Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp2278457rdh;
        Tue, 26 Sep 2023 19:40:12 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGC3QrFnHqEDPdFX6D8Vca0/IhZvQWypoXyCq7fPSJPnNJLJtBYMV49DLEDMPBMOyZ9e+LG
X-Received: by 2002:a05:6a20:12ca:b0:151:35ad:f327 with SMTP id v10-20020a056a2012ca00b0015135adf327mr805051pzg.17.1695782411842;
        Tue, 26 Sep 2023 19:40:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695782411; cv=none;
        d=google.com; s=arc-20160816;
        b=qVcIUBrTKbPC3movK//wKej0Suw7ZfR5BcuvEES501D9kRHmuZukORgReRMkcnMe9S
         mgLHtLOJIuOhMQFjV3x2aDwY6yYBy63xEGNGFexSb43XYwiTxfqMebEtZ5hlAMGAkeUu
         2ybNocfephNzQXdqRXf1Llh0YB43S8FzSmHRsgSUc+tZ9/S64u7Oy/2CpM2XU63CIk5R
         n5GWerrXpwp5xx/be9h1+1wKwVl7kJ6wOofim7syjk3OQllEpUfQqciQA7kJxYWLhJtm
         SLwulAmXysEkmsBN+PmtlF/wk+Gyt1PLdQYWFpD7nhgIM+0ONyhloDBiwY1Q+hGT8A+u
         MEJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=XTwV12iZLATQ82tTWEAW4gokfUjy2O3xXDuIEM5S7Is=;
        fh=BI+T4F8SA0SHDb6m7HWfv63JWeI34VTzFV+4LHBcWNU=;
        b=uw7pEa+40EaOOFC+dcKM7Wcv/sERM9F8fHCVacCxPM6oNdngytFUNtnh1bVANVA5xf
         PmfeS6jqM3Xf4wfrwqvUKjH/yuOWx/UP4EHLYex883buU3yWChzlbeT2sv2eh6yAvSVY
         EmhbwC9YIAT0bg3EWevUR6XG789M/y/U323t9uGgnTf3YZ1PFfZcTRFoVkyQ3v6+k9wQ
         /CMa7IIxxqx4WUH+7G1bwhxnWIhqyqgsK2ogDTcDwTManGGPzuBKwSAyw7w5qUe/7e4T
         tf9+nxlipesfqcTGZkbmCxHg1M4WFRgDzPFMV8NmmS+UppvYqIxLR0tarQjyAxxDVw2L
         jlcw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id u7-20020a170902e5c700b001bdf6eb05f2si4921358plf.227.2023.09.26.19.40.11
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 26 Sep 2023 19:40:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 351E48250250;
	Tue, 26 Sep 2023 19:40:07 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234756AbjI0Cjx (ORCPT <rfc822;bharatb.linux@gmail.com>
        + 99 others); Tue, 26 Sep 2023 22:39:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45020 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233436AbjI0Chv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Sep 2023 22:37:51 -0400
Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.65])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F1631C26B;
        Tue, 26 Sep 2023 19:02:55 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="6600,9927,10845"; a="385565342"
X-IronPort-AV: E=Sophos;i="6.03,179,1694761200"; 
   d="scan'208";a="385565342"
Received: from orsmga006.jf.intel.com ([10.7.209.51])
  by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Sep 2023 19:02:39 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10845"; a="725628836"
X-IronPort-AV: E=Sophos;i="6.03,179,1694761200"; 
   d="scan'208";a="725628836"
Received: from pinksteam.jf.intel.com ([10.165.239.231])
  by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Sep 2023 19:02:39 -0700
From:   joao@overdrivepizza.com
To:     pablo@netfilter.org, netfilter-devel@vger.kernel.org,
        coreteam@netfilter.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc:     kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        rkannoth@marvell.com, wojciech.drewek@intel.com,
        steen.hegenlund@microhip.com, keescook@chromium.org,
        Joao Moreira <joao.moreira@intel.com>
Subject: [PATCH v2 1/2] Make loop indexes unsigned
Date:   Tue, 26 Sep 2023 19:02:20 -0700
Message-ID: <20230927020221.85292-2-joao@overdrivepizza.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20230927020221.85292-1-joao@overdrivepizza.com>
References: <20230927020221.85292-1-joao@overdrivepizza.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 26 Sep 2023 19:40:07 -0700 (PDT)

From: Joao Moreira <joao.moreira@intel.com>

Both flow_rule_alloc and offload_action_alloc functions received an
unsigned num_actions parameters which are then operated within a loop.
The index of this loop is declared as a signed int. If it was possible
to pass a large enough num_actions to these functions, it would lead to
an out of bounds write.

After checking with maintainers, it was mentioned that front-end will
cap the num_actions value and that it is not possible to reach this
function with such a large number. Yet, for correctness, it is still
better to fix this.

This issue was observed by the commit author while reviewing a write-up
regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira <joao.moreira@intel.com>
---
 net/core/flow_offload.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index bc5169482710..bc3f53a09d8f 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -10,7 +10,7 @@
 struct flow_rule *flow_rule_alloc(unsigned int num_actions)
 {
 	struct flow_rule *rule;
-	int i;
+	unsigned int i;
 
 	rule = kzalloc(struct_size(rule, action.entries, num_actions),
 		       GFP_KERNEL);
@@ -31,7 +31,7 @@ EXPORT_SYMBOL(flow_rule_alloc);
 struct flow_offload_action *offload_action_alloc(unsigned int num_actions)
 {
 	struct flow_offload_action *fl_action;
-	int i;
+	unsigned int i;
 
 	fl_action = kzalloc(struct_size(fl_action, action.entries, num_actions),
 			    GFP_KERNEL);
-- 
2.42.0