Re: [PATCH v3 2/2] Make num_actions unsigned

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: joao@overdrivepizza.com
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	rkannoth@marvell.com, wojciech.drewek@intel.com,
	steen.hegenlund@microhip.com, keescook@chromium.org,
	Joao Moreira <joao.moreira@intel.com>
Subject: Re: [PATCH v3 2/2] Make num_actions unsigned
Date: Thu, 28 Sep 2023 15:43:36 +0200	[thread overview]
Message-ID: <ZRWDCGG5/dP12YEs@calendula> (raw)
In-Reply-To: <20230927164715.76744-3-joao@overdrivepizza.com>

On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote:
> From: Joao Moreira <joao.moreira@intel.com>
> 
> Currently, in nft_flow_rule_create function, num_actions is a signed
> integer. Yet, it is processed within a loop which increments its
> value. To prevent an overflow from occurring, make it unsigned and
> also check if it reaches 256 when being incremented.
> 
> Accordingly to discussions around v2, 256 actions are more than enough
> for the frontend actions.
> 
> After checking with maintainers, it was mentioned that front-end will
> cap the num_actions value and that it is not possible to reach such
> condition for an overflow. Yet, for correctness, it is still better to
> fix this.
> 
> This issue was observed by the commit author while reviewing a write-up
> regarding a CVE within the same subsystem [1].
> 
> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Yes, but this is not related to the netfilter subsystem itself, this
harderning is good to have for the flow offload infrastructure in
general.

> Signed-off-by: Joao Moreira <joao.moreira@intel.com>
> ---
>  net/netfilter/nf_tables_offload.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 12ab78fa5d84..9a86db1f0e07 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
>  {
>  	struct nft_offload_ctx *ctx;
>  	struct nft_flow_rule *flow;
> -	int num_actions = 0, err;
> +	unsigned int num_actions = 0;
> +	int err;

reverse xmas tree.

>  	struct nft_expr *expr;
>  
>  	expr = nft_expr_first(rule);
> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
>  		    expr->ops->offload_action(expr))
>  			num_actions++;
>  
> +		/* 2^8 is enough for frontend actions, avoid overflow */
> +		if (num_actions == 256)

This cap is not specific of nf_tables, it should apply to all other
subsystems. This is the wrong spot.

Moreover, please, add a definition for this, no hardcoded values.

> +			return ERR_PTR(-ENOMEM);

Better E2BIG or similar, otherwise this propagates to userspace as
ENOMEM.

> +
>  		expr = nft_expr_next(expr);
>  	}
>  
> -- 
> 2.42.0
>

next prev parent reply	other threads:[~2023-09-28 13:43 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-27 16:47 [PATCH v3 0/2] Prevent potential write out of bounds joao
2023-09-27 16:47 ` [PATCH v3 1/2] Make loop indexes unsigned joao
2023-09-28 13:40   ` Pablo Neira Ayuso
2023-09-29  2:53     ` Joao Moreira
2023-09-29  8:05       ` Pablo Neira Ayuso
2023-09-27 16:47 ` [PATCH v3 2/2] Make num_actions unsigned joao
2023-09-28 13:43   ` Pablo Neira Ayuso [this message]
2023-09-29  2:55     ` Joao Moreira
2023-09-29  8:08       ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZRWDCGG5/dP12YEs@calendula \
    --to=pablo@netfilter.org \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=joao.moreira@intel.com \
    --cc=joao@overdrivepizza.com \
    --cc=kadlec@netfilter.org \
    --cc=keescook@chromium.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=rkannoth@marvell.com \
    --cc=steen.hegenlund@microhip.com \
    --cc=wojciech.drewek@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.