[v3,2/2] Make num_actions unsigned

Message ID	20230927164715.76744-3-joao@overdrivepizza.com (mailing list archive)
State	Awaiting Upstream
Delegated to:	Netdev Maintainers
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A3423E46A for <netdev@vger.kernel.org>; Wed, 27 Sep 2023 16:47:39 +0000 (UTC) From: joao@overdrivepizza.com To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, joao@overdrivepizza.com Cc: kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, rkannoth@marvell.com, wojciech.drewek@intel.com, steen.hegenlund@microhip.com, keescook@chromium.org, Joao Moreira <joao.moreira@intel.com> Subject: [PATCH v3 2/2] Make num_actions unsigned Date: Wed, 27 Sep 2023 09:47:15 -0700 Message-ID: <20230927164715.76744-3-joao@overdrivepizza.com> In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com> References: <20230927164715.76744-1-joao@overdrivepizza.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Prevent potential write out of bounds \| expand [v3,0/2] Prevent potential write out of bounds [v3,1/2] Make loop indexes unsigned [v3,2/2] Make num_actions unsigned

Message ID

20230927164715.76744-3-joao@overdrivepizza.com (mailing list archive)

State

Awaiting Upstream

Delegated to:

Netdev Maintainers

Headers

From: joao@overdrivepizza.com
To: pablo@netfilter.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	joao@overdrivepizza.com
Cc: kadlec@netfilter.org,
	fw@strlen.de,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	rkannoth@marvell.com,
	wojciech.drewek@intel.com,
	steen.hegenlund@microhip.com,
	keescook@chromium.org,
	Joao Moreira <joao.moreira@intel.com>
Subject: [PATCH v3 2/2] Make num_actions unsigned
Date: Wed, 27 Sep 2023 09:47:15 -0700
Message-ID: <20230927164715.76744-3-joao@overdrivepizza.com>
In-Reply-To: <20230927164715.76744-1-joao@overdrivepizza.com>
References: <20230927164715.76744-1-joao@overdrivepizza.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Prevent potential write out of bounds | expand

Context	Check	Description
netdev/series_format	warning	Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1341 this patch: 1341
netdev/cc_maintainers	success	CCed 10 of 10 maintainers
netdev/build_clang	success	Errors and warnings before: 1363 this patch: 1363
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1364 this patch: 1364
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 19 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

warning

Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1341 this patch: 1341

netdev/cc_maintainers

success

CCed 10 of 10 maintainers

netdev/build_clang

success

Errors and warnings before: 1363 this patch: 1363

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

No Fixes tag

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1364 this patch: 1364

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 19 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Joao Moreira Sept. 27, 2023, 4:47 p.m. UTC

From: Joao Moreira <joao.moreira@intel.com>

Currently, in nft_flow_rule_create function, num_actions is a signed
integer. Yet, it is processed within a loop which increments its
value. To prevent an overflow from occurring, make it unsigned and
also check if it reaches 256 when being incremented.

Accordingly to discussions around v2, 256 actions are more than enough
for the frontend actions.

After checking with maintainers, it was mentioned that front-end will
cap the num_actions value and that it is not possible to reach such
condition for an overflow. Yet, for correctness, it is still better to
fix this.

This issue was observed by the commit author while reviewing a write-up
regarding a CVE within the same subsystem [1].

1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Signed-off-by: Joao Moreira <joao.moreira@intel.com>
---
 net/netfilter/nf_tables_offload.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Pablo Neira Ayuso Sept. 28, 2023, 1:43 p.m. UTC | #1

On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote:
> From: Joao Moreira <joao.moreira@intel.com>
> 
> Currently, in nft_flow_rule_create function, num_actions is a signed
> integer. Yet, it is processed within a loop which increments its
> value. To prevent an overflow from occurring, make it unsigned and
> also check if it reaches 256 when being incremented.
> 
> Accordingly to discussions around v2, 256 actions are more than enough
> for the frontend actions.
> 
> After checking with maintainers, it was mentioned that front-end will
> cap the num_actions value and that it is not possible to reach such
> condition for an overflow. Yet, for correctness, it is still better to
> fix this.
> 
> This issue was observed by the commit author while reviewing a write-up
> regarding a CVE within the same subsystem [1].
> 
> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/

Yes, but this is not related to the netfilter subsystem itself, this
harderning is good to have for the flow offload infrastructure in
general.

> Signed-off-by: Joao Moreira <joao.moreira@intel.com>
> ---
>  net/netfilter/nf_tables_offload.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 12ab78fa5d84..9a86db1f0e07 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
>  {
>  	struct nft_offload_ctx *ctx;
>  	struct nft_flow_rule *flow;
> -	int num_actions = 0, err;
> +	unsigned int num_actions = 0;
> +	int err;

reverse xmas tree.

>  	struct nft_expr *expr;
>  
>  	expr = nft_expr_first(rule);
> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
>  		    expr->ops->offload_action(expr))
>  			num_actions++;
>  
> +		/* 2^8 is enough for frontend actions, avoid overflow */
> +		if (num_actions == 256)

This cap is not specific of nf_tables, it should apply to all other
subsystems. This is the wrong spot.

Moreover, please, add a definition for this, no hardcoded values.

> +			return ERR_PTR(-ENOMEM);

Better E2BIG or similar, otherwise this propagates to userspace as
ENOMEM.

> +
>  		expr = nft_expr_next(expr);
>  	}
>  
> -- 
> 2.42.0
>

Joao Moreira Sept. 29, 2023, 2:55 a.m. UTC | #2

On 2023-09-28 06:43, Pablo Neira Ayuso wrote:
> On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com 
> wrote:
>> From: Joao Moreira <joao.moreira@intel.com>
>> 
>> Currently, in nft_flow_rule_create function, num_actions is a signed
>> integer. Yet, it is processed within a loop which increments its
>> value. To prevent an overflow from occurring, make it unsigned and
>> also check if it reaches 256 when being incremented.
>> 
>> Accordingly to discussions around v2, 256 actions are more than enough
>> for the frontend actions.
>> 
>> After checking with maintainers, it was mentioned that front-end will
>> cap the num_actions value and that it is not possible to reach such
>> condition for an overflow. Yet, for correctness, it is still better to
>> fix this.
>> 
>> This issue was observed by the commit author while reviewing a 
>> write-up
>> regarding a CVE within the same subsystem [1].
>> 
>> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
> 
> Yes, but this is not related to the netfilter subsystem itself, this
> harderning is good to have for the flow offload infrastructure in
> general.

Right, I'll try to look up where this would fit in then. I'm not an 
expert in the subsystem at all, so should take a minute or two for me to 
get to it and send a v4.

> 
>> Signed-off-by: Joao Moreira <joao.moreira@intel.com>
>> ---
>>  net/netfilter/nf_tables_offload.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/net/netfilter/nf_tables_offload.c 
>> b/net/netfilter/nf_tables_offload.c
>> index 12ab78fa5d84..9a86db1f0e07 100644
>> --- a/net/netfilter/nf_tables_offload.c
>> +++ b/net/netfilter/nf_tables_offload.c
>> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct 
>> net *net,
>>  {
>>  	struct nft_offload_ctx *ctx;
>>  	struct nft_flow_rule *flow;
>> -	int num_actions = 0, err;
>> +	unsigned int num_actions = 0;
>> +	int err;
> 
> reverse xmas tree.

ack.

> 
>>  	struct nft_expr *expr;
>> 
>>  	expr = nft_expr_first(rule);
>> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct 
>> net *net,
>>  		    expr->ops->offload_action(expr))
>>  			num_actions++;
>> 
>> +		/* 2^8 is enough for frontend actions, avoid overflow */
>> +		if (num_actions == 256)
> 
> This cap is not specific of nf_tables, it should apply to all other
> subsystems. This is the wrong spot.

Any pointers regarding where I should look at?

> 
> Moreover, please, add a definition for this, no hardcoded values.

Ack.

> 
>> +			return ERR_PTR(-ENOMEM);
> 
> Better E2BIG or similar, otherwise this propagates to userspace as
> ENOMEM.

Ack.

> 
>> +
>>  		expr = nft_expr_next(expr);
>>  	}
>> 
>> --
>> 2.42.0
>>

Pablo Neira Ayuso Sept. 29, 2023, 8:08 a.m. UTC | #3

On Thu, Sep 28, 2023 at 07:55:09PM -0700, Joao Moreira wrote:
> On 2023-09-28 06:43, Pablo Neira Ayuso wrote:
> > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@overdrivepizza.com wrote:
> > > From: Joao Moreira <joao.moreira@intel.com>
> > > 
> > > Currently, in nft_flow_rule_create function, num_actions is a signed
> > > integer. Yet, it is processed within a loop which increments its
> > > value. To prevent an overflow from occurring, make it unsigned and
> > > also check if it reaches 256 when being incremented.
> > > 
> > > Accordingly to discussions around v2, 256 actions are more than enough
> > > for the frontend actions.
> > > 
> > > After checking with maintainers, it was mentioned that front-end will
> > > cap the num_actions value and that it is not possible to reach such
> > > condition for an overflow. Yet, for correctness, it is still better to
> > > fix this.
> > > 
> > > This issue was observed by the commit author while reviewing a
> > > write-up
> > > regarding a CVE within the same subsystem [1].
> > > 
> > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/
> > 
> > Yes, but this is not related to the netfilter subsystem itself, this
> > harderning is good to have for the flow offload infrastructure in
> > general.
> 
> Right, I'll try to look up where this would fit in then. I'm not an expert
> in the subsystem at all, so should take a minute or two for me to get to it
> and send a v4.

Thanks.

> > >  	struct nft_expr *expr;
> > > 
> > >  	expr = nft_expr_first(rule);
> > > @@ -99,6 +100,10 @@ struct nft_flow_rule
> > > *nft_flow_rule_create(struct net *net,
> > >  		    expr->ops->offload_action(expr))
> > >  			num_actions++;
> > > 
> > > +		/* 2^8 is enough for frontend actions, avoid overflow */
> > > +		if (num_actions == 256)
> > 
> > This cap is not specific of nf_tables, it should apply to all other
> > subsystems. This is the wrong spot.
> 
> Any pointers regarding where I should look at?

See flow_rule_alloc().

diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 12ab78fa5d84..9a86db1f0e07 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -90,7 +90,8 @@  struct nft_flow_rule *nft_flow_rule_create(struct net *net,
 {
 	struct nft_offload_ctx *ctx;
 	struct nft_flow_rule *flow;
-	int num_actions = 0, err;
+	unsigned int num_actions = 0;
+	int err;
 	struct nft_expr *expr;
 
 	expr = nft_expr_first(rule);
@@ -99,6 +100,10 @@  struct nft_flow_rule *nft_flow_rule_create(struct net *net,
 		    expr->ops->offload_action(expr))
 			num_actions++;
 
+		/* 2^8 is enough for frontend actions, avoid overflow */
+		if (num_actions == 256)
+			return ERR_PTR(-ENOMEM);
+
 		expr = nft_expr_next(expr);
 	}

[v3,2/2] Make num_actions unsigned

Checks

Commit Message

Comments

Patch