* [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping
From: Weiming Shi @ 2026-04-18 16:30 UTC
To: Pablo Neira Ayuso, Florian Westphal, David S . Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Phil Sutter, Simon Horman, netfilter-devel, coreteam, netdev,
Xiang Mei, Weiming Shi
When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base
chain, par->hook_mask is set to 0, bypassing the checkentry hook
validation. The target can then run at PRE_ROUTING where skb_dst is
NULL, causing a null-ptr-deref in tcpmss_mangle_packet():
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)
tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)
nft_target_eval_xt (net/netfilter/nft_compat.c:87)
nft_do_chain (net/netfilter/nf_tables_core.c:287)
nf_hook_slow (net/netfilter/core.c:623)
Check skb_dst() for NULL before calling dst_mtu().
Fixes: 493618a92c6a ("netfilter: nft_compat: fix hook validation for non-base chains")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
net/netfilter/xt_TCPMSS.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 116a885adb3c..79b5e475e23e 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -102,7 +102,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
struct net *net = xt_net(par);
unsigned int in_mtu = tcpmss_reverse_mtu(net, skb, family);
- unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);
+ unsigned int min_mtu;
+
+ if (!skb_dst(skb))
+ return -1;
+
+ min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);
if (min_mtu <= minlen) {
net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
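Review bot: the new early return at `if (!skb_dst(skb)) return -1;` fails silently, while the existing `min_mtu <= minlen` branch right below it emits `net_err_ratelimited("unknown or invalid path-MTU ...")`; a missing route at clamp time is the same class of misconfiguration, so give it a ratelimited diagnostic too (or fold it into that branch), otherwise an operator whose rule was accepted by checkentry sees packets disappear with nothing in the log. Minor: `skb_dst(skb)` is now evaluated twice in a row; a local `struct dst_entry *dst = skb_dst(skb);` used in both the check and the `dst_mtu()` call reads cleaner. As the follow-ups in this thread point out, the check guards one dereference but does not restore the hook-mask validation that `hook_mask == 0` bypasses, so the commit message should say it is a defensive stopgap rather than the fix for the validation gap.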
--
2.43.0
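The failure mode the commit message describes, and the shape of the fix, modelled in userspace as an added example (this is not code from the patch or from the kernel tree). `tcpmss_check_hook_mask()` reproduces the form of the checkentry-time test: it rejects a mask that contains a hook outside the set where a route is guaranteed, so an empty mask, which is what nft_compat hands a non-base chain, is accepted vacuously. `tcpmss_clamp_mss()` reproduces the clamping step with the NULL-route check from the hunk above. The hook numbers and the `XT_TCPMSS_CLAMP_PMTU` value match the kernel headers; the `_strict` variant, the struct stand-ins for `sk_buff`/`dst_entry` and the helper names are assumptions of this example.

```c
/* Added example, not from the patch or the kernel: a userspace model of the
 * xt_TCPMSS hook-mask check and of the patched clamping path. Kernel types
 * are replaced by plain structs (an assumption of this example). */
#include <stdio.h>

/* Netfilter IPv4 hook numbers, as in <uapi/linux/netfilter.h>. */
enum nf_inet_hooks {
	NF_INET_PRE_ROUTING,
	NF_INET_LOCAL_IN,
	NF_INET_FORWARD,
	NF_INET_LOCAL_OUT,
	NF_INET_POST_ROUTING,
};

#define XT_TCPMSS_CLAMP_PMTU 0xffff  /* same value as in xt_TCPMSS.h */

/* Hooks where a route (skb_dst) is guaranteed to exist for PMTU clamping. */
#define TCPMSS_PMTU_HOOKS ((1u << NF_INET_FORWARD) | \
			   (1u << NF_INET_LOCAL_OUT) | \
			   (1u << NF_INET_POST_ROUTING))

/* Model of the checkentry-time test: 0 when accepted, -1 when rejected.
 * It only rejects masks that contain a disallowed hook, so an empty mask
 * (hook_mask == 0, what nft_compat passes for a non-base chain) is accepted
 * without any hook having been checked. That is the gap the report describes. */
int tcpmss_check_hook_mask(unsigned int mss, unsigned int hook_mask)
{
	if (mss == XT_TCPMSS_CLAMP_PMTU &&
	    (hook_mask & ~TCPMSS_PMTU_HOOKS) != 0)
		return -1;
	return 0;
}

/* Stricter variant (an assumption of this example, not kernel behaviour):
 * treat an unknown hook set as a validation failure, so a zero mask cannot
 * pass by default. */
int tcpmss_check_hook_mask_strict(unsigned int mss, unsigned int hook_mask)
{
	if (mss == XT_TCPMSS_CLAMP_PMTU &&
	    (hook_mask == 0 || (hook_mask & ~TCPMSS_PMTU_HOOKS) != 0))
		return -1;
	return 0;
}

/* Minimal stand-ins for sk_buff / dst_entry (assumption of this example). */
struct dst_entry { unsigned int mtu; };
struct sk_buff { struct dst_entry *dst; };

static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }
static unsigned int dst_mtu(const struct dst_entry *dst) { return dst->mtu; }
static unsigned int min_u(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Model of the clamping step after the patch: -1 when there is no route or
 * the path MTU is unusable, otherwise the MSS value to write. minlen is the
 * IP+TCP header length that has to fit below the MTU. */
int tcpmss_clamp_mss(const struct sk_buff *skb, unsigned int in_mtu,
		     unsigned int minlen)
{
	unsigned int min_mtu;

	if (!skb_dst(skb))        /* the check added by the patch */
		return -1;

	min_mtu = min_u(dst_mtu(skb_dst(skb)), in_mtu);
	if (min_mtu <= minlen)    /* "unknown or invalid path-MTU" branch */
		return -1;

	return (int)(min_mtu - minlen);
}

int main(void)
{
	/* Constructed sample packets: one with a route, one as seen at
	 * PRE_ROUTING before routing has attached a dst. */
	struct dst_entry route = { .mtu = 1500 };
	struct sk_buff routed = { .dst = &route };
	struct sk_buff prerouting = { .dst = NULL };

	printf("hook_mask=0 accepted by lenient check: %s\n",
	       tcpmss_check_hook_mask(XT_TCPMSS_CLAMP_PMTU, 0) == 0 ? "yes" : "no");
	printf("hook_mask=0 accepted by strict check:  %s\n",
	       tcpmss_check_hook_mask_strict(XT_TCPMSS_CLAMP_PMTU, 0) == 0 ? "yes" : "no");
	printf("clamped MSS with route:    %d\n", tcpmss_clamp_mss(&routed, 1400, 40));
	printf("clamped MSS without route: %d\n", tcpmss_clamp_mss(&prerouting, 1400, 40));
	return 0;
}
```

The lenient check is the one that matters for the report: a mask of zero carries no hook bits, so "no disallowed hook present" is true and CLAMP_PMTU is accepted for a chain that may later be reached from PRE_ROUTING. The NULL check in `tcpmss_clamp_mss()` stops the dereference but turns the packet into a drop with no diagnostic, which is why the thread treats it as a stopgap rather than the fix.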
* Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping
From: Florian Westphal @ 2026-04-18 19:58 UTC
To: Weiming Shi
Cc: Pablo Neira Ayuso, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Phil Sutter, Simon Horman, netfilter-devel, coreteam,
netdev, Xiang Mei
Weiming Shi <bestswngs@gmail.com> wrote:
> When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base
> chain, par->hook_mask is set to 0, bypassing the checkentry hook
> validation. The target can then run at PRE_ROUTING where skb_dst is
> NULL, causing a null-ptr-deref in tcpmss_mangle_packet():
>
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)
> tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)
> nft_target_eval_xt (net/netfilter/nft_compat.c:87)
> nft_do_chain (net/netfilter/nf_tables_core.c:287)
> nf_hook_slow (net/netfilter/core.c:623)
>
> Check skb_dst() for NULL before calling dst_mtu().
FWIW I will apply this patch even though it's wrong.
nft_compat.c is just too broken, I don't see how it can be
fixed in any reasonable amount of time.
Validation is done too early, at expression instantiation
time.
This doesn't work because we have an incomplete graph, it has
to be done at final table validation time.
But then all required compat info (xtables hints) is gone
and no longer available.
AFAICS the only way to resolve this is to cache the info in
the nft_expr priv area (WHERE IT ABSOLUTELY DOESN'T BELONG!)
because that's the only storage there is.
*puke*
* Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping
From: Florian Westphal @ 2026-04-19 8:00 UTC
To: Weiming Shi
Cc: Pablo Neira Ayuso, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Phil Sutter, Simon Horman, netfilter-devel, coreteam,
netdev, Xiang Mei
Florian Westphal <fw@strlen.de> wrote:
> Weiming Shi <bestswngs@gmail.com> wrote:
> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base
> > chain, par->hook_mask is set to 0, bypassing the checkentry hook
> > validation. The target can then run at PRE_ROUTING where skb_dst is
> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():
> >
> > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)
> > tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)
> > nft_target_eval_xt (net/netfilter/nft_compat.c:87)
> > nft_do_chain (net/netfilter/nf_tables_core.c:287)
> > nf_hook_slow (net/netfilter/core.c:623)
> >
> > Check skb_dst() for NULL before calling dst_mtu().
>
> FWIW I will apply this patch even though it's wrong.
>
> nft_compat.c is just too broken, I don't see how it can be
> fixed in any reasonable amount of time.
net/netfilter/xt_TCPMSS.c: (par->hook_mask & ~((1 << NF_INET_FORWARD) |
net/netfilter/xt_addrtype.c: if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
net/netfilter/xt_devgroup.c: par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) |
net/netfilter/xt_physdev.c: par->hook_mask & (1 << NF_INET_LOCAL_OUT)) {
net/netfilter/xt_policy.c: if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
net/netfilter/xt_set.c: (par->hook_mask & ~(1 << NF_INET_FORWARD |
Looking at this, I don't see an alternative to mixing nft specific bits into
x_tables, i.e.:
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -187,6 +187,8 @@ struct xt_target {
/* Should return 0 on success or an error code otherwise (-Exxxx). */
int (*checkentry)(const struct xt_tgchk_param *);
+ int (*nft_validate_chain)(const void *targinfo, unsigned int hook_mask);
+
/* Called when entry of this type deleted. */
void (*destroy)(const struct xt_tgdtor_param *);
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
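Review bot: the new `int (*nft_validate_chain)(const void *targinfo, unsigned int hook_mask);` member has no comment, while its neighbour `checkentry` documents its contract ("Should return 0 on success or an error code otherwise (-Exxxx)"); state the same return convention here, and say that it is called at nf_tables table-validation time with the hook mask computed from the chain graph, since that timing is the whole point of the proposal. The callback takes a bare `const void *targinfo` instead of a param struct like `xt_tgchk_param`; a small struct would leave room for the family and netns that the existing checkentry hooks in the grep output above consult. As posted, the hunk only adds the member and no caller or implementer, so it is a sketch for discussion rather than an applicable patch, which is fine here but should be stated if it is resent.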
.. and then call that from nft_compat.c for TCPMSS.
Same for matches.
* Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping
From: Pablo Neira Ayuso @ 2026-04-19 10:24 UTC
To: Florian Westphal
Cc: Weiming Shi, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Phil Sutter, Simon Horman, netfilter-devel, coreteam,
netdev, Xiang Mei
On Sat, Apr 18, 2026 at 09:58:03PM +0200, Florian Westphal wrote:
> Weiming Shi <bestswngs@gmail.com> wrote:
> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base
> > chain, par->hook_mask is set to 0, bypassing the checkentry hook
> > validation. The target can then run at PRE_ROUTING where skb_dst is
> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():
> >
> > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)
> > tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)
> > nft_target_eval_xt (net/netfilter/nft_compat.c:87)
> > nft_do_chain (net/netfilter/nf_tables_core.c:287)
> > nf_hook_slow (net/netfilter/core.c:623)
> >
> > Check skb_dst() for NULL before calling dst_mtu().
>
> FWIW I will apply this patch even though it's wrong.
>
> nft_compat.c is just too broken, I don't see how it can be
> fixed in any reasonable amount of time.
>
> Validation is done too early, at expression instantiation
> time.
>
> This doesn't work because we have an incomplete graph, it has
> to be done at final table validation time.
I remember this used to work, maybe it broke with recent updates on
the chain graph detection?
Once the non-basechain is added it should consider the basechain where
this can be reached.
> But then all required compat info (xtables hints) is gone
> and no longer available.
What?
> AFAICS the only way to resolve this is to cache the info in
> the nft_expr priv area (WHERE IT ABSOLUTELY DOESN'T BELONG!)
> because that's the only storage there is.
No.
* Re: [PATCH nf] netfilter: xt_TCPMSS: check skb_dst before path-MTU clamping
From: Pablo Neira Ayuso @ 2026-04-19 10:25 UTC
To: Florian Westphal
Cc: Weiming Shi, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Phil Sutter, Simon Horman, netfilter-devel, coreteam,
netdev, Xiang Mei
On Sat, Apr 18, 2026 at 09:58:03PM +0200, Florian Westphal wrote:
> Weiming Shi <bestswngs@gmail.com> wrote:
> > When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base
> > chain, par->hook_mask is set to 0, bypassing the checkentry hook
> > validation. The target can then run at PRE_ROUTING where skb_dst is
> > NULL, causing a null-ptr-deref in tcpmss_mangle_packet():
> >
> > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105)
> > tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202)
> > nft_target_eval_xt (net/netfilter/nft_compat.c:87)
> > nft_do_chain (net/netfilter/nf_tables_core.c:287)
> > nf_hook_slow (net/netfilter/core.c:623)
> >
> > Check skb_dst() for NULL before calling dst_mtu().
>
> FWIW I will apply this patch even though it's wrong.
And no please, do not apply this.
This needs to be fixed from the chain graph detection.