bugzilla-daemon at netfilter.org
2013-Nov-08  23:23 UTC
[Bug 871] New: Running two instances of ulog causes abort in libnfnetlink
https://bugzilla.netfilter.org/show_bug.cgi?id=871
           Summary: Running two instances of ulog causes abort in
                    libnfnetlink
           Product: ulogd
           Version: SVN (please provide timestamp)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ulogd
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: bootc at bootc.net
   Estimated Hours: 0.0
ulogd_inppkt_NFLOG.c:start() has a bug in out_bind:
out_bind:
    nflog_close(ui->nful_h);
    if (group_ce(upi->config_kset).u.value == 0) {
        nflog_unbind_pf(ui->nful_h, AF_INET);
        nflog_unbind_pf(ui->nful_h, AF_INET6);
        nflog_unbind_pf(ui->nful_h, AF_BRIDGE);
    }
Essentially, nflog_close() is called first, freeing the nflog handle and all of
its data, *then* nflog_unbind_pf() is called with the freed handle. This causes
use-after-free and NULL pointer dereference in nflog_unbind_pf().
To fix this, the nflog_close() should be moved after the if () block.
To replicate this: attempt to run two instances of ulogd with the NFLOG plugin
enabled and with the same groups. The second instance will abort:
firebox bootc # ulogd 
ulogd: libnfnetlink.c:1566: nfnl_query: Assertion `h' failed.
Aborted
#4  0xb7e497b7 in __GI___assert_fail (assertion=assertion@entry=0xb7e10aed "h", file=file@entry=0xb7e10970 "libnfnetlink.c", line=line@entry=1566, function=function@entry=0xb7e10e6e <__PRETTY_FUNCTION__.5013> "nfnl_query") at assert.c:101
#5  0xb7e0fd0b in nfnl_query (h=0x0, nlh=0xbffff320) at libnfnetlink.c:1566
#6  0xb7fd9044 in __build_send_cfg_msg (h=0x80013d48, command=<optimized out>, groupnum=<optimized out>, pf=<optimized out>) at libnetfilter_log.c:143
#7  0xb7e1b68c in start (upi=upi@entry=0x80010090) at ulogd_inppkt_NFLOG.c:623
#8  0x800041bd in create_stack_start_instances (stack=0x80010078) at ulogd.c:809
Syslog contains:
Nov  8 23:22:13 firebox ulogd[27321]: unable to bind to log group 0
Regards,
Chris
-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
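The cleanup ordering described in the report above, as an added example that is not part of the original report or the ulogd source. All names are hypothetical stand-ins for the libnetfilter_log calls; the mock handle is only marked closed rather than freed, so calls that reach it after close can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>

enum { MOCK_PF_INET, MOCK_PF_INET6, MOCK_PF_BRIDGE, MOCK_PF_COUNT };
/* Hypothetical stand-in for the nflog handle. It lives in a caller-owned
 * slot and is only marked closed, so a late call can be counted safely
 * where the real code would touch freed memory. */
struct mock_handle { bool open; bool bound[MOCK_PF_COUNT]; };

static int stale_uses; /* calls that reached a handle after mock_close() */
static void mock_open(struct mock_handle *h) {
    h->open = true;
    for (int pf = 0; pf < MOCK_PF_COUNT; pf++) h->bound[pf] = true;
}
static void mock_close(struct mock_handle *h) { h->open = false; }
static int mock_unbind_pf(struct mock_handle *h, int pf) {
    if (!h->open) { stale_uses++; return -1; } /* use-after-free in real code */
    h->bound[pf] = false;
    return 0;
}

static void unbind_all(struct mock_handle *h, int group) {
    if (group != 0) return; /* same condition as the out_bind block */
    for (int pf = 0; pf < MOCK_PF_COUNT; pf++) mock_unbind_pf(h, pf);
}

/* Order shown in the report: close first, then unbind. */
int cleanup_as_reported(int group) {
    struct mock_handle h;
    mock_open(&h); stale_uses = 0;
    mock_close(&h);
    unbind_all(&h, group);
    return stale_uses;
}

/* Order the report proposes: unbind, then close. */
int cleanup_reordered(int group) {
    struct mock_handle h;
    mock_open(&h); stale_uses = 0;
    unbind_all(&h, group);
    mock_close(&h);
    return stale_uses;
}

int main(void) {
    printf("reported=%d reordered=%d\n", cleanup_as_reported(0), cleanup_reordered(0));
    return 0;
}
```

With group 0 the reported order makes all three unbind calls on a closed handle; any other group skips the unbind block, so the defect stays hidden on that path.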
bugzilla-daemon at netfilter.org
2013-Nov-08  23:28 UTC
[Bug 871] Running two instances of ulog causes abort in libnfnetlink
https://bugzilla.netfilter.org/show_bug.cgi?id=871
--- Comment #1 from Chris Boot <bootc at bootc.net> 2013-11-09 00:28:43 CET ---
This corresponds to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729055 in Debian.
bugzilla-daemon at netfilter.org
2013-Nov-15  14:25 UTC
[Bug 871] Running two instances of ulog causes abort in libnfnetlink
https://bugzilla.netfilter.org/show_bug.cgi?id=871
--- Comment #2 from Chris Boot <bootc at bootc.net> 2013-11-15 15:25:48 CET ---
Created attachment 425 --> https://bugzilla.netfilter.org/attachment.cgi?id=425
Patch being applied to the Debian package
bugzilla-daemon at netfilter.org
2013-Nov-15  20:26 UTC
[Bug 871] Running two instances of ulog causes abort in libnfnetlink
https://bugzilla.netfilter.org/show_bug.cgi?id=871
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com
--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-11-15 21:26:29 CET ---
I confirm your patch fixes the issue (at least the error it spits out is
prettier than the failed assertion).  For upstream inclusion, please submit it
to netfilter-devel at vger.kernel.org with your signed-off-by.
bugzilla-daemon at netfilter.org
2013-Nov-19  04:32 UTC
[Bug 871] Running two instances of ulog causes abort in libnfnetlink
https://bugzilla.netfilter.org/show_bug.cgi?id=871
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #4 from Phil Oester <netfilter at linuxace.com> 2013-11-19 05:32:14 CET ---
Patch applied to ulogd2 tree via commit f482f35b63b1 (ulogd:
ulogd_inppkt_NFLOG: close nflog handle after unbinding).  Closing.