From: Florian Westphal <fw@strlen.de>
To: bestswngs@gmail.com
Cc: pablo@netfilter.org, phil@nwl.cc, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, xmei5@asu.edu, stable@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: xt_devgroup: reject unsupported families in checkentry
Date: Sun, 22 Mar 2026 09:39:30 +0100 [thread overview]
Message-ID: <ab-qwvT576uYX6ny@strlen.de> (raw)
In-Reply-To: <20260322041844.983129-3-bestswngs@gmail.com>
bestswngs@gmail.com <bestswngs@gmail.com> wrote:
> From: Weiming Shi <bestswngs@gmail.com>
>
> devgroup_mt_checkentry() validates hook_mask using NF_INET_* constants,
> but the match is registered with NFPROTO_UNSPEC, which allows it to be
> used from any protocol family through nft_compat.
>
> On an ARP nftables output chain, nft_compat passes
> hook_mask = 1 << NF_ARP_OUT. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN,
> the source-group hook validation incorrectly accepts the rule. At runtime
> arp_xmit() invokes the chain with state->in == NULL, and devgroup_mt()
> dereferences xt_in(par)->group, crashing the kernel:
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
> RIP: 0010:devgroup_mt+0xff/0x350
> Call Trace:
> <TASK>
> nft_match_eval (net/netfilter/nft_compat.c:407)
> nft_do_chain (net/netfilter/nf_tables_core.c:285)
> nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
> nf_hook_slow (net/netfilter/core.c:623)
> arp_xmit (net/ipv4/arp.c:666)
> arp_solicit (net/ipv4/arp.c:393)
> neigh_probe (net/core/neighbour.c:1098)
> __neigh_event_send (net/core/neighbour.c:1277)
> neigh_resolve_output (net/core/neighbour.c:1604)
> ip_finish_output2 (net/ipv4/ip_output.c:237)
> </TASK>
> Kernel panic - not syncing: Fatal exception in interrupt
>
> Reject families whose hook numbering differs from the NF_INET_* scheme
> early in checkentry. NFPROTO_INET and NFPROTO_BRIDGE share the same
> five-hook layout (PRE_ROUTING ... POST_ROUTING) and the same
> state->in/state->out semantics as IPv4/IPv6, so they are safe.
> ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
> semantics, causing the numbering collision that triggers this bug.
I think we should solve this in x_tables.c so we don't have to ensure
all the .checkentry functions provide for this.
While this patch solves the specific module at hand, it begs
the question if the same bug pattern exist exlsewhere.
xt_check_match and xt_check_target should call a common
helper, this helper checks that if the match/target is UNSPEC
and has .hooks != 0, then the calling family is IPV4, IPV6 or BRIDGE.
All others can be rejected.
Would you make such a patch?
Thanks!
next prev parent reply other threads:[~2026-03-22 8:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-22 4:18 [PATCH nf] netfilter: xt_devgroup: reject unsupported families in checkentry bestswngs
2026-03-22 8:39 ` Florian Westphal [this message]
2026-03-22 9:03 ` Weiming Shi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ab-qwvT576uYX6ny@strlen.de \
--to=fw@strlen.de \
--cc=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=stable@vger.kernel.org \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox