{"id":2226536,"url":"http://patchwork.ozlabs.org/api/patches/2226536/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260422145419.2927088-1-n05ec@lzu.edu.cn/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422145419.2927088-1-n05ec@lzu.edu.cn>","list_archive_url":null,"date":"2026-04-22T14:54:18","name":"[nf,v2,1/1] netfilter: reject zero shift in nft_bitwise","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"edcaec31ab47b3e3a2c66d0393f4497305824cda","submitter":{"id":92912,"url":"http://patchwork.ozlabs.org/api/people/92912/?format=json","name":"Ren Wei","email":"n05ec@lzu.edu.cn"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260422145419.2927088-1-n05ec@lzu.edu.cn/mbox/","series":[{"id":501029,"url":"http://patchwork.ozlabs.org/api/series/501029/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501029","date":"2026-04-22T14:54:18","name":"[nf,v2,1/1] netfilter: reject zero shift in nft_bitwise","version":2,"mbox":"http://patchwork.ozlabs.org/series/501029/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226536/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226536/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <netfilter-devel+bounces-12138-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n 
(client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12138-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.97.182.222","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=lzu.edu.cn","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=lzu.edu.cn"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g12Wm0vXNz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 01:02:28 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id D9BB53025A41\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 15:01:56 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7E11A3101B8;\n\tWed, 22 Apr 2026 15:01:56 +0000 (UTC)","from zg8tmja5ljk3lje4mi4ymjia.icoremail.net\n (zg8tmja5ljk3lje4mi4ymjia.icoremail.net [209.97.182.222])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6066F2E5B2A\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 22 Apr 2026 15:01:53 +0000 (UTC)","from enjou-Legion-Y7000P-2019.coin-barley.ts.net (unknown\n [172.23.56.36])\n\tby app1 (Coremail) with SMTP id ygmowACH+PjI4uhpnePaAA--.37402S2;\n\tWed, 22 Apr 2026 23:01:28 +0800 (CST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776870116; cv=none;\n b=riwXb1NojtuLJ9yzcIl26AaqhIuvTvw/TjBaXxRA/Uo+INc99w6tM1Vg3KZ5GCoxCdEW++Tfg1Jr526bRo3VN7S96lz2UbV8z3zYAcIAuijtF0p59rdauqT6bxg9Ix6pBrPn3RtAVj3f8Z220xqbl3Wa/nxy0WHB8xHn6cxkCBA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776870116; 
c=relaxed/simple;\n\tbh=OziEh/U4GbhSFqLEoiOSPKCZJ1EX8ykixJaanViiuew=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=aZRRFOwlz/bnkZkChZb68ai4dhENsNlKBj7ykBjRT8qMhLnbKsgV7JDaLEh4kUETMeKeyGT66znsOg83pOfDxkSEViQJRgNQN9HzxWCn33ABJvkfLzHdqOR+rcEHzN2MrRCZQeIQuIKZ9falQAeP2REAYveaCTHWHWVMQflHOPE=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=lzu.edu.cn;\n spf=pass smtp.mailfrom=lzu.edu.cn; arc=none smtp.client-ip=209.97.182.222","From":"Ren Wei <n05ec@lzu.edu.cn>","To":"netfilter-devel@vger.kernel.org","Cc":"pablo@netfilter.org,\n\tfw@strlen.de,\n\tphil@nwl.cc,\n\tdavem@davemloft.net,\n\tedumazet@google.com,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\thorms@kernel.org,\n\tjeremy@azazel.net,\n\tyuantan098@gmail.com,\n\tyifanwucs@gmail.com,\n\ttomapufckgml@gmail.com,\n\tbird@lzu.edu.cn,\n\tk4729.23098@gmail.com,\n\tn05ec@lzu.edu.cn","Subject":"[PATCH nf v2 1/1] netfilter: reject zero shift in nft_bitwise","Date":"Wed, 22 Apr 2026 22:54:18 +0800","Message-ID":"<20260422145419.2927088-1-n05ec@lzu.edu.cn>","X-Mailer":"git-send-email 
2.51.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-CM-TRANSID":"ygmowACH+PjI4uhpnePaAA--.37402S2","X-CM-SenderInfo":"zqqvvuo6o23hxhgxhubq/1tbiAQ0FCWnoi2EHoAACsO"},"content":"From: Kai Ma <k4729.23098@gmail.com>\n\nReject zero shift operands for nft_bitwise left and right shift\nexpressions during initialization.\n\nThe carry propagation logic computes the carry from the adjacent 32-bit\nword using BITS_PER_TYPE(u32) - shift. 
A zero shift operand turns this\ninto a 32-bit shift, which is undefined behaviour.\n\nReject zero shift operands in the control plane, alongside the existing\ncheck for values greater than or equal to 32, so malformed rules never\nreach the packet path.\n\nFixes: 567d746b55bc (\"netfilter: bitwise: add support for shifts.\")\nCc: stable@kernel.org\nReported-by: Yuan Tan <yuantan098@gmail.com>\nReported-by: Yifan Wu <yifanwucs@gmail.com>\nReported-by: Juefei Pu <tomapufckgml@gmail.com>\nReported-by: Xin Liu <bird@lzu.edu.cn>\nSigned-off-by: Kai Ma <k4729.23098@gmail.com>\nSigned-off-by: Ren Wei <n05ec@lzu.edu.cn>\n---\nchanges in v2:\n  - Reject zero shift operands in nft_bitwise_init_shift() and drop the\n    runtime zero-shift handling in the eval path.\n  - v1 Link: https://lore.kernel.org/all/5166c80ac3006080e4542ef4c3bf28bc78c696bc.1776667409.git.k4729.23098@gmail.com/\n\n net/netfilter/nft_bitwise.c | 3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)","diff":"diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c\nindex 13808e9cd999..94dccdcfa06b 100644\n--- a/net/netfilter/nft_bitwise.c\n+++ b/net/netfilter/nft_bitwise.c\n@@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv,\n \tif (err < 0)\n \t\treturn err;\n \n-\tif (priv->data.data[0] >= BITS_PER_TYPE(u32)) {\n+\tif (!priv->data.data[0] ||\n+\t    priv->data.data[0] >= BITS_PER_TYPE(u32)) {\n \t\tnft_data_release(&priv->data, desc.type);\n \t\treturn -EINVAL;\n \t}\n","prefixes":["nf","v2","1/1"]}
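Review bot: the new `!priv->data.data[0]` test in nft_bitwise_init_shift() carries no comment saying why zero is invalid, and the condition alone does not make the reason obvious, since a zero shift reads like a harmless no-op. A one-line comment above the `if`, noting that the eval path computes the carry with `BITS_PER_TYPE(u32) - shift` and that a zero operand turns this into a 32-bit shift, would keep a later cleanup from dropping the check. The commit message should also state whether any existing ruleset or userspace tool can emit a zero shift operand, because such rules were accepted before this change and now fail to load with -EINVAL.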