thr3ads.net - netfilter buglog - [Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null [Apr 2014]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at netfilter.org

2014-Apr-13 07:47 UTC

[Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null

https://bugzilla.netfilter.org/show_bug.cgi?id=915

           Summary: segfault in error case : expr_evaluate_payload not
                    checking payload->payload.desc being null
           Product: nftables
           Version: unspecified
          Platform: x86_64
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
        AssignedTo: pablo at netfilter.org
        ReportedBy: laurent at guerby.net
   Estimated Hours: 0.0


With latest git libmnl / libnftnl / nftables :

root at h7:~# nft add rule filter output @nh,16,4 8.8.8.8 counter
Segmentation fault
root at h7:~# gdb nft
GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test/sbin/nft...done.
(gdb) r add rule filter output @nh,16,4 8.8.8.8 counter
Starting program: /root/test/sbin/nft add rule filter output @nh,16,4 8.8.8.8
counter
warning: no loadable sections found in added symbol-file system-supplied DSO at
0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438, expr=0x64c740)
at src/evaluate.c:284
284            return expr_error(ctx->msgs, payload,
(gdb) bt
#0  0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438,
expr=0x64c740) at src/evaluate.c:284
#1  0x000000000040f71d in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c740) at
src/evaluate.c:1071
#2  0x000000000040ee9d in expr_evaluate_relational (ctx=0x7fffffffe438,
expr=0x64c7a8) at src/evaluate.c:874
#3  0x000000000040f81f in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c7a8) at
src/evaluate.c:1093
#4  0x000000000040f8a5 in stmt_evaluate_expr (ctx=0x7fffffffe438,
stmt=0x64c760) at src/evaluate.c:1102
#5  0x000000000040fc50 in stmt_evaluate (ctx=0x7fffffffe438, stmt=0x64c760) at
src/evaluate.c:1198
#6  0x0000000000410017 in rule_evaluate (ctx=0x7fffffffe438, rule=0x64c840) at
src/evaluate.c:1283
#7  0x000000000041049e in cmd_evaluate_add (ctx=0x7fffffffe438, cmd=0x64c8d0)
at src/evaluate.c:1380
#8  0x000000000041066e in cmd_evaluate (ctx=0x7fffffffe438, cmd=0x64c8d0) at
src/evaluate.c:1424
#9  0x0000000000420dfe in nft_parse (scanner=0x64c490, state=0x7fffffffde50) at
src/parser.y:573
#10 0x00000000004055cb in nft_run (scanner=0x64c490, state=0x7fffffffde50,
msgs=0x7fffffffde40) at src/main.c:221
#11 0x0000000000405a47 in main (argc=8, argv=0x7fffffffe658) at src/main.c:332
(gdb) p payload
$1 = (struct expr *) 0x64c5a0
(gdb) p *payload
$2 = {list = {next = 0x64c5a0, prev = 0x64c5a0}, location = {indesc
0x7fffffffde58, {{token_offset = 24, line_offset = 0, first_line = 1, last_line
= 1, first_column = 24, last_column = 31}, {nle = 0x18}}}, refcnt = 1, flags 0, 
  dtype = 0x42df60 <integer_type>, byteorder = BYTEORDER_INVALID, len = 4,
ops
= 0x433f00 <payload_expr_ops>, op = OP_INVALID, {{scope = 0x0, identifier
0x42fcf0 <proto_unknown_template> "\332\374B", symtype =
SYMBOL_SET}, {
      verdict = 0, chain = 0x42fcf0 <proto_unknown_template>
"\332\374B"},
{value = {{_mp_alloc = 0, _mp_size = 0, _mp_d = 0x42fcf0
<proto_unknown_template>}}}, {prefix = 0x0, prefix_len = 4390128},
{expressions
= {next = 0x0, 
        prev = 0x42fcf0 <proto_unknown_template>}, size = 2, set_flags =
16},
{set = 0x0}, {arg = 0x0}, {left = 0x0, right = 0x42fcf0
<proto_unknown_template>}, {map = 0x0, mappings = 0x42fcf0
<proto_unknown_template>}, payload = {
      desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base
PROTO_BASE_NETWORK_HDR, offset = 16}, exthdr = {desc = 0x0, tmpl = 0x42fcf0
<proto_unknown_template>}, meta = {key = NFT_META_LEN, base
PROTO_BASE_INVALID}, ct = {
      key = NFT_CT_STATE}}}
(gdb) p *ctx
$3 = {msgs = 0x7fffffffde40, cmd = 0x64c8d0, table = 0x0, set = 0x0, stmt
0x64c760, ectx = {dtype = 0x0, len = 0}, pctx = {family = 2, protocol {{location
= {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line 0,
              last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}},
desc = 0x0}, {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0,
first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {
              nle = 0x0}}}, desc = 0x0}, {location = {indesc = 0x0,
{{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0
<proto_ip>},
{location = {
          indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0,
last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc 0x0}}}}
(gdb) p base
$4 = PROTO_BASE_NETWORK_HDR
(gdb) p ctx->msgs
$5 = (struct list_head *) 0x7fffffffde40
(gdb) p ctx->pctx.protocol
$6 = {{location = {indesc = 0x0, {{token_offset = 0, line_offset = 0,
first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle 0x0}}},
desc = 0x0}, {location = {indesc = 0x0, {{token_offset = 0, line_offset
= 0, 
          first_line = 0, last_line = 0, first_column = 0, last_column = 0},
{nle = 0x0}}}, desc = 0x0}, {location = {indesc = 0x0, {{token_offset = 0,
line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column
0}, {
          nle = 0x0}}}, desc = 0x4321a0 <proto_ip>}, {location = {indesc =
0x0,
{{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}}
(gdb) p (int)base
$7 = 2
(gdb) p ctx->pctx.protocol[0]
$8 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line
= 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc 0x0}
(gdb) p ctx->pctx.protocol[1]
$9 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line
= 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc 0x0}
(gdb) p ctx->pctx.protocol[2]
$10 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0,
first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle 0x0}}},
desc = 0x4321a0 <proto_ip>}
(gdb) p ctx->pctx.protocol[2].desc
$11 = (const struct proto_desc *) 0x4321a0 <proto_ip>
(gdb) p *(ctx->pctx.protocol[2].desc)
$12 = {name = 0x432150 "ip", base = PROTO_BASE_NETWORK_HDR,
protocol_key = 8,
protocols = {{num = 1, desc = 0x430c80 <proto_icmp>}, {num = 50, desc
0x430440 <proto_esp>}, {num = 51, desc = 0x430140 <proto_ah>}, {num
= 108,
      desc = 0x430740 <proto_comp>}, {num = 17, desc = 0x430fa0
<proto_udp>},
{num = 136, desc = 0x4312a0 <proto_udplite>}, {num = 6, desc = 0x4316e0
<proto_tcp>}, {num = 33, desc = 0x431b60 <proto_dccp>}, {num = 132, 
      desc = 0x431e60 <proto_sctp>}, {num = 0, desc = 0x0}, {num = 0, desc
0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num
= 0, desc = 0x0}, {num = 0, desc = 0x0}}, templates = {{token = 0x0, 
      dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN}, {token
0x432153 "version", dtype = 0x42df60 <integer_type>, offset = 0,
len = 4,
meta_key = NFT_META_LEN}, {token = 0x430112 "hdrlength", 
      dtype = 0x42df60 <integer_type>, offset = 4, len = 4, meta_key
NFT_META_LEN}, {token = 0x43215b "tos", dtype = 0x42df60
<integer_type>, offset
= 8, len = 8, meta_key = NFT_META_LEN}, {token = 0x430f80 "length", 
      dtype = 0x42df60 <integer_type>, offset = 16, len = 16, meta_key
NFT_META_LEN}, {token = 0x430c60 "id", dtype = 0x42df60
<integer_type>, offset
= 32, len = 16, meta_key = NFT_META_LEN}, {token = 0x43215f
"frag-off",
      dtype = 0x42df60 <integer_type>, offset = 48, len = 16, meta_key
NFT_META_LEN}, {token = 0x432168 "ttl", dtype = 0x42df60
<integer_type>, offset
= 64, len = 8, meta_key = NFT_META_LEN}, {token = 0x43216c "protocol",
      dtype = 0x42e220 <inet_protocol_type>, offset = 72, len = 8,
meta_key NFT_META_LEN}, {token = 0x430c57 "checksum", dtype = 0x42df60
<integer_type>,
offset = 80, len = 16, meta_key = NFT_META_LEN}, {token = 0x432175
"saddr",
      dtype = 0x42e100 <ipaddr_type>, offset = 96, len = 32, meta_key
NFT_META_LEN}, {token = 0x43217b "daddr", dtype = 0x42e100
<ipaddr_type>,
offset = 128, len = 32, meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0,
offset = 0, 
      len = 0, meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0,
len = 0, meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len 0,
meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len = 0,
      meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len = 0,
meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len = 0,
meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len = 0, 
      meta_key = NFT_META_LEN}, {token = 0x0, dtype = 0x0, offset = 0, len = 0,
meta_key = NFT_META_LEN}}}
(gdb) p payload->payload
$13 = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base
PROTO_BASE_NETWORK_HDR, offset = 16}
(gdb) p payload->payload.desc
$14 = (const struct proto_desc *) 0x0

        } else if (ctx->pctx.protocol[base].desc != payload->payload.desc)
                return expr_error(ctx->msgs, payload,
                                  "conflicting protocols specified: %s vs.
%s",
                                  ctx->pctx.protocol[base].desc->name,
                                  payload->payload.desc->name);

Looks like payload->payload.desc can be NULL here hence the segfault.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

bugzilla-daemon at netfilter.org

2014-Aug-20 13:34 UTC

head link

[Bug 915] segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null

https://bugzilla.netfilter.org/show_bug.cgi?id=915

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2014-08-20
15:34:44 CEST ---
http://git.netfilter.org/nftables/commit/?id=6f285f202d6c41db1d9071c0964b5d062a522b4e

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

Possibly Parallel Threads

Search for more maybe matching threads

netfilter buglog - Apr 2014 - [Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null

[Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null

[Bug 915] segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null

Possibly Parallel Threads