From: Greg KH <gregkh@linuxfoundation.org>
To: Igor Garofano <igorgarofano@gmail.com>
Cc: security@kernel.org, pablo@netfilter.org, fw@strlen.de,
netfilter-devel@vger.kernel.org
Subject: Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
Date: Wed, 20 May 2026 14:13:15 +0200 [thread overview]
Message-ID: <2026052028-grain-pencil-0d8b@gregkh> (raw)
In-Reply-To: <CAOOOOYyfpwO7inyq2wXtpT0kY0s19-n4OZf2MCR62WRi7vzMMg@mail.gmail.com>
On Tue, May 19, 2026 at 07:42:15PM +0200, Igor Garofano wrote:
> SUMMARY
> =======
>
> A logic error in nft_byteorder_eval() causes incorrect byteorder conversion
> for 64-bit (size=8) operations in nftables. The source register is indexed
> using a u32* pointer (4-byte stride) while nft_reg_load64() reads 8 bytes,
> causing overlapping reads for any priv->len > 8. The result is that bytes
> are swapped from the wrong positions, leading to incorrect packet matching
> decisions.
>
> This can be exploited by a remote attacker to bypass nftables firewall rules
> that use 64-bit byteorder expressions, without requiring any privilege on
> the
> target system.
>
>
> AFFECTED VERSIONS
> =================
>
> Confirmed affected: Linux 6.19.13 (net/netfilter/nft_byteorder.c)
6.19.y is end-of-life, have you tried the latest 7.1-rc4 release?
> PROPOSED FIX
> ============
>
> Cast source pointer to u64* before the size=8 loop to obtain correct
> 8-byte stride, matching the destination pointer type:
>
> --- a/net/netfilter/nft_byteorder.c
> +++ b/net/netfilter/nft_byteorder.c
> @@ -39,19 +39,21 @@ void nft_byteorder_eval(const struct nft_expr *expr,
> switch (priv->size) {
> case 8: {
> u64 *dst64 = (void *)dst;
> + u64 *src64 = (void *)src;
> u64 src_val;
>
> switch (priv->op) {
> case NFT_BYTEORDER_NTOH:
> for (i = 0; i < priv->len / 8; i++) {
> - src64 = nft_reg_load64(&src[i]);
> + src_val = nft_reg_load64((u32 *)&src
> nft_reg_store64(&dst64[i],
> - be64_to_cpu((__force
> + be64_to_cpu((__force
> __be64)src_val));
> }
> break;
> case NFT_BYTEORDER_HTON:
> for (i = 0; i < priv->len / 8; i++) {
> - src64 = (__force __u64)
> -
> cpu_to_be64(nft_reg_load64(&src[i]));
> + src_val = (__force __u64)
> + cpu_to_be64(nft_reg_load64((u32
> *)&src64[i]));
> nft_reg_store64(&dst64[i], src64);
> }
> + nft_reg_store64(&dst64[i], src_val);
> break;
> }
> break;
>
Can you turn this into a real patch that can be applied so you get full
credit for resolving this issue?
thanks,
greg k-h
next prev parent reply other threads:[~2026-05-20 12:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAOOOOYyfpwO7inyq2wXtpT0kY0s19-n4OZf2MCR62WRi7vzMMg@mail.gmail.com>
2026-05-19 18:34 ` [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass Florian Westphal
2026-05-20 12:13 ` Greg KH [this message]
2026-05-20 12:17 ` Florian Westphal
2026-05-20 12:30 ` Greg KH
2026-05-23 14:39 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026052028-grain-pencil-0d8b@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=igorgarofano@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.