Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3646436rdh;
        Thu, 28 Sep 2023 19:55:44 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFBJyZh9S+QwRDNvBeNUZMBZP6l2jLRDd1OENtr++P+ZKPcU5sQQM3eV7xk5VeQ+0fNpxWq
X-Received: by 2002:a17:902:efc6:b0:1c5:e9a8:dbc0 with SMTP id ja6-20020a170902efc600b001c5e9a8dbc0mr2838823plb.51.1695956143909;
        Thu, 28 Sep 2023 19:55:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695956143; cv=none;
        d=google.com; s=arc-20160816;
        b=XfhLclrN28lPMfpjUtQjeb0mNPOBUjM5VF2WgbfKiw/j8wkoU72imAQxv8JhbY8jbX
         U9m5bUQ80iW6kj9f0OcdlSB9DflBvZJQr+aMFEodvAPxRo30CdPOD1Nve91uL2CgdU5i
         SF1+1y4w9Oy5eoU1ygWYyAggVGDVoQM+EU9PeYnCbYo6GGJbCHMaVB1vHVOr40ILAnW3
         06hhBXrBRl7dbbvV3cN/eI4hL7UH+mpHZR6Ds5I2u1KVfnvqQn9CALlJoNvm9WbVr16j
         xPChbzJpw5UO6R6F3E+ZHs1giYbt6upPyrwPjpFbnJLJ+gCQx7e9+v6KYl+eDH2JAgV2
         FoWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:message-id:references
         :in-reply-to:subject:cc:to:from:date:mime-version;
        bh=OCq6hjXiobVANwDPw6oH/qRcg+FM3jTwPMdJzFkc+80=;
        fh=Z3cMMUkIJdPK78hMc6yaY32DY1pwVr0zoKQB22dEn/4=;
        b=jN7nAZItNemKcHELKptNh/cIMhgPdl4cxsZdGyRBhCpmqmDwblC89CeRnswpPlGl5c
         oviCxv2Cb0+Jyyu0s7FXvWbCRFX/vMCSIAUrgWul9kd2sZ4CMh1yoFVI3d1m93UMO911
         95XWUBJcIPFJo00TVDLaPRaIcBwiITwjIGCdp5Q5nMNK10QptxJ+IU+xjeQUgto94arT
         aC7UXjCITVKMg3gSA+pxegUVhoAZ5hfAtOO/XwqONohyWHzxURnzWX6pvYgAWrA187oY
         eGmYUIEP/FHd8AenODwLE/tvNs4GXEnQJuSx0Oqjh8xIlgW2Emx90mNvgu0AC8BxpF91
         rc5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id l9-20020a170902f68900b001bdc10170casi16348769plg.36.2023.09.28.19.55.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Sep 2023 19:55:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 302D084AB80C;
	Thu, 28 Sep 2023 19:55:41 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232178AbjI2CzT (ORCPT <rfc822;yangyccccc@gmail.com> + 99 others);
        Thu, 28 Sep 2023 22:55:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43056 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229912AbjI2CzR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Sep 2023 22:55:17 -0400
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::222])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A824F199;
        Thu, 28 Sep 2023 19:55:15 -0700 (PDT)
Received: by mail.gandi.net (Postfix) with ESMTPA id 4E48040003;
        Fri, 29 Sep 2023 02:55:09 +0000 (UTC)
MIME-Version: 1.0
Date:   Thu, 28 Sep 2023 19:55:09 -0700
From:   Joao Moreira <joao@overdrivepizza.com>
To:     Pablo Neira Ayuso <pablo@netfilter.org>
Cc:     netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        rkannoth@marvell.com, wojciech.drewek@intel.com,
        steen.hegenlund@microhip.com, keescook@chromium.org,
        Joao Moreira <joao.moreira@intel.com>
Subject: Re: [PATCH v3 2/2] Make num_actions unsigned
In-Reply-To: <ZRWDCGG5/dP12YEs@calendula>
References: <20230927164715.76744-1-joao@overdrivepizza.com>
 <20230927164715.76744-3-joao@overdrivepizza.com>
 <ZRWDCGG5/dP12YEs@calendula>
Message-ID: <8f531b29873587b4f9b7ee64c745b667@overdrivepizza.com>
X-Sender: joao@overdrivepizza.com
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
X-GND-Sasl: joao@overdrivepizza.com
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 28 Sep 2023 19:55:41 -0700 (PDT)

On 2023-09-28 06:43, Pablo Neira Ayuso wrote:
> On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com 
> wrote:
>> From: Joao Moreira <joao.moreira@intel.com>
>> 
>> Currently, in nft_flow_rule_create function, num_actions is a signed
>> integer. Yet, it is processed within a loop which increments its
>> value. To prevent an overflow from occurring, make it unsigned and
>> also check if it reaches 256 when being incremented.
>> 
>> Accordingly to discussions around v2, 256 actions are more than enough
>> for the frontend actions.
>> 
>> After checking with maintainers, it was mentioned that front-end will
>> cap the num_actions value and that it is not possible to reach such
>> condition for an overflow. Yet, for correctness, it is still better to
>> fix this.
>> 
>> This issue was observed by the commit author while reviewing a 
>> write-up
>> regarding a CVE within the same subsystem [1].
>> 
>> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
> 
> Yes, but this is not related to the netfilter subsystem itself, this
> harderning is good to have for the flow offload infrastructure in
> general.

Right, I'll try to look up where this would fit in then. I'm not an 
expert in the subsystem at all, so should take a minute or two for me to 
get to it and send a v4.

> 
>> Signed-off-by: Joao Moreira <joao.moreira@intel.com>
>> ---
>>  net/netfilter/nf_tables_offload.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/net/netfilter/nf_tables_offload.c 
>> b/net/netfilter/nf_tables_offload.c
>> index 12ab78fa5d84..9a86db1f0e07 100644
>> --- a/net/netfilter/nf_tables_offload.c
>> +++ b/net/netfilter/nf_tables_offload.c
>> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct 
>> net *net,
>>  {
>>  	struct nft_offload_ctx *ctx;
>>  	struct nft_flow_rule *flow;
>> -	int num_actions = 0, err;
>> +	unsigned int num_actions = 0;
>> +	int err;
> 
> reverse xmas tree.

ack.

> 
>>  	struct nft_expr *expr;
>> 
>>  	expr = nft_expr_first(rule);
>> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct 
>> net *net,
>>  		    expr->ops->offload_action(expr))
>>  			num_actions++;
>> 
>> +		/* 2^8 is enough for frontend actions, avoid overflow */
>> +		if (num_actions == 256)
> 
> This cap is not specific of nf_tables, it should apply to all other
> subsystems. This is the wrong spot.

Any pointers regarding where I should look at?

> 
> Moreover, please, add a definition for this, no hardcoded values.

Ack.

> 
>> +			return ERR_PTR(-ENOMEM);
> 
> Better E2BIG or similar, otherwise this propagates to userspace as
> ENOMEM.

Ack.

> 
>> +
>>  		expr = nft_expr_next(expr);
>>  	}
>> 
>> --
>> 2.42.0
>>