From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH v2 1/2] Make loop indexes unsigned
Date: Tue, 26 Sep 2023 19:02:20 -0700
Message-ID: <20230927020221.85292-2-joao@overdrivepizza.com>
In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>
References: <20230927020221.85292-1-joao@overdrivepizza.com>

From: Joao Moreira

Both the flow_rule_alloc and offload_action_alloc functions receive an unsigned num_actions parameter which is then operated on within a loop. The index of this loop is declared as a signed int. If it were possible to pass a large enough num_actions to these functions, it would lead to an out-of-bounds write.

After checking with maintainers, it was mentioned that the front-end will cap the num_actions value and that it is not possible to reach this function with such a large number. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

[1] https://nickgregory.me/post/2022/03/12/cve-2022-25636/
Signed-off-by: Joao Moreira --- net/core/flow_offload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index bc5169482710..bc3f53a09d8f 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c @@ -10,7 +10,7 @@ struct flow_rule *flow_rule_alloc(unsigned int num_actions) { struct flow_rule *rule; - int i; + unsigned int i; rule = kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL); @@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc); struct flow_offload_action *offload_action_alloc(unsigned int num_actions) { struct flow_offload_action *fl_action; - int i; + unsigned int i; fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions), GFP_KERNEL); -- 2.42.0
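Review bot: in the flow_rule_alloc() hunk only the declaration of i changes and the loop that uses it lies outside the three context lines, so the comparison the new type is meant to match cannot be checked from the hunk itself; the visible kzalloc(struct_size(rule, action.entries, num_actions), GFP_KERNEL) also means a num_actions large enough to wrap a signed index would first have to get past struct_size(), which saturates on overflow, and past kzalloc()'s size limit, which supports the commit message's own statement that the out-of-bounds write is not reachable. Consider extending the context to include the for loop and describing the change as making the index type match the unsigned num_actions it is compared with, rather than as fixing a reachable out-of-bounds write.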
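Review bot: the offload_action_alloc() hunk is the same one-line type change as in flow_rule_alloc() and is fine as a pair, but the subject "[PATCH v2 1/2] Make loop indexes unsigned" carries no subsystem prefix although the only file touched is net/core/flow_offload.c; netdev patches are expected to carry one, for example "net: flow_offload: make loop indexes unsigned". As with the first hunk, the for loop over num_actions is not in the shown context, so a larger context would let reviewers confirm that i is only compared with num_actions and used as a subscript.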
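The commit message argues that a signed loop index over an unsigned num_actions could write out of bounds, and that the allocation path keeps such a value from ever reaching the loop. The following userspace model is an added example, not code from net/core/flow_offload.c or from the patch author: it reproduces the shape of flow_rule_alloc() under invented names (struct model_rule, struct model_entry, model_struct_size(), model_kzalloc(), MODEL_ALLOC_MAX and model_alloc_and_count() are all assumptions of this example), puts an overflow-checked size computation in the role the kernel's struct_size() plays, an allocator with a size cap in the role of kzalloc(), and walks the entries with an index of the same unsigned type as the count, as the patch does. It shows that a num_actions beyond INT_MAX is refused at allocation before any loop runs, and that the patched loop initialises exactly num_actions entries.

```c
/*
 * Added example, not kernel code: a userspace model of the
 * flow_rule_alloc() pattern in net/core/flow_offload.c. Every name
 * here (model_*, MODEL_ALLOC_MAX) is invented for the example.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct flow_action_entry (the real one is larger). */
struct model_entry {
	unsigned int id;
	unsigned char payload[60];
};

/* Stand-in for struct flow_rule: a header plus a flexible array. */
struct model_rule {
	unsigned int num_entries;
	struct model_entry entries[];
};

/*
 * Plays the role of struct_size(rule, entries, n): the multiply and add
 * are overflow-checked and the result saturates to SIZE_MAX, so an
 * overflowed count can only make the allocation fail, never make it
 * too small.
 */
static size_t model_struct_size(unsigned int n)
{
	size_t bytes;

	if (__builtin_mul_overflow((size_t)n, sizeof(struct model_entry), &bytes))
		return SIZE_MAX;
	if (__builtin_add_overflow(bytes, sizeof(struct model_rule), &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Cap chosen for the example; stands in for kzalloc() refusing huge sizes. */
#define MODEL_ALLOC_MAX ((size_t)1 << 22)

static void *model_kzalloc(size_t size)
{
	if (size == SIZE_MAX || size > MODEL_ALLOC_MAX)
		return NULL;
	return calloc(1, size);
}

/*
 * Model of flow_rule_alloc() as patched: i has the same type as
 * num_actions, so "i < num_actions" involves no signed/unsigned
 * conversion and i can never become a negative subscript.
 */
static struct model_rule *model_rule_alloc(unsigned int num_actions)
{
	struct model_rule *rule;
	unsigned int i;

	rule = model_kzalloc(model_struct_size(num_actions));
	if (!rule)
		return NULL;

	rule->num_entries = num_actions;
	for (i = 0; i < num_actions; i++)
		rule->entries[i].id = i + 1; /* mark entry i as initialised */

	return rule;
}

/* Allocate, count the entries the loop initialised, free.
 * Returns -1 when the allocation was refused. */
static long model_alloc_and_count(unsigned int num_actions)
{
	struct model_rule *rule = model_rule_alloc(num_actions);
	unsigned int i;
	long n = 0;

	if (!rule)
		return -1;
	for (i = 0; i < rule->num_entries; i++)
		if (rule->entries[i].id == i + 1)
			n++;
	free(rule);
	return n;
}

int main(void)
{
	/* Counts past INT_MAX never reach the loop: the allocation fails. */
	printf("num_actions=0x80000000 -> %ld\n", model_alloc_and_count(0x80000000u));
	printf("num_actions=UINT_MAX   -> %ld\n", model_alloc_and_count(UINT_MAX));
	printf("num_actions=3          -> %ld\n", model_alloc_and_count(3));
	return 0;
}
```

The size cap in model_kzalloc() is the only part that is tuned for the example; on a 64-bit host the multiply in model_struct_size() does not overflow for any unsigned int count, so it is the allocator's refusal of a multi-gigabyte request that stops the oversized count, while on a 32-bit host the saturating size computation stops it first. Either way the loop only ever runs with a count the allocation actually backed.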