[{"id":3679922,"web_url":"http://patchwork.ozlabs.org/comment/3679922/","msgid":"<41c9cd18-d5dc-41e0-a453-b936f15acfc5@suse.de>","list_archive_url":null,"date":"2026-04-21T14:53:45","subject":"Re: [PATCH net 1/1] netfilter: shift-out-of-bounds in nft_bitwise","submitter":{"id":90904,"url":"http://patchwork.ozlabs.org/api/people/90904/","name":"Fernando Fernandez Mancera","email":"fmancera@suse.de"},"content":"On 4/21/26 2:42 PM, Ren Wei wrote:\n> From: Kai Ma <k4729.23098@gmail.com>\n> \n> Handle zero shift operands explicitly in nft_bitwise_eval_lshift() and\n> nft_bitwise_eval_rshift().\n> \n> Shift expressions accept values in the range [0, 31], but the carry\n> propagation code assumes a non-zero shift and computes the carry from the\n> adjacent 32-bit word unconditionally. For a zero shift operand, the\n> expected result is to leave the value unchanged.\n> \n> Treat zero shift as a no-op before entering the carry propagation loops.\n> This preserves the existing behaviour for non-zero shifts and matches the\n> expected semantics of shifting by zero.\n> \n\nI think the issue here is undefined behavior actually; AFAICS \nshifting by the size of the type is UB, and depending on the architecture \nused it can lead to shift-out-of-bounds due to carry being equal to .\n\nShouldn't this be rejected in the control plane during validation? As a 0 \nshift operation is pointless, we can reject it right away.\n\nIn addition, please use the nf target for v2.\n\nThanks,\nFernando.\n\n> Fixes: 567d746b55bc (\"netfilter: bitwise: add support for shifts.\")\n> Cc: stable@kernel.org\n> Reported-by: Yuan Tan <yuantan098@gmail.com>\n> Reported-by: Yifan Wu <yifanwucs@gmail.com>\n> Reported-by: Juefei Pu <tomapufckgml@gmail.com>\n> Reported-by: Xin Liu <bird@lzu.edu.cn>\n> Signed-off-by: Kai Ma <k4729.23098@gmail.com>\n> 
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>\n> ---\n>   net/netfilter/nft_bitwise.c | 20 ++++++++++++++++----\n>   1 file changed, 16 insertions(+), 4 deletions(-)\n> \n> diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c\n> index d550910aabec..f74774b176af 100644\n> --- a/net/netfilter/nft_bitwise.c\n> +++ b/net/netfilter/nft_bitwise.c\n> @@ -39,10 +39,16 @@ static void nft_bitwise_eval_lshift(u32 *dst, const u32 *src,\n>   \t\t\t\t    const struct nft_bitwise *priv)\n>   {\n>   \tu32 shift = priv->data.data[0];\n> -\tunsigned int i;\n> +\tunsigned int i, n = DIV_ROUND_UP(priv->len, sizeof(u32));\n>   \tu32 carry = 0;\n>   \n> -\tfor (i = DIV_ROUND_UP(priv->len, sizeof(u32)); i > 0; i--) {\n> +\tif (!shift) {\n> +\t\tfor (i = 0; i < n; i++)\n> +\t\t\tdst[i] = src[i];\n> +\t\treturn;\n> +\t}\n> +\n> +\tfor (i = n; i > 0; i--) {\n>   \t\tdst[i - 1] = (src[i - 1] << shift) | carry;\n>   \t\tcarry = src[i - 1] >> (BITS_PER_TYPE(u32) - shift);\n>   \t}\n> 
@@ -52,10 +58,16 @@ static void nft_bitwise_eval_rshift(u32 *dst, const u32 *src,\n>   \t\t\t\t    const struct nft_bitwise *priv)\n>   {\n>   \tu32 shift = priv->data.data[0];\n> -\tunsigned int i;\n> +\tunsigned int i, n = DIV_ROUND_UP(priv->len, sizeof(u32));\n>   \tu32 carry = 0;\n>   \n> -\tfor (i = 0; i < DIV_ROUND_UP(priv->len, sizeof(u32)); i++) {\n> +\tif (!shift) {\n> +\t\tfor (i = 0; i < n; i++)\n> +\t\t\tdst[i] = src[i];\n> +\t\treturn;\n> +\t}\n> +\n> +\tfor (i = 0; i < n; i++) {\n>   \t\tdst[i] = carry | (src[i] >> shift);\n>   \t\tcarry = src[i] << (BITS_PER_TYPE(u32) - shift);\n>   \t}"}]