lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <8f531b29873587b4f9b7ee64c745b667@overdrivepizza.com> Date: Thu, 28 Sep 2023 19:55:09 -0700 From: Joao Moreira <joao@...rdrivepizza.com> To: Pablo Neira Ayuso <pablo@...filter.org> Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, kadlec@...filter.org, fw@...len.de, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, rkannoth@...vell.com, wojciech.drewek@...el.com, steen.hegenlund@...rohip.com, keescook@...omium.org, Joao Moreira <joao.moreira@...el.com> Subject: Re: [PATCH v3 2/2] Make num_actions unsigned On 2023-09-28 06:43, Pablo Neira Ayuso wrote: > On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@...rdrivepizza.com > wrote: >> From: Joao Moreira <joao.moreira@...el.com> >> >> Currently, in nft_flow_rule_create function, num_actions is a signed >> integer. Yet, it is processed within a loop which increments its >> value. To prevent an overflow from occurring, make it unsigned and >> also check if it reaches 256 when being incremented. >> >> Accordingly to discussions around v2, 256 actions are more than enough >> for the frontend actions. >> >> After checking with maintainers, it was mentioned that front-end will >> cap the num_actions value and that it is not possible to reach such >> condition for an overflow. Yet, for correctness, it is still better to >> fix this. >> >> This issue was observed by the commit author while reviewing a >> write-up >> regarding a CVE within the same subsystem [1]. >> >> 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ > > Yes, but this is not related to the netfilter subsystem itself, this > harderning is good to have for the flow offload infrastructure in > general. Right, I'll try to look up where this would fit in then. I'm not an expert in the subsystem at all, so should take a minute or two for me to get to it and send a v4. > >> Signed-off-by: Joao Moreira <joao.moreira@...el.com> >> --- >> net/netfilter/nf_tables_offload.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/net/netfilter/nf_tables_offload.c >> b/net/netfilter/nf_tables_offload.c >> index 12ab78fa5d84..9a86db1f0e07 100644 >> --- a/net/netfilter/nf_tables_offload.c >> +++ b/net/netfilter/nf_tables_offload.c >> @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> { >> struct nft_offload_ctx *ctx; >> struct nft_flow_rule *flow; >> - int num_actions = 0, err; >> + unsigned int num_actions = 0; >> + int err; > > reverse xmas tree. ack. > >> struct nft_expr *expr; >> >> expr = nft_expr_first(rule); >> @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct >> net *net, >> expr->ops->offload_action(expr)) >> num_actions++; >> >> + /* 2^8 is enough for frontend actions, avoid overflow */ >> + if (num_actions == 256) > > This cap is not specific of nf_tables, it should apply to all other > subsystems. This is the wrong spot. Any pointers regarding where I should look at? > > Moreover, please, add a definition for this, no hardcoded values. Ack. > >> + return ERR_PTR(-ENOMEM); > > Better E2BIG or similar, otherwise this propagates to userspace as > ENOMEM. Ack. > >> + >> expr = nft_expr_next(expr); >> } >> >> -- >> 2.42.0 >>
Powered by blists - more mailing lists