Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass

All of lore.kernel.org
 help / color / mirror / Atom feed

* Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
       [not found] <CAOOOOYyfpwO7inyq2wXtpT0kY0s19-n4OZf2MCR62WRi7vzMMg@mail.gmail.com>
@ 2026-05-19 18:34 ` Florian Westphal
  2026-05-20 12:13 ` Greg KH
  1 sibling, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2026-05-19 18:34 UTC (permalink / raw)
  To: Igor Garofano; +Cc: pablo, netfilter-devel

Igor Garofano <igorgarofano@gmail.com> wrote:

[ removed security@korg from CC ]

> A logic error in nft_byteorder_eval() causes incorrect byteorder conversion
> for 64-bit (size=8) operations in nftables. The source register is indexed
> using a u32* pointer (4-byte stride) while nft_reg_load64() reads 8 bytes,
> causing overlapping reads for any priv->len > 8. The result is that bytes
> are swapped from the wrong positions, leading to incorrect packet matching
> decisions.

Multi-stride is never used by nftables.  This feature is unused and will
be removed:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260512133617.8191-1-fw@strlen.de/

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
       [not found] <CAOOOOYyfpwO7inyq2wXtpT0kY0s19-n4OZf2MCR62WRi7vzMMg@mail.gmail.com>
  2026-05-19 18:34 ` [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass Florian Westphal
@ 2026-05-20 12:13 ` Greg KH
  2026-05-20 12:17   ` Florian Westphal
  2026-05-23 14:39   ` Florian Westphal
  1 sibling, 2 replies; 5+ messages in thread
From: Greg KH @ 2026-05-20 12:13 UTC (permalink / raw)
  To: Igor Garofano; +Cc: security, pablo, fw, netfilter-devel

On Tue, May 19, 2026 at 07:42:15PM +0200, Igor Garofano wrote:
> SUMMARY
> =======
> 
> A logic error in nft_byteorder_eval() causes incorrect byteorder conversion
> for 64-bit (size=8) operations in nftables. The source register is indexed
> using a u32* pointer (4-byte stride) while nft_reg_load64() reads 8 bytes,
> causing overlapping reads for any priv->len > 8. The result is that bytes
> are swapped from the wrong positions, leading to incorrect packet matching
> decisions.
> 
> This can be exploited by a remote attacker to bypass nftables firewall rules
> that use 64-bit byteorder expressions, without requiring any privilege on
> the
> target system.
> 
> 
> AFFECTED VERSIONS
> =================
> 
> Confirmed affected: Linux 6.19.13 (net/netfilter/nft_byteorder.c)

6.19.y is end-of-life, have you tried the latest 7.1-rc4 release?

> PROPOSED FIX
> ============
> 
> Cast source pointer to u64* before the size=8 loop to obtain correct
> 8-byte stride, matching the destination pointer type:
> 
> --- a/net/netfilter/nft_byteorder.c
> +++ b/net/netfilter/nft_byteorder.c
> @@ -39,19 +39,21 @@ void nft_byteorder_eval(const struct nft_expr *expr,
>         switch (priv->size) {
>         case 8: {
>                 u64 *dst64 = (void *)dst;
> +               u64 *src64 = (void *)src;
>                 u64 src_val;
> 
>                 switch (priv->op) {
>                 case NFT_BYTEORDER_NTOH:
>                         for (i = 0; i < priv->len / 8; i++) {
> -                               src64 = nft_reg_load64(&src[i]);
> +                               src_val = nft_reg_load64((u32 *)&src
>                                 nft_reg_store64(&dst64[i],
> -                                               be64_to_cpu((__force
> +                                               be64_to_cpu((__force
> __be64)src_val));
>                         }
>                         break;
>                 case NFT_BYTEORDER_HTON:
>                         for (i = 0; i < priv->len / 8; i++) {
> -                               src64 = (__force __u64)
> -
> cpu_to_be64(nft_reg_load64(&src[i]));
> +                               src_val = (__force __u64)
> +                                       cpu_to_be64(nft_reg_load64((u32
> *)&src64[i]));
>                                 nft_reg_store64(&dst64[i], src64);
>                         }
> +                               nft_reg_store64(&dst64[i], src_val);
>                         break;
>                 }
>                 break;
> 

Can you turn this into a real patch that can be applied so you get full
credit for resolving this issue?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
  2026-05-20 12:13 ` Greg KH
@ 2026-05-20 12:17   ` Florian Westphal
  2026-05-20 12:30     ` Greg KH
  2026-05-23 14:39   ` Florian Westphal
  1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2026-05-20 12:17 UTC (permalink / raw)
  To: Greg KH; +Cc: Igor Garofano, security, pablo, netfilter-devel

Greg KH <gregkh@linuxfoundation.org> wrote:
> Can you turn this into a real patch that can be applied so you get full
> credit for resolving this issue?

No need, this code will be removed.  There are no users.
Patch is already pending in patchwork.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
  2026-05-20 12:17   ` Florian Westphal
@ 2026-05-20 12:30     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2026-05-20 12:30 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Igor Garofano, security, pablo, netfilter-devel

On Wed, May 20, 2026 at 02:17:34PM +0200, Florian Westphal wrote:
> Greg KH <gregkh@linuxfoundation.org> wrote:
> > Can you turn this into a real patch that can be applied so you get full
> > credit for resolving this issue?
> 
> No need, this code will be removed.  There are no users.
> Patch is already pending in patchwork.

Great, that's even better!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass
  2026-05-20 12:13 ` Greg KH
  2026-05-20 12:17   ` Florian Westphal
@ 2026-05-23 14:39   ` Florian Westphal
  1 sibling, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2026-05-23 14:39 UTC (permalink / raw)
  To: Greg KH; +Cc: Igor Garofano, security, pablo, netfilter-devel

Greg KH <gregkh@linuxfoundation.org> wrote:
> Can you turn this into a real patch that can be applied so you get full
> credit for resolving this issue?

A patch to remove the buggy loop is queued in nf-next:testing and scheduled
for a pull request on monday.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-05-23 14:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CAOOOOYyfpwO7inyq2wXtpT0kY0s19-n4OZf2MCR62WRi7vzMMg@mail.gmail.com>
2026-05-19 18:34 ` [SECURITY] nft_byteorder: incorrect u32* stride in 64-bit byteorder eval leading to firewall bypass Florian Westphal
2026-05-20 12:13 ` Greg KH
2026-05-20 12:17   ` Florian Westphal
2026-05-20 12:30     ` Greg KH
2026-05-23 14:39   ` Florian Westphal

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.