[PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Jiayuan Chen]

I noticed this issue while looking at a historic syzbot report [1].

syzbot forces dreg[19] to be used as the storage for the ipv4 address,
together with a raw priority chain, which makes nf_ct_l3num(ct) be 0
so that 16 bytes get copied into dreg[19]. Even when the dreg is not
[19], the same larger-than-expected copy can clobber other regs.

I am not sure whether there are other paths; here we add a check to
fix the deprecated NFT_CT_SRC and NFT_CT_DST branches.

[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c

Fixes: 45d9bcda21f4 ("netfilter: nf_tables: validate len in nft_validate_data_load()")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 net/netfilter/nft_ct.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index fa2cc556331c..813467de1479 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -61,6 +61,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	const struct nf_conntrack_tuple *tuple;
 	const struct nf_conntrack_helper *helper;
 	unsigned int state;
+	u8 addr_len;
 
 	ct = nf_ct_get(pkt->skb, &ctinfo);
 
@@ -178,14 +179,17 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	}
 
 	tuple = &ct->tuplehash[priv->dir].tuple;
+	addr_len = nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16;
 	switch (priv->key) {
 	case NFT_CT_SRC:
-		memcpy(dest, tuple->src.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		if (priv->len != addr_len)
+			goto err;
+		memcpy(dest, tuple->src.u3.all, addr_len);
 		return;
 	case NFT_CT_DST:
-		memcpy(dest, tuple->dst.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		if (priv->len != addr_len)
+			goto err;
+		memcpy(dest, tuple->dst.u3.all, addr_len);
 		return;
 	case NFT_CT_PROTO_SRC:
 		nft_reg_store16(dest, (__force u16)tuple->src.u.all);
-- 
2.43.0

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

> which makes nf_ct_l3num(ct) be 0

How?

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

Florian Westphal <fw@strlen.de> wrote:
> > which makes nf_ct_l3num(ct) be 0
> 
> How?

Wild guess:

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (ct == NULL)
+	if (!ct || nf_ct_is_template(ct))
 		goto err;
 
 	switch (priv->key) {
diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
--- a/net/netfilter/nft_ct_fast.c
+++ b/net/netfilter/nft_ct_fast.c
@@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (!ct) {
+	if (!ct || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}


.... might also make sense to invert
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16), i.e.:
nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Jiayuan Chen]

On 5/28/26 1:43 PM, Florian Westphal wrote:
> Florian Westphal <fw@strlen.de> wrote:
>>> which makes nf_ct_l3num(ct) be 0
>> How?

Yes, it's the template ct path.  The triggering rule is e.g.:

   table ip t {
       chain pre {
           type filter hook prerouting priority raw;
           ct zone set 1
           ct original saddr 1.2.3.4 accept
       }
   }


> Wild guess:
>
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
>   		break;
>   	}
>   
> -	if (ct == NULL)
> +	if (!ct || nf_ct_is_template(ct))
>   		goto err;
>   
>   	switch (priv->key) {
> diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
> --- a/net/netfilter/nft_ct_fast.c
> +++ b/net/netfilter/nft_ct_fast.c
> @@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
>   		break;
>   	}
>   
> -	if (!ct) {
> +	if (!ct || nf_ct_is_template(ct)) {
>   		regs->verdict.code = NFT_BREAK;
>   		return;
>   	}
>

It looks more general and also covers the other GET keys that would 
equally misbehave on a template.

> .... might also make sense to invert
> nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16), i.e.:
> nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);


As defense-in-depth, IIUC?

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> > --- a/net/netfilter/nft_ct.c
> > +++ b/net/netfilter/nft_ct.c
> > @@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
> >   		break;
> >   	}
> > -	if (ct == NULL)
> > +	if (!ct || nf_ct_is_template(ct))
> >   		goto err;
> >   	switch (priv->key) {
> > diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
> > --- a/net/netfilter/nft_ct_fast.c
> > +++ b/net/netfilter/nft_ct_fast.c
> > @@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
> >   		break;
> >   	}
> > -	if (!ct) {
> > +	if (!ct || nf_ct_is_template(ct)) {
> >   		regs->verdict.code = NFT_BREAK;
> >   		return;
> >   	}
> > 
> 
> It looks more general and also covers the other GET keys that would equally
> misbehave on a template.

Would you mind sending a v2?

> > .... might also make sense to invert
> > nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16), i.e.:
> > nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);
> 
> As defense-in-depth, IIUC?

Yes, alternatively merge your v1 with the template check. I don't see how
we can ever have nf_ct_l3num(ct) != nft_pf(pkt) outside of the template
bug.

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Jiayuan Chen]

On 5/28/26 3:10 PM, Florian Westphal wrote:
> Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>>> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
>>> --- a/net/netfilter/nft_ct.c
>>> +++ b/net/netfilter/nft_ct.c
>>> @@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
>>>    		break;
>>>    	}
>>> -	if (ct == NULL)
>>> +	if (!ct || nf_ct_is_template(ct))
>>>    		goto err;
>>>    	switch (priv->key) {
>>> diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
>>> --- a/net/netfilter/nft_ct_fast.c
>>> +++ b/net/netfilter/nft_ct_fast.c
>>> @@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
>>>    		break;
>>>    	}
>>> -	if (!ct) {
>>> +	if (!ct || nf_ct_is_template(ct)) {
>>>    		regs->verdict.code = NFT_BREAK;
>>>    		return;
>>>    	}
>>>
>> It looks more general and also covers the other GET keys that would equally
>> misbehave on a template.
> Would you mind sending a v2?

No problem, will do.


>>> .... might also make sense to invert
>>> nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16), i.e.:
>>> nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);
>> As defense-in-depth, IIUC?
> Yes, alternatively merge your v1 with the template check. I don't see how
> we can ever have nf_ct_l3num(ct) != nft_pf(pkt) outside of the template
> bug.
I think the template check plus the family check (nf_ct_l3num(ct) != 
nft_pf(pkt)) is enough as defense-in-depth.

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> > > > nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);
> > > As defense-in-depth, IIUC?
> > Yes, alternatively merge your v1 with the template check. I don't see how
> > we can ever have nf_ct_l3num(ct) != nft_pf(pkt) outside of the template
> > bug.
> I think the template check plus the family check (nf_ct_l3num(ct) !=
> nft_pf(pkt)) is enough as defense-in-depth.

Actually, I think we need to fix this to copy priv->len unconditionally.
Or, alternatively, add a memcpy wrapper that zero-pads the remainder of
the registers.

https://sashiko.dev/#/patchset/20260528042620.263828-1-jiayuan.chen%40linux.dev

"This is a pre-existing issue, but does copying only addr_len bytes when
priv->len is larger leave the remainder of the register uninitialized?
In nft_do_chain(), the register array is allocated on the kernel stack
without zero-initialization. If priv->len is 16 and addr_len is 4, only
the first 4 bytes are written."

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Jiayuan Chen]

On 5/28/26 4:01 PM, Florian Westphal wrote:
> Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>>>>> nf_ct_l3num(ct) == NFPROTO_IPV6 ? 16 : 4);
>>>> As defense-in-depth, IIUC?
>>> Yes, alternatively merge your v1 with the template check. I don't see how
>>> we can ever have nf_ct_l3num(ct) != nft_pf(pkt) outside of the template
>>> bug.
>> I think the template check plus the family check (nf_ct_l3num(ct) !=
>> nft_pf(pkt)) is enough as defense-in-depth.
> Actually, I think we need to fix this to copy priv->len unconditionally.
> Or, alternatively, add a memcpy wrapper that zero-pads the remainder of
> the registers.
>
> https://sashiko.dev/#/patchset/20260528042620.263828-1-jiayuan.chen%40linux.dev
>
> "This is a pre-existing issue, but does copying only addr_len bytes when
> priv->len is larger leave the remainder of the register uninitialized?
> In nft_do_chain(), the register array is allocated on the kernel stack
> without zero-initialization. If priv->len is 16 and addr_len is 4, only
> the first 4 bytes are written."


I just spotted that too.  I think copying priv->len unconditionally
is enough -- tuple->{src,dst} is zeroed in nf_ct_get_tuple() before the
protocol pkt_to_tuple callback fills in only the relevant leading bytes,
so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zeros
and no wrapper is needed.

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

Jiayuan Chen <jiayuan.chen@linux.dev> wrote:

[ CC Pablo ]

> > https://sashiko.dev/#/patchset/20260528042620.263828-1-jiayuan.chen%40linux.dev
> > 
> > "This is a pre-existing issue, but does copying only addr_len bytes when
> > priv->len is larger leave the remainder of the register uninitialized?
> > In nft_do_chain(), the register array is allocated on the kernel stack
> > without zero-initialization. If priv->len is 16 and addr_len is 4, only
> > the first 4 bytes are written."
> 
> I just spotted that too.  I think copying priv->len unconditionally
> is enough -- tuple->{src,dst} is zeroed in nf_ct_get_tuple() before the
> protocol pkt_to_tuple callback fills in only the relevant leading bytes,
> so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zeros
> and no wrapper is needed.

Pablo, whats your take?

chain c {
 type filter hook output priority -300; policy accept;
 ct zone set 1
 ct original saddr 0.0.0.0 counter accept
}

Then: ping -c 1 127.0.0.1

should the rule match the template or not?
If not, we need:

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (ct == NULL)
+	if (!ct || nf_ct_is_template(ct))
 		goto err;
 
 	switch (priv->key) {
diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
index e684c8a91848..ecf7b3a404be 100644
--- a/net/netfilter/nft_ct_fast.c
+++ b/net/netfilter/nft_ct_fast.c
@@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (!ct) {
+	if (!ct || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}


If it should match, we need something like this:

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -180,12 +180,14 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	tuple = &ct->tuplehash[priv->dir].tuple;
 	switch (priv->key) {
 	case NFT_CT_SRC:
-		memcpy(dest, tuple->src.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		if (nf_ct_l3num(ct) != nft_pf(pkt))
+			goto err;
+		memcpy(dest, tuple->src.u3.all, priv->len);
 		return;
 	case NFT_CT_DST:
-		memcpy(dest, tuple->dst.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		if (nf_ct_l3num(ct) != nft_pf(pkt))
+			goto err;
+		memcpy(dest, tuple->dst.u3.all, priv->len);
 		return;
 	case NFT_CT_PROTO_SRC:
 		nft_reg_store16(dest, (__force u16)tuple->src.u.all);

I am leaning towards both changes.  What do you think?

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Pablo Neira Ayuso]

On Thu, May 28, 2026 at 11:31:32AM +0200, Florian Westphal wrote:
> Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> 
> [ CC Pablo ]
> 
> > > https://sashiko.dev/#/patchset/20260528042620.263828-1-jiayuan.chen%40linux.dev
> > > 
> > > "This is a pre-existing issue, but does copying only addr_len bytes when
> > > priv->len is larger leave the remainder of the register uninitialized?
> > > In nft_do_chain(), the register array is allocated on the kernel stack
> > > without zero-initialization. If priv->len is 16 and addr_len is 4, only
> > > the first 4 bytes are written."
> > 
> > I just spotted that too.  I think copying priv->len unconditionally
> > is enough -- tuple->{src,dst} is zeroed in nf_ct_get_tuple() before the
> > protocol pkt_to_tuple callback fills in only the relevant leading bytes,
> > so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zeros
> > and no wrapper is needed.
> 
> Pablo, whats your take?
> 
> chain c {
>  type filter hook output priority -300; policy accept;
>  ct zone set 1
>  ct original saddr 0.0.0.0 counter accept
> }
> 
> Then: ping -c 1 127.0.0.1
> 
> should the rule match the template or not?

I don't think so, no matching on the template conntrack.

> If not, we need:
> 
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
>  		break;
>  	}
>  
> -	if (ct == NULL)
> +	if (!ct || nf_ct_is_template(ct))
>  		goto err;
>  
>  	switch (priv->key) {
> diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
> index e684c8a91848..ecf7b3a404be 100644
> --- a/net/netfilter/nft_ct_fast.c
> +++ b/net/netfilter/nft_ct_fast.c
> @@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
>  		break;
>  	}
>  
> -	if (!ct) {
> +	if (!ct || nf_ct_is_template(ct)) {
>  		regs->verdict.code = NFT_BREAK;
>  		return;
>  	}
> 

This patch LGTM.

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, May 28, 2026 at 11:31:32AM +0200, Florian Westphal wrote:
> > Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> >  type filter hook output priority -300; policy accept;
> >  ct zone set 1
> >  ct original saddr 0.0.0.0 counter accept
> > }
> > 
> > Then: ping -c 1 127.0.0.1
> > 
> > should the rule match the template or not?
> 
> I don't think so, no matching on the template conntrack.

Great, I will make a test case for nftables.
Jiayuan, would you send a v2  that fixes the OOB+register leak
and restricts template matching?

Thanks!

Re: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval

[Jiayuan Chen]

On 5/28/26 6:24 PM, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Thu, May 28, 2026 at 11:31:32AM +0200, Florian Westphal wrote:
>>> Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>>>   type filter hook output priority -300; policy accept;
>>>   ct zone set 1
>>>   ct original saddr 0.0.0.0 counter accept
>>> }
>>>
>>> Then: ping -c 1 127.0.0.1
>>>
>>> should the rule match the template or not?
>> I don't think so, no matching on the template conntrack.
> Great, I will make a test case for nftables.
> Jiayuan, would you send a v2  that fixes the OOB+register leak
> and restricts template matching?
>
> Thanks!

Sure. I will send V2 since everything is clear.