From: joao@overdrivepizza.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com
Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira
Subject: [PATCH v3 2/2] Make num_actions unsigned
Date: Wed, 27 Sep 2023 09:47:15 -0700
Message-ID: <20230927164715.76744-3-joao@overdrivepizza.com>
In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com>
References: <20230927164715.76744-1-joao@overdrivepizza.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Joao Moreira

Currently, in nft_flow_rule_create function, num_actions is a signed integer. Yet, it is processed within a loop which increments its value. To prevent an overflow from occurring, make it unsigned and also check if it reaches 256 when being incremented.

According to discussions around v2, 256 actions are more than enough for the frontend actions.

After checking with maintainers, it was mentioned that front-end will cap the num_actions value and that it is not possible to reach such condition for an overflow. Yet, for correctness, it is still better to fix this.

This issue was observed by the commit author while reviewing a write-up regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira

--- net/netfilter/nf_tables_offload.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 12ab78fa5d84..9a86db1f0e07 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, { struct nft_offload_ctx *ctx; struct nft_flow_rule *flow; - int num_actions = 0, err; + unsigned int num_actions = 0; + int err; struct nft_expr *expr; expr = nft_expr_first(rule); @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr->ops->offload_action(expr)) num_actions++; + /* 2^8 is enough for frontend actions, avoid overflow */ + if (num_actions == 256) + return ERR_PTR(-ENOMEM); + expr = nft_expr_next(expr); } -- 2.42.0
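Review bot: In the first hunk (@@ -90,7 +90,8), the declaration changes to "unsigned int num_actions = 0;" but nothing in the patch shows where the count is consumed after the loop. If it is later passed to a function or stored in a field typed int, the signedness change stops at that boundary and the implicit conversion hides it. Please confirm the consumer's parameter type matches, or state in the commit message that it was checked. As a style point, the subject "Make num_actions unsigned" carries no subsystem prefix, which makes the patch harder to route and to find in the log.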
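Review bot: In the second hunk (@@ -99,6 +100,10), the test "if (num_actions == 256)" runs right after the increment, so a rule is rejected when it reaches its 256th action and the accepted maximum is 255, while the commit message says 256 actions are enough; please make the comment and the message state the limit the code actually enforces. The bare 256 would read better as a named constant shared with whatever caps the value in the front-end. Returning ERR_PTR(-ENOMEM) reports an allocation failure where none was attempted; an errno that says the rule is too large (for example -E2BIG) would let callers tell the two cases apart. The check also sits outside the unbraced if that performs num_actions++, so it is evaluated on every expression, not only when the counter changes; moving it into that branch with braces would keep the test next to the increment it guards.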