[PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from

Ethernet Bridge development
 help / color / mirror / Atom feed

* [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user
       [not found] <cover.1776834093.git.rakukuip@gmail.com>
@ 2026-04-24  9:23 ` Ren Wei
  2026-04-24  9:52   ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-04-24  9:23 UTC (permalink / raw)
  To: netfilter-devel, bridge
  Cc: pablo, fw, phil, razor, idosch, davem, edumazet, kuba, pabeni,
	horms, yuantan098, yifanwucs, tomapufckgml, bird, rakukuip, n05ec

From: Luxiao Xu <rakukuip@gmail.com>

The function compat_mtw_from_user() converts ebtables extensions from
32-bit user structures to kernel native structures. However, it lacks
proper validation of the user-supplied match_size/target_size.

When certain extensions are processed, the kernel-side translation
logic may perform memory accesses based on the extension's expected
size. If the user provides a size smaller than what the extension
requires, it results in an out-of-bounds read as reported by KASAN.

This fix introduces a check to ensure match_size is at least as large
as the extension's required compatsize. This covers matches, watchers,
and targets, while maintaining compatibility with standard targets.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/bridge/netfilter/ebtables.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index aea3e19875c6..80cd0233c088 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1977,6 +1977,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 		if (IS_ERR(match))
 			return PTR_ERR(match);
 
+		if (match_size < match->compatsize) {
+			module_put(match->me);
+			return -EINVAL;
+		}
+
 		off = ebt_compat_match_offset(match, match_size);
 		if (dst) {
 			if (match->compat_from_user)
@@ -1996,6 +2001,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 					    mwt->u.revision);
 		if (IS_ERR(wt))
 			return PTR_ERR(wt);
+
+		if (match_size < wt->compatsize) {
+			module_put(wt->me);
+			return -EINVAL;
+		}
+
 		off = xt_compat_target_offset(wt);
 
 		if (dst) {
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user
  2026-04-24  9:23 ` [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user Ren Wei
@ 2026-04-24  9:52   ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2026-04-24  9:52 UTC (permalink / raw)
  To: Ren Wei
  Cc: netfilter-devel, bridge, pablo, phil, razor, idosch, davem,
	edumazet, kuba, pabeni, horms, yuantan098, yifanwucs,
	tomapufckgml, bird, rakukuip

Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Luxiao Xu <rakukuip@gmail.com>
> 
> The function compat_mtw_from_user() converts ebtables extensions from
> 32-bit user structures to kernel native structures. However, it lacks
> proper validation of the user-supplied match_size/target_size.
> 
> When certain extensions are processed, the kernel-side translation
> logic may perform memory accesses based on the extension's expected
> size. If the user provides a size smaller than what the extension
> requires, it results in an out-of-bounds read as reported by KASAN.
> 
> This fix introduces a check to ensure match_size is at least as large
> as the extension's required compatsize. This covers matches, watchers,
> and targets, while maintaining compatibility with standard targets.
> 
> Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  net/bridge/netfilter/ebtables.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index aea3e19875c6..80cd0233c088 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1977,6 +1977,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
>  		if (IS_ERR(match))
>  			return PTR_ERR(match);
>  
> +		if (match_size < match->compatsize) {
> +			module_put(match->me);
> +			return -EINVAL;
> +		}
> +

Are you sure this catches all bad requests? AFAIR compatsize is 0
in most cases, which bypasses this test.

should this be:

u16 csize = match->compatsize ? : match->matchsize;
...
if (match_size < csize) {
...

?

@Pablo: I think the 32bit compat layer should be removed in -next, or
at least strongly discouraged and slated for removal soon.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-24  9:52 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <cover.1776834093.git.rakukuip@gmail.com>
2026-04-24  9:23 ` [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user Ren Wei
2026-04-24  9:52   ` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox