it seems that the front-end caps the
>> maximum value of num_actions, thus it is not possible to reach the
>> given write out of bounds; yet, still, to prevent disasters it is
>> better to fix the signedness here.
>
> How did you find this? The commit messages should include info
> about how the issue was discovered.

Sure, I'll wait a bit longer for more suggestions and add the info in a
next patch version.

Meanwhile, FWIW, I stumbled on the bug when I was reading Nick Gregory's
write-up on CVE-2022-25636 [1], which happens nearby but is not exactly
this issue.

Tks,
Joao

[1] - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
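The signed/unsigned comparison the thread is about, as an added example that is not part of the patch or of net/core/flow_offload.c. It models only the loop condition from flow_rule_alloc (`int i` compared against `unsigned int num_actions`) and the fixed form with an unsigned index; the function names here (continues_signed_index, signed_index_can_go_negative, num_actions_fits_int_index) and the "2^31 actions" value are constructed for the illustration. It assumes a two's complement int and never performs the signed overflow itself (that is undefined behaviour); it feeds the post-wrap value INT_MIN to the comparison to show why the loop keeps running with a negative subscript.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example (not the patch or kernel code). Under C's usual arithmetic
 * conversions, comparing an int with an unsigned int converts the int to
 * unsigned first. A negative index therefore turns into a large unsigned
 * value, so the condition `i < num_actions` no longer means what it reads as.
 * Assumption: two's complement, so an overflowed counter reads as INT_MIN.
 */

/* The condition as written in the buggy loop: signed i against unsigned n. */
bool continues_signed_index(int i, unsigned int n)
{
    return i < n;   /* i is converted to unsigned int before comparing */
}

/* The condition after the signedness fix: both operands unsigned. */
bool continues_unsigned_index(unsigned int i, unsigned int n)
{
    return i < n;   /* i can never be negative, so no hidden conversion */
}

/*
 * Can a signed int counter driving this loop reach a negative subscript?
 * It can only overflow if the loop is still running at i == INT_MAX, i.e.
 * if n > INT_MAX. After the wrap the counter is INT_MIN; if the condition
 * still says "continue", the next access uses a negative array index.
 */
bool signed_index_can_go_negative(unsigned int n)
{
    if (n <= (unsigned int)INT_MAX)
        return false;             /* loop ends before the counter can overflow */
    return continues_signed_index(INT_MIN, n);
}

/* Defender's input check: the largest count an int index can safely walk. */
bool num_actions_fits_int_index(unsigned int num_actions)
{
    return num_actions <= (unsigned int)INT_MAX;
}

int main(void)
{
    unsigned int big = (unsigned int)INT_MAX + 1u;  /* constructed: 2^31 actions */

    printf("i=-1 < n=5, signed i:            %d  (-1 becomes UINT_MAX)\n",
           continues_signed_index(-1, 5u));
    printf("i=INT_MIN < n=2^31+1, signed i:  %d  (loop continues, i negative)\n",
           continues_signed_index(INT_MIN, big + 1u));
    printf("can go negative, n=100:          %d\n", signed_index_can_go_negative(100u));
    printf("can go negative, n=2^31:         %d\n", signed_index_can_go_negative(big));
    printf("can go negative, n=2^31+1:       %d\n", signed_index_can_go_negative(big + 1u));
    printf("num_actions=2^31 fits int index: %d\n", num_actions_fits_int_index(big));
    return 0;
}
```

The interesting boundary is n == 2^31: the counter wraps to INT_MIN, which converts to exactly 2^31, so the comparison fails and the loop stops in time; one more action and the wrapped counter passes the check and the next write lands at a negative offset. Switching the index to unsigned, as the patch does, removes that path regardless of what the front-end caps num_actions at.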