bugzilla-daemon at netfilter.org
2020-May-27 15:59 UTC
[Bug 1432] New: ebtables ebtables-2.0.11 buffer overflow on getting kernel data ( ebtables compiled with address sanitizer)
https://bugzilla.netfilter.org/show_bug.cgi?id=1432

            Bug ID: 1432
           Summary: ebtables ebtables-2.0.11 buffer overflow on getting kernel data ( ebtables compiled with address sanitizer)
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: bridging
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: scourge86 at mail.ru

root at ebtablesfuzz:~/SOURCE/ebtables-2.0.11# ./ebtables-legacy --list
=================================================================
==18489==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0c4ecc48 at pc 0x7f89fdb7aa0b bp 0x7fff0c4eca70 sp 0x7fff0c4ec220
WRITE of size 264 at 0x7fff0c4ecc48 thread T0
    #0 0x7f89fdb7aa0a  (/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
    #1 0x7f89fda8220e in retrieve_from_kernel /root/SOURCE/ebtables-2.0.11/communication.c:702
    #2 0x7f89fda8220e in ebt_get_table /root/SOURCE/ebtables-2.0.11/communication.c:723
    #3 0x7f89fdaa2b3e in ebt_get_kernel_table /root/SOURCE/ebtables-2.0.11/libebtc.c:182
    #4 0x7f89fda8da61 in do_command /root/SOURCE/ebtables-2.0.11/ebtables.c:719
    #5 0x55aa44bc6423 in main /root/SOURCE/ebtables-2.0.11/ebtables-standalone.c:15
    #6 0x7f89fd8c509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x55aa44bc65b9 in _start (/root/SOURCE/ebtables-2.0.11/.libs/ebtables-legacy+0x15b9)

Address 0x7fff0c4ecc48 is located in stack of thread T0 at offset 216 in frame
    #0 0x7f89fda8170f in ebt_get_table /root/SOURCE/ebtables-2.0.11/communication.c:709

  This frame has 2 object(s):
    [32, 36) 'optlen'
    [96, 216) 'repl' <== Memory access at offset 216 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
Shadow bytes around the buggy address:
  0x100061895930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100061895940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100061895950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100061895960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x100061895970: f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
=>0x100061895980: 00 00 00 00 00 00 00 00 00[f2]f3 f3 f3 f3 00 00
  0x100061895990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000618959a0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
  0x1000618959b0: f2 f2 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
  0x1000618959c0: f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00
  0x1000618959d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18489==ABORTING

-- 
You are receiving this mail because:
You are watching all bug changes.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200527/84d6c057/attachment.html>
bugzilla-daemon at netfilter.org
2020-May-27 15:59 UTC
[Bug 1432] ebtables ebtables-2.0.11 buffer overflow on getting kernel data ( ebtables compiled with address sanitizer)
https://bugzilla.netfilter.org/show_bug.cgi?id=1432

Sergey Trufanov <scourge86 at mail.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |scourge86 at mail.ru