2023-09-27 17:40:06

by Joao Moreira

[permalink] [raw]
Subject: [PATCH v3 2/2] Make num_actions unsigned

From: Joao Moreira <[email protected]>

Currently, in nft_flow_rule_create function, num_actions is a signed
integer. Yet, it is processed within a loop which increments its
value. To prevent an overflow from occurring, make it unsigned and
also check if it reaches 256 when being incremented.

Accordingly to discussions around v2, 256 actions are more than enough
for the frontend actions.

After checking with maintainers, it was mentioned that front-end will
cap the num_actions value and that it is not possible to reach such
condition for an overflow. Yet, for correctness, it is still better to
fix this.

This issue was observed by the commit author while reviewing a write-up
regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira <[email protected]>
---
net/netfilter/nf_tables_offload.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 12ab78fa5d84..9a86db1f0e07 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
{
struct nft_offload_ctx *ctx;
struct nft_flow_rule *flow;
- int num_actions = 0, err;
+ unsigned int num_actions = 0;
+ int err;
struct nft_expr *expr;

expr = nft_expr_first(rule);
@@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
expr->ops->offload_action(expr))
num_actions++;

+ /* 2^8 is enough for frontend actions, avoid overflow */
+ if (num_actions == 256)
+ return ERR_PTR(-ENOMEM);
+
expr = nft_expr_next(expr);
}

--
2.42.0


2023-09-28 13:47:54

by Pablo Neira Ayuso

[permalink] [raw]
Subject: Re: [PATCH v3 2/2] Make num_actions unsigned

On Wed, Sep 27, 2023 at 09:47:15AM -0700, [email protected] wrote:
> From: Joao Moreira <[email protected]>
>
> Currently, in nft_flow_rule_create function, num_actions is a signed
> integer. Yet, it is processed within a loop which increments its
> value. To prevent an overflow from occurring, make it unsigned and
> also check if it reaches 256 when being incremented.
>
> Accordingly to discussions around v2, 256 actions are more than enough
> for the frontend actions.
>
> After checking with maintainers, it was mentioned that front-end will
> cap the num_actions value and that it is not possible to reach such
> condition for an overflow. Yet, for correctness, it is still better to
> fix this.
>
> This issue was observed by the commit author while reviewing a write-up
> regarding a CVE within the same subsystem [1].
>
> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Yes, but this is not related to the netfilter subsystem itself, this
harderning is good to have for the flow offload infrastructure in
general.

> Signed-off-by: Joao Moreira <[email protected]>
> ---
> net/netfilter/nf_tables_offload.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 12ab78fa5d84..9a86db1f0e07 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
> {
> struct nft_offload_ctx *ctx;
> struct nft_flow_rule *flow;
> - int num_actions = 0, err;
> + unsigned int num_actions = 0;
> + int err;

reverse xmas tree.

> struct nft_expr *expr;
>
> expr = nft_expr_first(rule);
> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
> expr->ops->offload_action(expr))
> num_actions++;
>
> + /* 2^8 is enough for frontend actions, avoid overflow */
> + if (num_actions == 256)

This cap is not specific of nf_tables, it should apply to all other
subsystems. This is the wrong spot.

Moreover, please, add a definition for this, no hardcoded values.

> + return ERR_PTR(-ENOMEM);

Better E2BIG or similar, otherwise this propagates to userspace as
ENOMEM.

> +
> expr = nft_expr_next(expr);
> }
>
> --
> 2.42.0
>

2023-09-29 02:55:44

by Joao Moreira

[permalink] [raw]
Subject: Re: [PATCH v3 2/2] Make num_actions unsigned

On 2023-09-28 06:43, Pablo Neira Ayuso wrote:
> On Wed, Sep 27, 2023 at 09:47:15AM -0700, [email protected]
> wrote:
>> From: Joao Moreira <[email protected]>
>>
>> Currently, in nft_flow_rule_create function, num_actions is a signed
>> integer. Yet, it is processed within a loop which increments its
>> value. To prevent an overflow from occurring, make it unsigned and
>> also check if it reaches 256 when being incremented.
>>
>> Accordingly to discussions around v2, 256 actions are more than enough
>> for the frontend actions.
>>
>> After checking with maintainers, it was mentioned that front-end will
>> cap the num_actions value and that it is not possible to reach such
>> condition for an overflow. Yet, for correctness, it is still better to
>> fix this.
>>
>> This issue was observed by the commit author while reviewing a
>> write-up
>> regarding a CVE within the same subsystem [1].
>>
>> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
>
> Yes, but this is not related to the netfilter subsystem itself, this
> harderning is good to have for the flow offload infrastructure in
> general.

Right, I'll try to look up where this would fit in then. I'm not an
expert in the subsystem at all, so should take a minute or two for me to
get to it and send a v4.

>
>> Signed-off-by: Joao Moreira <[email protected]>
>> ---
>> net/netfilter/nf_tables_offload.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netfilter/nf_tables_offload.c
>> b/net/netfilter/nf_tables_offload.c
>> index 12ab78fa5d84..9a86db1f0e07 100644
>> --- a/net/netfilter/nf_tables_offload.c
>> +++ b/net/netfilter/nf_tables_offload.c
>> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct
>> net *net,
>> {
>> struct nft_offload_ctx *ctx;
>> struct nft_flow_rule *flow;
>> - int num_actions = 0, err;
>> + unsigned int num_actions = 0;
>> + int err;
>
> reverse xmas tree.

ack.

>
>> struct nft_expr *expr;
>>
>> expr = nft_expr_first(rule);
>> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct
>> net *net,
>> expr->ops->offload_action(expr))
>> num_actions++;
>>
>> + /* 2^8 is enough for frontend actions, avoid overflow */
>> + if (num_actions == 256)
>
> This cap is not specific of nf_tables, it should apply to all other
> subsystems. This is the wrong spot.

Any pointers regarding where I should look at?

>
> Moreover, please, add a definition for this, no hardcoded values.

Ack.

>
>> + return ERR_PTR(-ENOMEM);
>
> Better E2BIG or similar, otherwise this propagates to userspace as
> ENOMEM.

Ack.

>
>> +
>> expr = nft_expr_next(expr);
>> }
>>
>> --
>> 2.42.0
>>

2023-09-29 08:10:06

by Pablo Neira Ayuso

[permalink] [raw]
Subject: Re: [PATCH v3 2/2] Make num_actions unsigned

On Thu, Sep 28, 2023 at 07:55:09PM -0700, Joao Moreira wrote:
> On 2023-09-28 06:43, Pablo Neira Ayuso wrote:
> > On Wed, Sep 27, 2023 at 09:47:15AM -0700, [email protected] wrote:
> > > From: Joao Moreira <[email protected]>
> > >
> > > Currently, in nft_flow_rule_create function, num_actions is a signed
> > > integer. Yet, it is processed within a loop which increments its
> > > value. To prevent an overflow from occurring, make it unsigned and
> > > also check if it reaches 256 when being incremented.
> > >
> > > Accordingly to discussions around v2, 256 actions are more than enough
> > > for the frontend actions.
> > >
> > > After checking with maintainers, it was mentioned that front-end will
> > > cap the num_actions value and that it is not possible to reach such
> > > condition for an overflow. Yet, for correctness, it is still better to
> > > fix this.
> > >
> > > This issue was observed by the commit author while reviewing a
> > > write-up
> > > regarding a CVE within the same subsystem [1].
> > >
> > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
> >
> > Yes, but this is not related to the netfilter subsystem itself, this
> > harderning is good to have for the flow offload infrastructure in
> > general.
>
> Right, I'll try to look up where this would fit in then. I'm not an expert
> in the subsystem at all, so should take a minute or two for me to get to it
> and send a v4.

Thanks.

> > > struct nft_expr *expr;
> > >
> > > expr = nft_expr_first(rule);
> > > @@ -99,6 +100,10 @@ struct nft_flow_rule
> > > *nft_flow_rule_create(struct net *net,
> > > expr->ops->offload_action(expr))
> > > num_actions++;
> > >
> > > + /* 2^8 is enough for frontend actions, avoid overflow */
> > > + if (num_actions == 256)
> >
> > This cap is not specific of nf_tables, it should apply to all other
> > subsystems. This is the wrong spot.
>
> Any pointers regarding where I should look at?

See flow_rule_alloc().