Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3646436rdh; Thu, 28 Sep 2023 19:55:44 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFBJyZh9S+QwRDNvBeNUZMBZP6l2jLRDd1OENtr++P+ZKPcU5sQQM3eV7xk5VeQ+0fNpxWq X-Received: by 2002:a17:902:efc6:b0:1c5:e9a8:dbc0 with SMTP id ja6-20020a170902efc600b001c5e9a8dbc0mr2838823plb.51.1695956143909; Thu, 28 Sep 2023 19:55:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695956143; cv=none; d=google.com; s=arc-20160816; b=XfhLclrN28lPMfpjUtQjeb0mNPOBUjM5VF2WgbfKiw/j8wkoU72imAQxv8JhbY8jbX U9m5bUQ80iW6kj9f0OcdlSB9DflBvZJQr+aMFEodvAPxRo30CdPOD1Nve91uL2CgdU5i SF1+1y4w9Oy5eoU1ygWYyAggVGDVoQM+EU9PeYnCbYo6GGJbCHMaVB1vHVOr40ILAnW3 06hhBXrBRl7dbbvV3cN/eI4hL7UH+mpHZR6Ds5I2u1KVfnvqQn9CALlJoNvm9WbVr16j xPChbzJpw5UO6R6F3E+ZHs1giYbt6upPyrwPjpFbnJLJ+gCQx7e9+v6KYl+eDH2JAgV2 FoWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:references :in-reply-to:subject:cc:to:from:date:mime-version; bh=OCq6hjXiobVANwDPw6oH/qRcg+FM3jTwPMdJzFkc+80=; fh=Z3cMMUkIJdPK78hMc6yaY32DY1pwVr0zoKQB22dEn/4=; b=jN7nAZItNemKcHELKptNh/cIMhgPdl4cxsZdGyRBhCpmqmDwblC89CeRnswpPlGl5c oviCxv2Cb0+Jyyu0s7FXvWbCRFX/vMCSIAUrgWul9kd2sZ4CMh1yoFVI3d1m93UMO911 95XWUBJcIPFJo00TVDLaPRaIcBwiITwjIGCdp5Q5nMNK10QptxJ+IU+xjeQUgto94arT aC7UXjCITVKMg3gSA+pxegUVhoAZ5hfAtOO/XwqONohyWHzxURnzWX6pvYgAWrA187oY eGmYUIEP/FHd8AenODwLE/tvNs4GXEnQJuSx0Oqjh8xIlgW2Emx90mNvgu0AC8BxpF91 rc5Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id l9-20020a170902f68900b001bdc10170casi16348769plg.36.2023.09.28.19.55.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 19:55:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 302D084AB80C; Thu, 28 Sep 2023 19:55:41 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232178AbjI2CzT (ORCPT + 99 others); Thu, 28 Sep 2023 22:55:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229912AbjI2CzR (ORCPT ); Thu, 28 Sep 2023 22:55:17 -0400 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::222]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A824F199; Thu, 28 Sep 2023 19:55:15 -0700 (PDT) Received: by mail.gandi.net (Postfix) with ESMTPA id 4E48040003; Fri, 29 Sep 2023 02:55:09 +0000 (UTC) MIME-Version: 1.0 Date: Thu, 28 Sep 2023 19:55:09 -0700 From: Joao Moreira To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira Subject: Re: [PATCH v3 2/2] Make num_actions unsigned In-Reply-To: References: <20230927164715.76744-1-joao@overdrivepizza.com> <20230927164715.76744-3-joao@overdrivepizza.com> Message-ID: <8f531b29873587b4f9b7ee64c745b667@overdrivepizza.com> X-Sender: joao@overdrivepizza.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-GND-Sasl: joao@overdrivepizza.com X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 28 Sep 2023 19:55:41 -0700 (PDT) On 2023-09-28 06:43, Pablo Neira Ayuso wrote: > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com > wrote: >> From: Joao Moreira >> >> Currently, in nft_flow_rule_create function, num_actions is a signed >> integer. Yet, it is processed within a loop which increments its >> value. To prevent an overflow from occurring, make it unsigned and >> also check if it reaches 256 when being incremented. >> >> Accordingly to discussions around v2, 256 actions are more than enough >> for the frontend actions. >> >> After checking with maintainers, it was mentioned that front-end will >> cap the num_actions value and that it is not possible to reach such >> condition for an overflow. Yet, for correctness, it is still better to >> fix this. >> >> This issue was observed by the commit author while reviewing a >> write-up >> regarding a CVE within the same subsystem [1]. >> >> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > Yes, but this is not related to the netfilter subsystem itself, this > harderning is good to have for the flow offload infrastructure in > general. Right, I'll try to look up where this would fit in then. I'm not an expert in the subsystem at all, so should take a minute or two for me to get to it and send a v4. > >> Signed-off-by: Joao Moreira >> --- >> net/netfilter/nf_tables_offload.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/net/netfilter/nf_tables_offload.c >> b/net/netfilter/nf_tables_offload.c >> index 12ab78fa5d84..9a86db1f0e07 100644 >> --- a/net/netfilter/nf_tables_offload.c >> +++ b/net/netfilter/nf_tables_offload.c >> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> { >> struct nft_offload_ctx *ctx; >> struct nft_flow_rule *flow; >> - int num_actions = 0, err; >> + unsigned int num_actions = 0; >> + int err; > > reverse xmas tree. ack. > >> struct nft_expr *expr; >> >> expr = nft_expr_first(rule); >> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> expr->ops->offload_action(expr)) >> num_actions++; >> >> + /* 2^8 is enough for frontend actions, avoid overflow */ >> + if (num_actions == 256) > > This cap is not specific of nf_tables, it should apply to all other > subsystems. This is the wrong spot. Any pointers regarding where I should look at? > > Moreover, please, add a definition for this, no hardcoded values. Ack. > >> + return ERR_PTR(-ENOMEM); > > Better E2BIG or similar, otherwise this propagates to userspace as > ENOMEM. Ack. > >> + >> expr = nft_expr_next(expr); >> } >> >> -- >> 2.42.0 >>