]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ab185e0)
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
authorDavide Ornaghi <d.ornaghi97@gmail.com>
Wed, 10 Jun 2026 10:39:13 +0000 (12:39 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 10 Jun 2026 16:00:32 +0000 (18:00 +0200)
NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/bridge/netfilter/nft_meta_bridge.c patch | blob | blame | history

diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 7763e78abb00af93dde59f402d0c6030dc23935f..219c4068026026e308df9020236fdaffe4872c7b 100644 (file)
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
                if (!br_dev)
                        goto err;
 
+               /* ETH_ALEN (6) is shorter than the destination register span (8) */
+               dest[1] = 0;
                memcpy(dest, br_dev->dev_addr, ETH_ALEN);
                return;
        default:
A mirror of Linus' kernel repository