* [PATCH nf] netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
@ 2026-03-31 15:01 Pablo Neira Ayuso
2026-03-31 15:07 ` Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2026-03-31 15:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw, bestswngs
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
<TASK>
nft_match_eval (net/netfilter/nft_compat.c:407)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
nf_hook_slow (net/netfilter/core.c:623)
arp_xmit (net/ipv4/arp.c:666)
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
Fixes: 9291747f118d ("netfilter: xtables: add device group match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Alternative to:
[PATCH nf v2] netfilter: x_tables: reject unsupported families in xt_check_match/xt_check_target
net/netfilter/x_tables.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e594b3b7ad82..b39017c80548 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -501,6 +501,17 @@ int xt_check_match(struct xt_mtchk_param *par,
par->match->table, par->table);
return -EINVAL;
}
+
+ /* NFPROTO_UNSPEC implies NF_INET_* hooks which do not overlap with
+ * NF_ARP_IN,OUT,FORWARD, allow explicit extensions with NFPROTO_ARP
+ * support.
+ */
+ if (par->family == NFPROTO_ARP &&
+ par->match->family != NFPROTO_ARP) {
+ pr_info_ratelimited("%s_tables: %s match: not valid for this family\n",
+ xt_prefix[par->family], par->match->name);
+ return -EINVAL;
+ }
if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
char used[64], allow[64];
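Review bot: the comment at the top of the added block says the NF_INET_* hooks "do not overlap with" NF_ARP_IN,OUT,FORWARD, but the changelog's own point is that they collide numerically (NF_ARP_OUT == 1 == NF_INET_LOCAL_IN), which is exactly why the `.hooks` bitmask test just below cannot catch an NFPROTO_UNSPEC extension on an ARP chain; suggest rewording to say that the ARP hook numbers carry different meaning, so the bitmask comparison is not meaningful for non-ARP extensions. Minor style point: this hunk inserts the new `}` directly before the existing `if (par->match->hooks && ...)` line, whereas the xt_check_target hunk adds a blank line after its block; keep the two consistent.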
@@ -1016,6 +1027,18 @@ int xt_check_target(struct xt_tgchk_param *par,
par->target->table, par->table);
return -EINVAL;
}
+
+ /* NFPROTO_UNSPEC implies NF_INET_* hooks which do not overlap with
+ * NF_ARP_IN,OUT,FORWARD, allow explicit extensions with NFPROTO_ARP
+ * support.
+ */
+ if (par->family == NFPROTO_ARP &&
+ par->target->family != NFPROTO_ARP) {
+ pr_info_ratelimited("%s_tables: %s target: not valid for this family\n",
+ xt_prefix[par->family], par->target->name);
+ return -EINVAL;
+ }
+
if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
char used[64], allow[64];
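Review bot: this block repeats the comment and the check from the xt_check_match() hunk verbatim apart from match/target, so a small static helper taking the extension's family and name plus the "match"/"target" string would keep the two paths in sync if the family rule is extended later. For the changelog, note the user-visible change: any NFPROTO_UNSPEC target that nft_compat could previously load on an arp chain now fails at rule insertion with -EINVAL and the ratelimited "not valid for this family" message; the text covers arptables-legacy's three extensions but a sentence on the nft_compat side would help anyone who sees that message.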
--
2.47.3
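The hook-number collision the changelog describes, modelled in user space as an added example that is not part of the patch or the kernel tree: the hook and family constants follow the uapi netfilter.h values, `struct model_match` is a stand-in for the fields of `struct xt_match` the checks read, and the two match instances are constructed for illustration. `check_hooks_only` reproduces the pre-patch `.hooks` bitmask test and `check_with_family` adds the family check from the patch; the ARP-output case shows the first accepting an NFPROTO_UNSPEC match because bit 1 happens to be in its NF_INET_* mask, and the second rejecting it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hook numbers shared by IPv4, IPv6, INET and bridge (uapi values). */
enum nf_inet_hooks {
	NF_INET_PRE_ROUTING  = 0,
	NF_INET_LOCAL_IN     = 1,
	NF_INET_FORWARD      = 2,
	NF_INET_LOCAL_OUT    = 3,
	NF_INET_POST_ROUTING = 4,
};

/* ARP has three hooks; NF_ARP_OUT shares the number 1 with NF_INET_LOCAL_IN. */
enum nf_arp_hooks {
	NF_ARP_IN      = 0,
	NF_ARP_OUT     = 1,
	NF_ARP_FORWARD = 2,
};

enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3 };

/* Minimal stand-in for the fields of struct xt_match used by the checks. */
struct model_match {
	const char   *name;
	uint8_t       family;
	unsigned int  hooks;	/* bitmask of hook numbers the match accepts */
};

/* Constructed NFPROTO_UNSPEC match that only expects to run on hooks where
 * a receiving device is present (input side), like the reported devgroup case. */
static const struct model_match unspec_input_match = {
	"unspec-input-mt", NFPROTO_UNSPEC,
	(1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD),
};

/* Constructed match that explicitly declares NFPROTO_ARP support. */
static const struct model_match arp_match = {
	"arp-mt", NFPROTO_ARP,
	(1u << NF_ARP_IN) | (1u << NF_ARP_OUT) | (1u << NF_ARP_FORWARD),
};

/* Pre-patch behaviour: only the .hooks bitmask test from xt_check_match(). */
int check_hooks_only(uint8_t family, unsigned int hook_mask,
		     const struct model_match *m)
{
	(void)family;	/* the bitmask test never looks at the family */
	if (m->hooks && (hook_mask & ~m->hooks) != 0)
		return -EINVAL;
	return 0;
}

/* Post-patch behaviour: ARP may only use extensions that declare NFPROTO_ARP. */
int check_with_family(uint8_t family, unsigned int hook_mask,
		      const struct model_match *m)
{
	if (family == NFPROTO_ARP && m->family != NFPROTO_ARP)
		return -EINVAL;
	return check_hooks_only(family, hook_mask, m);
}

static void report(const char *what, int rc)
{
	printf("%-52s -> %s\n", what, rc == 0 ? "accepted" : "rejected (-EINVAL)");
}

int main(void)
{
	unsigned int arp_out = 1u << NF_ARP_OUT;	/* ARP output hook: no state->in */

	/* Hook bit 1 is set in the NF_INET_* mask, so the old check passes. */
	report("hooks-only check, UNSPEC match on ARP output",
	       check_hooks_only(NFPROTO_ARP, arp_out, &unspec_input_match));
	/* The family check rejects it before the bitmask is consulted. */
	report("family check, UNSPEC match on ARP output",
	       check_with_family(NFPROTO_ARP, arp_out, &unspec_input_match));
	/* An extension that declares NFPROTO_ARP still loads. */
	report("family check, ARP match on ARP output",
	       check_with_family(NFPROTO_ARP, arp_out, &arp_match));
	/* IPv4 keeps the existing semantics: LOCAL_OUT is outside the mask. */
	report("family check, UNSPEC match on IPv4 LOCAL_OUT",
	       check_with_family(NFPROTO_IPV4, 1u << NF_INET_LOCAL_OUT,
				 &unspec_input_match));
	return 0;
}
```

The bitmask test is unchanged between the two functions; what the patch changes is that for NFPROTO_ARP it is never reached unless the extension itself declared ARP support, which is the only case in which its hook numbers mean what the mask assumes.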
* Re: [PATCH nf] netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
2026-03-31 15:01 [PATCH nf] netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Pablo Neira Ayuso
@ 2026-03-31 15:07 ` Florian Westphal
0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2026-03-31 15:07 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, bestswngs
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> + /* NFPROTO_UNSPEC implies NF_INET_* hooks which do not overlap with
> + * NF_ARP_IN,OUT,FORWARD, allow explicit extensions with NFPROTO_ARP
> + * support.
> + */
> + if (par->family == NFPROTO_ARP &&
> + par->match->family != NFPROTO_ARP) {
> + pr_info_ratelimited("%s_tables: %s match: not valid for this family\n",
> + xt_prefix[par->family], par->match->name);
> + return -EINVAL;
> + }
> if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
> char used[64], allow[64];
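Review bot: the reply approves without mentioning test coverage; since the new check turns a crash into a clean -EINVAL at rule load, a selftest that creates an arp-family chain, tries to load a match without NFPROTO_ARP support and expects the rejection, while confirming that arpt_CLASSIFY, arpt_mangle and arpt_MARK still load, would keep this path from regressing silently.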
Thanks Pablo, this looks fine.