From: Florian Westphal <fw@strlen.de>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, bridge@lists.linux.dev,
	pablo@netfilter.org, phil@nwl.cc, razor@blackwall.org,
	idosch@nvidia.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
	yuantan098@gmail.com, yifanwucs@gmail.com,
	tomapufckgml@gmail.com, bird@lzu.edu.cn, rakukuip@gmail.com
Subject: Re: [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user
Date: Fri, 24 Apr 2026 11:52:11 +0200
Message-ID: <aes9S-ToE9yOXrIM@strlen.de>
In-Reply-To: <4e714f6189f9691fa5980087ce378a57cf625976.1776834093.git.rakukuip@gmail.com>

Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Luxiao Xu <rakukuip@gmail.com>
> 
> The function compat_mtw_from_user() converts ebtables extensions from
> 32-bit user structures to kernel native structures. However, it lacks
> proper validation of the user-supplied match_size/target_size.
> 
> When certain extensions are processed, the kernel-side translation
> logic may perform memory accesses based on the extension's expected
> size. If the user provides a size smaller than what the extension
> requires, it results in an out-of-bounds read as reported by KASAN.
> 
> This fix introduces a check to ensure match_size is at least as large
> as the extension's required compatsize. This covers matches, watchers,
> and targets, while maintaining compatibility with standard targets.
> 
> Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  net/bridge/netfilter/ebtables.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index aea3e19875c6..80cd0233c088 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1977,6 +1977,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
>  		if (IS_ERR(match))
>  			return PTR_ERR(match);
>  
> +		if (match_size < match->compatsize) {
> +			module_put(match->me);
> +			return -EINVAL;
> +		}
> +
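Review bot: the guard `if (match_size < match->compatsize)` compares only against compatsize, which the reply notes is 0 in most cases, so for those extensions the condition can never be true and an undersized match_size still reaches the translation code unchecked; use the native size as the fallback, e.g. `u16 csize = match->compatsize ? : match->matchsize;` followed by `if (match_size < csize)`. The commit message also says watchers and targets get the same check, but only the match branch is visible in the quoted hunk, so the corresponding watcher and target checks should be verified to use the same fallback rather than compatsize alone.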

Are you sure this catches all bad requests? AFAIR compatsize is 0
in most cases, which bypasses this test.

Should this be:

u16 csize = match->compatsize ? : match->matchsize;
...
if (match_size < csize) {
...

?

@Pablo: I think the 32bit compat layer should be removed in -next, or
at least strongly discouraged and slated for removal soon.
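
To make the gap in the posted check concrete, here is an added C model of the two variants (not the patch's or the kernel's code): a hypothetical `ext_desc` stands in for the extension's matchsize/compatsize fields with constructed sizes, the patch's compatsize-only test sits beside the fallback from the reply, and `count_bypasses()` counts how many undersized requests each one lets through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the size fields the check reads from an
 * ebtables extension descriptor; not the kernel's struct. */
struct ext_desc {
	uint16_t matchsize;	/* native size of the extension's private data */
	uint16_t compatsize;	/* 32-bit compat size, 0 when the module sets none */
};

/* Constructed sample extensions; sizes are illustrative only. */
static const struct ext_desc exts[] = {
	{ .matchsize = 24, .compatsize = 16 },	/* defines a compat layout */
	{ .matchsize = 24, .compatsize = 0 },	/* no compat layout set */
	{ .matchsize = 64, .compatsize = 0 },
};
#define NEXTS (sizeof exts / sizeof exts[0])

/* Check as posted in the patch: compares against compatsize only. */
bool check_compatsize_only(unsigned int match_size, const struct ext_desc *m)
{
	return match_size >= m->compatsize;
}

/* Check as suggested in the reply: fall back to matchsize when compatsize
 * is 0, the same as the GNU "compatsize ? : matchsize" form. */
bool check_with_fallback(unsigned int match_size, const struct ext_desc *m)
{
	uint16_t csize = m->compatsize ? m->compatsize : m->matchsize;
	return match_size >= csize;
}

/* Run one check over the sample extensions with a given match_size and
 * return how many extensions it accepts although the buffer is smaller
 * than what they require (0 is the goal). */
int count_bypasses(unsigned int match_size,
		   bool (*check)(unsigned int, const struct ext_desc *))
{
	int accepted = 0;
	for (size_t i = 0; i < NEXTS; i++) {
		uint16_t need = exts[i].compatsize ? exts[i].compatsize : exts[i].matchsize;
		if (match_size < need && check(match_size, &exts[i]))
			accepted++;	/* undersized request slipped through */
	}
	return accepted;
}
```

With a match_size of 8, the compatsize-only check accepts both extensions that leave compatsize at 0, while the fallback version rejects all three undersized requests.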
