From: Mathias Krause <minipli@grsecurity.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org
Subject: Re: [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init()
Date: Tue, 28 Apr 2026 13:48:02 +0200 [thread overview]
Message-ID: <91091356-7e7d-4664-bd20-67c70f23e655@grsecurity.net> (raw)
In-Reply-To: <afCFlxjOiEs2ouKY@chamomile>
On 28.04.26 12:01, Pablo Neira Ayuso wrote:
> On Tue, Apr 28, 2026 at 11:09:17AM +0200, Mathias Krause wrote:
>> --- a/net/netfilter/nf_nat_core.c
>> +++ b/net/netfilter/nf_nat_core.c
>> @@ -1187,6 +1187,16 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
>> struct nf_hook_ops *nat_ops;
>> int i, ret;
>>
>> +#ifndef MODULE
>> + /* If nf_nat_core is built-in and nf_nat_init() fails, dependent
>> + * modules like nft_chain_nat.ko may still call this function.
>> + * However, nat_net would be invalid, likely pointing to some other
>> + * per-net structure.
>
> Hm, if nf_nat_init() fails, then nft_chain_nat should fail to load.
If nf_nat is a module, that is the case, yes. However, the failing case
had it built-in (CONFIG_NF_NAT=y) and there's little the kernel can do
when some init function fails -- the code and data will still be part of
vmlinux.
>
> Maybe there is a different way to validate this dependency?
Yeah, maybe. Maybe move the 'nf_nat_hook != NULL' test to
nft_chain_nat_init()? It's exported already, so this should work --
assuming the respective init functions get called in the right order
(nf_nat_init() first, then nft_chain_nat_init()). But that should be the
case, even if both are built-in, according to the order in
net/netfilter/Makefile.
It's a little fragile, though. In case the link order changes one day,
the test would lead to a false positive, making nft_chain_nat fail for
the wrong reason.
Also, I'm uncertain if the link order is really that deterministic wrt.
init functions for LTO builds?
Mathias
>
>> + */
>> + if (WARN_ON_ONCE(!nf_nat_hook))
>> + return -EOPNOTSUPP;
>> +#endif
>> +
>> if (WARN_ON_ONCE(pf >= ARRAY_SIZE(nat_net->nat_proto_net)))
>> return -EINVAL;
>>
>> --
>> 2.47.3
>>
prev parent reply other threads:[~2026-04-28 11:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 9:09 [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init() Mathias Krause
2026-04-28 10:01 ` Pablo Neira Ayuso
2026-04-28 11:48 ` Mathias Krause [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=91091356-7e7d-4664-bd20-67c70f23e655@grsecurity.net \
--to=minipli@grsecurity.net \
--cc=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox