[PATCH net v2 6/7] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [PATCH net v2 6/7] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Date: Tue, 10 Mar 2026 14:20:48 +0100	[thread overview]
Message-ID: <20260310132050.630-7-fw@strlen.de> (raw)
In-Reply-To: <20260310132050.630-1-fw@strlen.de>

From: Hyunwoo Kim <imv4bel@gmail.com>

nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body.  When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared.  The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].

The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it.  Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.

 BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
 Call Trace:
  nfnl_cthelper_dump_table+0x9f/0x1b0
  netlink_dump+0x333/0x880
  netlink_recvmsg+0x3e2/0x4b0
  sock_recvmsg+0xde/0xf0
  __sys_recvfrom+0x150/0x200
  __x64_sys_recvfrom+0x76/0x90
  do_syscall_64+0xc3/0x6e0

 Allocated by task 1:
  __kvmalloc_node_noprof+0x21b/0x700
  nf_ct_alloc_hashtable+0x65/0xd0
  nf_conntrack_helper_init+0x21/0x60
  nf_conntrack_init_start+0x18d/0x300
  nf_conntrack_standalone_init+0x12/0xc0

Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nfnetlink_cthelper.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index d658b1478fa0..d545fa459455 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -601,10 +601,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 				goto out;
 			}
 		}
-	}
-	if (cb->args[1]) {
-		cb->args[1] = 0;
-		goto restart;
+		if (cb->args[1]) {
+			cb->args[1] = 0;
+			goto restart;
+		}
 	}
 out:
 	rcu_read_unlock();
-- 
2.52.0

next prev parent reply	other threads:[~2026-03-10 13:21 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-10 13:20 [PATCH net v2 0/7] netfilter: updates for net Florian Westphal
2026-03-10 13:20 ` [PATCH net v2 1/7] netfilter: nf_tables: Fix for duplicate device in netdev hooks Florian Westphal
2026-03-12  2:20   ` patchwork-bot+netdevbpf
2026-03-10 13:20 ` [PATCH net v2 2/7] netfilter: nf_tables: always walk all pending catchall elements Florian Westphal
2026-03-10 13:20 ` [PATCH net v2 3/7] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Florian Westphal
2026-03-10 13:20 ` [PATCH net v2 4/7] netfilter: x_tables: guard option walkers against 1-byte tail reads Florian Westphal
2026-03-10 13:20 ` [PATCH net v2 5/7] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Florian Westphal
2026-03-10 13:20 ` Florian Westphal [this message]
2026-03-10 13:20 ` [PATCH net v2 7/7] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Florian Westphal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d658b1478fa dfblob:d545fa45945 )
 OR (
bs:"[PATCH net v2 6/7] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260310132050.630-7-fw@strlen.de \
    --to=fw@strlen.de \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox