Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3760020rdh; Fri, 29 Sep 2023 01:10:06 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGHClgaHvedC9lDKYXYLjNmc7ZxbaBT8lbDTns2wljWfdjRFfWTwhkvkV2u9zZgFQmN1MaC X-Received: by 2002:a17:903:22c4:b0:1c1:f3f8:3949 with SMTP id y4-20020a17090322c400b001c1f3f83949mr3584463plg.1.1695975005975; Fri, 29 Sep 2023 01:10:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695975005; cv=none; d=google.com; s=arc-20160816; b=wzrdmqXaRhtW0zgnDfLiKSA2TYjtrh1WNMSmFSUHF73kri5ddjiTdc1PbijK6tE/uz eTOVs3+MJD+x9kDkNIeBH1ynLHPyeDH0FC7reHvMvK2sk9qul0EdGFZ+9lkn6POhWpZY qYSFRL+FM/WsSaTEcaFICwj1mxg9mwL3s2PO8KzFKic7mxmUbVhhGRdB3xSw4hxnXFms 5DFPhnvXZOBU1y7W8HND1Tv4QaRQzb6gVV0voZATbB8vpcps8WdBAUOC90RkjUrkFPP+ QDijeSLrrvGOv7uj4XWjq9MPPL/NvVslVvOnccviiawIVG6T43wo/K2beU+KHwumMhSa hP5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=aRvLxahnRH3PYmVu1TbBmz42Qb8Yq2Bg1GclC9t79aE=; fh=lOnKzTvIuQ1MRgQrzS1tuzHcEbejIIjsMe7wr3UD3+A=; b=DI9Ib/pqsY7sJghozdozN86U5xhy7zPwGZt4rIuVXNOuoZCRJfv6yNeaFNBmsV2PQ9 aB9SEw5O0Akg3XTowvx/Wq3rv03hUVE90hrwSIrsuegeIBBKE/s14sHLQyquVnLmVL7X KsNc5lBiBQYyJPp5mtPcVL04BBuIUlg+mytxk+OEMCbJ4/VORJQelK0uUuO3wfGkk7vK Cu9kRC1xvaP+ItKl8E/FsMcYOqQGz7L+OSRoQUd7iljf0ACld75e0R51oLX85voj/e71 ivItWfRTbnxyOGE4zyx4WqPdH8EZZh+8GkdIVKFkIwg/Ot7ZogDGWFRK9xjqv8wcVjL7 G5wQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id k9-20020a170902c40900b001b3bd85f54bsi2795551plk.35.2023.09.29.01.10.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Sep 2023 01:10:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 058E382BBE18; Fri, 29 Sep 2023 01:08:38 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232816AbjI2IIX (ORCPT + 99 others); Fri, 29 Sep 2023 04:08:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232800AbjI2IIV (ORCPT ); Fri, 29 Sep 2023 04:08:21 -0400 Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [IPv6:2001:780:45:1d:225:90ff:fe52:c662]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F22E1A5; Fri, 29 Sep 2023 01:08:20 -0700 (PDT) Received: from [78.30.34.192] (port=36496 helo=gnumonks.org) by ganesha.gnumonks.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qm8Xm-007wJ5-HC; Fri, 29 Sep 2023 10:08:16 +0200 Date: Fri, 29 Sep 2023 10:08:13 +0200 From: Pablo Neira Ayuso To: Joao Moreira Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira Subject: Re: [PATCH v3 2/2] Make num_actions unsigned Message-ID: References: <20230927164715.76744-1-joao@overdrivepizza.com> <20230927164715.76744-3-joao@overdrivepizza.com> <8f531b29873587b4f9b7ee64c745b667@overdrivepizza.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <8f531b29873587b4f9b7ee64c745b667@overdrivepizza.com> X-Spam-Score: -1.9 (-) X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Fri, 29 Sep 2023 01:08:38 -0700 (PDT) On Thu, Sep 28, 2023 at 07:55:09PM -0700, Joao Moreira wrote: > On 2023-09-28 06:43, Pablo Neira Ayuso wrote: > > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote: > > > From: Joao Moreira > > > > > > Currently, in nft_flow_rule_create function, num_actions is a signed > > > integer. Yet, it is processed within a loop which increments its > > > value. To prevent an overflow from occurring, make it unsigned and > > > also check if it reaches 256 when being incremented. > > > > > > Accordingly to discussions around v2, 256 actions are more than enough > > > for the frontend actions. > > > > > > After checking with maintainers, it was mentioned that front-end will > > > cap the num_actions value and that it is not possible to reach such > > > condition for an overflow. Yet, for correctness, it is still better to > > > fix this. > > > > > > This issue was observed by the commit author while reviewing a > > > write-up > > > regarding a CVE within the same subsystem [1]. > > > > > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > > > Yes, but this is not related to the netfilter subsystem itself, this > > harderning is good to have for the flow offload infrastructure in > > general. > > Right, I'll try to look up where this would fit in then. I'm not an expert > in the subsystem at all, so should take a minute or two for me to get to it > and send a v4. Thanks. > > > struct nft_expr *expr; > > > > > > expr = nft_expr_first(rule); > > > @@ -99,6 +100,10 @@ struct nft_flow_rule > > > *nft_flow_rule_create(struct net *net, > > > expr->ops->offload_action(expr)) > > > num_actions++; > > > > > > + /* 2^8 is enough for frontend actions, avoid overflow */ > > > + if (num_actions == 256) > > > > This cap is not specific of nf_tables, it should apply to all other > > subsystems. This is the wrong spot. > > Any pointers regarding where I should look at? See flow_rule_alloc().