Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3245996rdh; Thu, 28 Sep 2023 06:47:54 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHibyUfjOzdZCAMLnIn3Kl2SnykD0kbeaAyOX5gjs+aMKjcg2CiYxJHJkgpDFSogkZIuSwC X-Received: by 2002:a17:902:e5d1:b0:1c3:e5bf:a9fe with SMTP id u17-20020a170902e5d100b001c3e5bfa9femr2160977plf.30.1695908873899; Thu, 28 Sep 2023 06:47:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695908873; cv=none; d=google.com; s=arc-20160816; b=Zi46XgIC9VhhH3DOFCzIY+ZrEcJGhuOBRpF4JycBV6m5iwCFCO/p3h4Fgq9t347Qzg 4VPutFRzQaKpBINLF11lKereNYgaFXIGC5IFo9jLo8pmnyhGPU2b9f3ySwjrwCJ6hA63 /lE7Vi/l5e1aVC9tgrR2XXA3a+faNfEbu4QFYwybwryslZ+IatfAPwoAXaPSQRul3Cu8 V0j1m1NrdBkZUhbDCYJlUlMFgSAUyHU/7ppm20BvcEQCTGe62R8WncZ0wyKQpxysFoaV XOO0JsV6uLeCpD/9jVTzI803n1Z7vISaUZTKGxg5twCCjzHy1vpvirHiK7J3Kfq8u9r8 Ml2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=QCLsGPDCql/pU1Vnk6wm5eDk23vTv0aoW+XW1OmNu6g=; fh=0s5vfmZDbl1esSnUK0ZxnNhgSQTQAi6eA0fFHaF7pEg=; b=qRxOQ3puHq53eNobLgshjjjmHDlKt2+/6yi2MWYOmM8xFP5Av/oWfylu40VX2lsNfC 5cpDh7di7k3QkncOCpaoW70rXPE+x6q00fQzRvXSpsMkTwBZjmgAha2176jKrJErHlGi hS5wja+uB2j7My9+x8P9Cn6hQxZAgNx11hnasid5X7kOWTNk/An02W+TtSI1pa0VZ4kT zaISRq1ljJTCK8nbR2wIMolg6fbJKcc2iM/vzF2vJzEr/uWqgl8D8aBj6j6Ul+c9+0VR P5ss6zWGecbELS9G8dtyhU8u2lUzUjJ4txJYSnOqX3VErbUKkjTgo1XWr87cO1v0SPwS VfRQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id m8-20020a170902db0800b001c41515c4c7si11069584plx.115.2023.09.28.06.47.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 06:47:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id D91EE804B297; Thu, 28 Sep 2023 06:44:01 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232302AbjI1Nnq (ORCPT + 99 others); Thu, 28 Sep 2023 09:43:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59398 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231966AbjI1Nno (ORCPT ); Thu, 28 Sep 2023 09:43:44 -0400 Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [IPv6:2001:780:45:1d:225:90ff:fe52:c662]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 729CC136; Thu, 28 Sep 2023 06:43:42 -0700 (PDT) Received: from [78.30.34.192] (port=35962 helo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qlrIm-002BVs-Ok; Thu, 28 Sep 2023 15:43:39 +0200 Date: Thu, 28 Sep 2023 15:43:36 +0200 From: Pablo Neira Ayuso To: joao@overdrivepizza.com Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira Subject: Re: [PATCH v3 2/2] Make num_actions unsigned Message-ID: References: <20230927164715.76744-1-joao@overdrivepizza.com> <20230927164715.76744-3-joao@overdrivepizza.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20230927164715.76744-3-joao@overdrivepizza.com> X-Spam-Score: -1.9 (-) X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 28 Sep 2023 06:44:02 -0700 (PDT) On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote: > From: Joao Moreira > > Currently, in nft_flow_rule_create function, num_actions is a signed > integer. Yet, it is processed within a loop which increments its > value. To prevent an overflow from occurring, make it unsigned and > also check if it reaches 256 when being incremented. > > Accordingly to discussions around v2, 256 actions are more than enough > for the frontend actions. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions value and that it is not possible to reach such > condition for an overflow. Yet, for correctness, it is still better to > fix this. > > This issue was observed by the commit author while reviewing a write-up > regarding a CVE within the same subsystem [1]. > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Yes, but this is not related to the netfilter subsystem itself, this harderning is good to have for the flow offload infrastructure in general. > Signed-off-by: Joao Moreira > --- > net/netfilter/nf_tables_offload.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index 12ab78fa5d84..9a86db1f0e07 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > { > struct nft_offload_ctx *ctx; > struct nft_flow_rule *flow; > - int num_actions = 0, err; > + unsigned int num_actions = 0; > + int err; reverse xmas tree. > struct nft_expr *expr; > > expr = nft_expr_first(rule); > @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > expr->ops->offload_action(expr)) > num_actions++; > > + /* 2^8 is enough for frontend actions, avoid overflow */ > + if (num_actions == 256) This cap is not specific of nf_tables, it should apply to all other subsystems. This is the wrong spot. Moreover, please, add a definition for this, no hardcoded values. > + return ERR_PTR(-ENOMEM); Better E2BIG or similar, otherwise this propagates to userspace as ENOMEM. > + > expr = nft_expr_next(expr); > } > > -- > 2.42.0 >