From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval
Date: Thu, 28 May 2026 12:26:20 +0800 [thread overview]
Message-ID: <20260528042620.263828-1-jiayuan.chen@linux.dev> (raw)
I noticed this issue while looking at a historic syzbot report [1].
syzbot forces dreg[19] to be used as the storage for the ipv4 address,
together with a raw priority chain, which makes nf_ct_l3num(ct) be 0
so that 16 bytes get copied into dreg[19]. Even when the dreg is not
[19], the same larger-than-expected copy can clobber other regs.
I am not sure whether there are other paths; here we add a check to
fix the deprecated NFT_CT_SRC and NFT_CT_DST branches.
[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Fixes: 45d9bcda21f4 ("netfilter: nf_tables: validate len in nft_validate_data_load()")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
net/netfilter/nft_ct.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index fa2cc556331c..813467de1479 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -61,6 +61,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
const struct nf_conntrack_tuple *tuple;
const struct nf_conntrack_helper *helper;
unsigned int state;
+ u8 addr_len;
ct = nf_ct_get(pkt->skb, &ctinfo);
@@ -178,14 +179,17 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
}
tuple = &ct->tuplehash[priv->dir].tuple;
+ addr_len = nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16;
switch (priv->key) {
case NFT_CT_SRC:
- memcpy(dest, tuple->src.u3.all,
- nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+ if (priv->len != addr_len)
+ goto err;
+ memcpy(dest, tuple->src.u3.all, addr_len);
return;
case NFT_CT_DST:
- memcpy(dest, tuple->dst.u3.all,
- nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+ if (priv->len != addr_len)
+ goto err;
+ memcpy(dest, tuple->dst.u3.all, addr_len);
return;
case NFT_CT_PROTO_SRC:
nft_reg_store16(dest, (__force u16)tuple->src.u.all);
--
2.43.0
next reply other threads:[~2026-05-28 4:26 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 4:26 Jiayuan Chen [this message]
2026-05-28 5:19 ` [PATCH nf] netfilter: nft_ct: fix OOB in NFT_CT_SRC/DST eval Florian Westphal
2026-05-28 5:43 ` Florian Westphal
2026-05-28 7:02 ` Jiayuan Chen
2026-05-28 7:10 ` Florian Westphal
2026-05-28 7:27 ` Jiayuan Chen
2026-05-28 8:01 ` Florian Westphal
2026-05-28 8:25 ` Jiayuan Chen
2026-05-28 9:31 ` Florian Westphal
2026-05-28 10:03 ` Pablo Neira Ayuso
2026-05-28 10:24 ` Florian Westphal
2026-05-28 10:26 ` Jiayuan Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260528042620.263828-1-jiayuan.chen@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox