* [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user
From: Ren Wei @ 2026-04-24 9:23 UTC
To: netfilter-devel, bridge
Cc: pablo, fw, phil, razor, idosch, davem, edumazet, kuba, pabeni, horms, yuantan098, yifanwucs, tomapufckgml, bird, rakukuip, n05ec

From: Luxiao Xu <rakukuip@gmail.com>

The function compat_mtw_from_user() converts ebtables extensions from
32-bit user structures to kernel native structures. However, it lacks
proper validation of the user-supplied match_size/target_size.

When certain extensions are processed, the kernel-side translation
logic may perform memory accesses based on the extension's expected
size. If the user provides a size smaller than what the extension
requires, it results in an out-of-bounds read as reported by KASAN.

This fix introduces a check to ensure match_size is at least as large
as the extension's required compatsize. This covers matches, watchers,
and targets, while maintaining compatibility with standard targets.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/bridge/netfilter/ebtables.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index aea3e19875c6..80cd0233c088 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1977,6 +1977,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, if (IS_ERR(match)) return PTR_ERR(match); + if (match_size < match->compatsize) { + module_put(match->me); + return -EINVAL; + } + off = ebt_compat_match_offset(match, match_size); if (dst) { if (match->compat_from_user) @@ -1996,6 +2001,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, mwt->u.revision); if (IS_ERR(wt)) return PTR_ERR(wt); + + if (match_size < wt->compatsize) { + module_put(wt->me); + return -EINVAL; + } + off = xt_compat_target_offset(wt); if (dst) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 2+ messages in thread
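Review bot: the new check in the first hunk compares match_size only against match->compatsize, so for any match that leaves compatsize at 0 the condition can never be true (match_size is unsigned, and nothing is smaller than 0) and an undersized user record still reaches ebt_compat_match_offset() and the translation below it. Consider falling back to the native size when no compat size is set, e.g. `u16 csize = match->compatsize ? : match->matchsize;` followed by `if (match_size < csize) {`, and, because ebt_compat_match_offset() takes match_size as a separate argument (which suggests at least one match does not describe its size through matchsize alone), confirm that case is handled before the comparison is applied to it. Dropping the module reference with module_put() before returning -EINVAL is the right ordering.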
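Review bot: the same gap applies to the watcher/target check in the second hunk: a wt->compatsize of 0 makes `if (match_size < wt->compatsize)` a no-op, so the fallback to the target's native size field (the counterpart of matchsize for targets) is needed here as well. Separately, the commit message says the check keeps compatibility with standard targets, but nothing in this hunk distinguishes a standard target from any other target; if no special case is needed, the commit message should say why, and if one is needed it is missing. Minor: the extra blank line before the new if-block is inconsistent with the first hunk.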
* Re: [PATCH nf 1/1] netfilter: ebtables: fix OOB read in compat_mtw_from_user
From: Florian Westphal @ 2026-04-24 9:52 UTC
To: Ren Wei
Cc: netfilter-devel, bridge, pablo, phil, razor, idosch, davem, edumazet, kuba, pabeni, horms, yuantan098, yifanwucs, tomapufckgml, bird, rakukuip

Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Luxiao Xu <rakukuip@gmail.com>
>
> The function compat_mtw_from_user() converts ebtables extensions from
> 32-bit user structures to kernel native structures. However, it lacks
> proper validation of the user-supplied match_size/target_size.
>
> When certain extensions are processed, the kernel-side translation
> logic may perform memory accesses based on the extension's expected
> size. If the user provides a size smaller than what the extension
> requires, it results in an out-of-bounds read as reported by KASAN.
>
> This fix introduces a check to ensure match_size is at least as large
> as the extension's required compatsize. This covers matches, watchers,
> and targets, while maintaining compatibility with standard targets.
>
> Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  net/bridge/netfilter/ebtables.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index aea3e19875c6..80cd0233c088 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1977,6 +1977,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, > if (IS_ERR(match)) > return PTR_ERR(match); > > + if (match_size < match->compatsize) { > + module_put(match->me); > + return -EINVAL; > + } > +

Are you sure this catches all bad requests?

AFAIR compatsize is 0 in most cases, which bypasses this test.

Should this be:

u16 csize = match->compatsize ? : match->matchsize;
...
if (match_size < csize) { ...

?

@Pablo: I think the 32bit compat layer should be removed in -next,
or at least strongly discouraged and slated for removal soon.
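To make the gap raised in the reply concrete, here is an added, constructed model of the size check in the two forms discussed in this thread: as posted (compared against compatsize only) and with the reply's fallback to matchsize when compatsize is 0. This is illustration code written for this page, not kernel code and not from the patch; the struct ext, the two sample descriptors and the user record are constructed, and translate() reports how many bytes past the supplied record the translation would have read instead of reading them.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed extension descriptor carrying the two size fields the thread
 * discusses. Not the kernel's xt_match; for illustration only. */
struct ext {
    const char *name;
    uint16_t matchsize;  /* native size of the per-rule data */
    uint16_t compatsize; /* 32-bit layout size; 0 when the extension sets none */
};

/* Sample descriptors (constructed): one sets compatsize, one leaves it 0. */
static const struct ext ext_with_compat = { "with_compat", 24, 20 };
static const struct ext ext_no_compat   = { "no_compat",   16,  0 };

/* Constructed user record; callers pass the size they claim to supply. */
static const uint8_t user_rec[24] = { 1, 2, 3, 4 };
static uint8_t scratch[64];

/* Number of bytes the translation step expects to read from user data. */
static unsigned int expected_size(const struct ext *m)
{
    return m->compatsize ? m->compatsize : m->matchsize;
}

/* Models the patched compat_mtw_from_user() path for one record of
 * match_size bytes. use_fallback=false is the check as posted (compatsize
 * only); use_fallback=true is the reply's suggestion (compatsize, or
 * matchsize when compatsize is 0). Returns -EINVAL when the record is
 * rejected, otherwise how many bytes the translation would have read past
 * the end of the user record (0 means the record was large enough). */
static int translate(const struct ext *m, const uint8_t *user,
                     unsigned int match_size, bool use_fallback, uint8_t *dst)
{
    unsigned int limit = use_fallback ? expected_size(m) : m->compatsize;

    if (match_size < limit)
        return -EINVAL;

    unsigned int need = expected_size(m);
    unsigned int avail = need < match_size ? need : match_size;

    memcpy(dst, user, avail);   /* copy only what really exists */
    return (int)(need - avail); /* the overread KASAN would report */
}
```

With compatsize left at 0, the check as posted accepts an 8-byte record for an extension that needs 16 bytes, while the fallback form rejects it.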