* [PATCH net] netfilter: nf_conntrack_sctp: validate state value in nlattr_to_sctp()
@ 2026-03-07 17:22 Hyunwoo Kim
2026-03-07 18:24 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Hyunwoo Kim @ 2026-03-07 17:22 UTC (permalink / raw)
To: pablo, fw, phil, davem, edumazet, kuba, pabeni, horms
Cc: netfilter-devel, coreteam, netdev, imv4bel
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. The state value is later used as an array index
in sctp_print_conntrack() (sctp_conntrack_names[state]) and
sctp_new_state() (sctp_conntracks[dir][i][state]), causing
global-out-of-bounds reads.
This is the same class of bug that was fixed for DCCP in CVE-2023-39197,
but the SCTP counterpart was missed.
Add a range check against SCTP_CONNTRACK_MAX, consistent with the
existing validation in nlattr_to_tcp() for TCP conntrack state.
KASAN report:
[ 1.101351] BUG: KASAN: global-out-of-bounds in sctp_print_conntrack+0x30/0x50
[ 1.101574] Read of size 8 at addr ffffffff847a5770 by task poc_sctp/131
[ 1.101770]
[ 1.101824] CPU: 1 UID: 0 PID: 131 Comm: poc_sctp Not tainted 7.0.0-rc2+ #6 PREEMPTLAZY
[ 1.101827] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 1.101829] Call Trace:
[ 1.101833] <TASK>
[ 1.101834] dump_stack_lvl+0x64/0x80
[ 1.101844] print_report+0xce/0x660
[ 1.101849] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1.101857] ? __virt_addr_valid+0xef/0x1a0
[ 1.101863] ? sctp_print_conntrack+0x30/0x50
[ 1.101866] kasan_report+0xce/0x100
[ 1.101868] ? sctp_print_conntrack+0x30/0x50
[ 1.101870] sctp_print_conntrack+0x30/0x50
[ 1.101874] ct_seq_show+0x392/0x7f0
[ 1.101878] ? __pfx_ct_seq_show+0x10/0x10
[ 1.101880] ? __kasan_kmalloc+0x8f/0xa0
[ 1.101884] ? ktime_get_with_offset+0xa3/0x140
[ 1.101889] ? ct_get_next+0x14e/0x190
[ 1.101892] seq_read_iter+0x292/0x7d0
[ 1.101897] seq_read+0x214/0x290
[ 1.101901] ? __pfx_seq_read+0x10/0x10
[ 1.101903] ? apparmor_file_permission+0x114/0x340
[ 1.101911] proc_reg_read+0xe4/0x140
[ 1.101916] vfs_read+0x141/0x570
[ 1.101919] ? kmem_cache_free+0x100/0x440
[ 1.101924] ? __pfx_vfs_read+0x10/0x10
[ 1.101926] ? do_sys_openat2+0xed/0x150
[ 1.101930] ? __pfx_do_sys_openat2+0x10/0x10
[ 1.101932] ksys_read+0xcc/0x160
[ 1.101934] ? __pfx_ksys_read+0x10/0x10
[ 1.101936] do_syscall_64+0xc3/0x6e0
[ 1.101940] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1.101944] RIP: 0033:0x41b301
[ 1.101949] Code: f7 d8 64 89 02 b8 ff ff ff ff eb ba e8 e8 16 00 00 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d 5d 8d 09 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
[ 1.101951] RSP: 002b:00007ffca1da7f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 1.101957] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000041b301
[ 1.101958] RDX: 0000000000001fff RSI: 00007ffca1da7f10 RDI: 0000000000000004
[ 1.101959] RBP: 00007ffca1da7f10 R08: 0000000000000000 R09: 0000000000000000
[ 1.101962] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffca1daa820
[ 1.101963] R13: 00007ffca1dab988 R14: 0000000000000003 R15: 00007ffca1da9f84
[ 1.101965] </TASK>
[ 1.101966]
[ 1.107833] The buggy address belongs to the variable:
[ 1.107977] sctp_conntrack_names+0x50/0xc0
[ 1.108107]
[ 1.108155] The buggy address belongs to the physical page:
[ 1.108309] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47a5
[ 1.108536] flags: 0x100000000002000(reserved|node=0|zone=1)
[ 1.108702] raw: 0100000000002000 ffffea000011e948 ffffea000011e948 0000000000000000
[ 1.108916] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 1.109132] page dumped because: kasan: bad access detected
[ 1.109288]
[ 1.109337] Memory state around the buggy address:
[ 1.109476] ffffffff847a5600: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 06 f9 f9
[ 1.109690] ffffffff847a5680: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 07 f9 f9
[ 1.109910] >ffffffff847a5700: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
[ 1.110118] ^
[ 1.110309] ffffffff847a5780: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
[ 1.110515] ffffffff847a5800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
[ 1.110720] ==================================================================
Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
net/netfilter/nf_conntrack_proto_sctp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 7c6f7c9f7332..cbee99be7b5e 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -612,6 +612,9 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
!tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
return -EINVAL;
+ if (nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]) >= SCTP_CONNTRACK_MAX)
+ return -EINVAL;
+
spin_lock_bh(&ct->lock);
ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] netfilter: nf_conntrack_sctp: validate state value in nlattr_to_sctp()
2026-03-07 17:22 [PATCH net] netfilter: nf_conntrack_sctp: validate state value in nlattr_to_sctp() Hyunwoo Kim
@ 2026-03-07 18:24 ` Florian Westphal
2026-03-08 10:42 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2026-03-07 18:24 UTC (permalink / raw)
To: Hyunwoo Kim
Cc: pablo, phil, davem, edumazet, kuba, pabeni, horms,
netfilter-devel, coreteam, netdev
Hyunwoo Kim <imv4bel@gmail.com> wrote:
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> index 7c6f7c9f7332..cbee99be7b5e 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -612,6 +612,9 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
> !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
> return -EINVAL;
>
> + if (nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]) >= SCTP_CONNTRACK_MAX)
> + return -EINVAL;
Like other, similar bug classes, I would prefer this to be solved via
netlink policy fixup.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] netfilter: nf_conntrack_sctp: validate state value in nlattr_to_sctp()
2026-03-07 18:24 ` Florian Westphal
@ 2026-03-08 10:42 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2026-03-08 10:42 UTC (permalink / raw)
To: Florian Westphal
Cc: Hyunwoo Kim, phil, davem, edumazet, kuba, pabeni, horms,
netfilter-devel, coreteam, netdev
On Sat, Mar 07, 2026 at 07:24:00PM +0100, Florian Westphal wrote:
> Hyunwoo Kim <imv4bel@gmail.com> wrote:
> > diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> > index 7c6f7c9f7332..cbee99be7b5e 100644
> > --- a/net/netfilter/nf_conntrack_proto_sctp.c
> > +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> > @@ -612,6 +612,9 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
> > !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
> > return -EINVAL;
> >
> > + if (nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]) >= SCTP_CONNTRACK_MAX)
> > + return -EINVAL;
>
> Like other, similar bug classes, I would prefer this to be solved via
> netlink policy fixup.
Agreed, policy is the way to go to restrict this.
A single patch for all protocol trackers should be fine.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-08 10:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-07 17:22 [PATCH net] netfilter: nf_conntrack_sctp: validate state value in nlattr_to_sctp() Hyunwoo Kim
2026-03-07 18:24 ` Florian Westphal
2026-03-08 10:42 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox