From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4EFD63D9029; Mon, 4 May 2026 14:07:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777903629; cv=none; b=egG/GQnv/dvTbmCB846feqRQnJsmEjGqN0WEnkgpaDMHf7xqSZk8dhGQK9Lajljqw2OtC95ydFS49ZTiRkC2Ah2jCJw+LrKnvRDjJ/JsrmpHPgR2xzjXdkDUILUN7bx6g8FSht4NPM4XpZf+0VV0u2PEn/zzb3B57qbQuUKfKac= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777903629; c=relaxed/simple; bh=x2Cdv+aEHfgAARAZrzw6yRIL7QUtQbEP02Qiyiw4Opc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DKkrKXkRTKmyBoDXSYYyjarFvADCcOjftkdGsLAZNTfAfx0AqReJQF7Qfb7Mogd/uWPthTBuFTdbmPXxGKhzsg4vWNQi7kJHwv7s2XLdY1xMprKHffxG1MqGCZiznhrscsVpfw34FByzhwyGQHqgTP0AfrFkoaeni2NAhYA9vag= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=HGHFJW+M; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="HGHFJW+M" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D7302C2BCB8; Mon, 4 May 2026 14:07:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1777903629; bh=x2Cdv+aEHfgAARAZrzw6yRIL7QUtQbEP02Qiyiw4Opc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HGHFJW+Mj4hRUzxywL/s1egjca0izwGUxeaIj+fHFtMsd41psbTSf0nI7dNzhzgDZ 8PiizEGdc4sLawFuNpLT0nhIw78c1Mfqy6B03xSBYiO0OstX+5g8zSbL7G969FoIrW rJsgMR0qPfM3p8qzhsHXOn62TP163K6cNBLp/8sA= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Yuan Tan , Yifan Wu , Juefei Pu , Xin Liu , Kai Ma , Ren Wei , Fernando Fernandez Mancera , Pablo Neira Ayuso Subject: [PATCH 7.0 307/307] netfilter: reject zero shift in nft_bitwise Date: Mon, 4 May 2026 15:53:12 +0200 Message-ID: <20260504135154.321404125@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260504135142.814938198@linuxfoundation.org> References: <20260504135142.814938198@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kai Ma commit fe11e5c40817b84abaa5d83bfb6586d8412bfd07 upstream. Reject zero shift operands for nft_bitwise left and right shift expressions during initialization. The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour. Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path. Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.") Cc: stable@kernel.org Reported-by: Yuan Tan Reported-by: Yifan Wu Reported-by: Juefei Pu Reported-by: Xin Liu Signed-off-by: Kai Ma Signed-off-by: Ren Wei Reviewed-by: Fernando Fernandez Mancera Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nft_bitwise.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c @@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct if (err < 0) return err; - if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { + if (!priv->data.data[0] || + priv->data.data[0] >= BITS_PER_TYPE(u32)) { nft_data_release(&priv->data, desc.type); return -EINVAL; }