bugzilla-daemon at netfilter.org
2023-Oct-08 01:37 UTC
[Bug 1713] New: iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

            Bug ID: 1713
           Summary: iptables-restore cmd crash
           Product: iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: iptables-restore
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: xwlpt at 126.com

Recently I met an issue with the iptables-restore command. When I run the command:

    iptables-restore -T filter --noflush < replace

It shows the Segmentation fault error. Then I did a further check. Here are my findings.

The backtrace:

    Reading symbols from /home/centos/bin/iptbales/sbin/iptables-restore...
    [New LWP 3272596]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Core was generated by `/home/centos/bin/iptbales/sbin/iptables-restore -T filter --noflush'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:139
    139     ../sysdeps/x86_64/multiarch/strcmp-evex.S: No such file or directory.
    (gdb) bt
    #0  __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:139
    #1  0x00007f2c961c4810 in __iptcc_bsearch_chain_index (name=name@entry=0x55b9b4177490 "SNTL_F_set_d2ebb6067e1f5247", offset=offset@entry=0, idx=idx@entry=0x7ffc5ed6e654, handle=handle@entry=0x55b9b37ad2b0, type=type@entry=BSEARCH_NAME) at /root/iptables-1.8.9/libiptc/libiptc.c:402
    #2  0x00007f2c961c4c2c in iptcc_bsearch_chain_index (handle=0x55b9b37ad2b0, idx=0x7ffc5ed6e654, name=0x55b9b4177490 "SNTL_F_set_d2ebb6067e1f5247") at /root/iptables-1.8.9/libiptc/libiptc.c:425
    #3  iptcc_find_label (name=name@entry=0x55b9b4177490 "SNTL_F_set_d2ebb6067e1f5247", handle=handle@entry=0x55b9b37ad2b0) at /root/iptables-1.8.9/libiptc/libiptc.c:734
    #4  0x00007f2c961c67d0 in iptc_rename_chain (oldname=oldname@entry=0x55b9b4177460 "STMP_F_set_d2ebb6067e1f5247", newname=newname@entry=0x55b9b4177490 "SNTL_F_set_d2ebb6067e1f5247", handle=0x55b9b37ad2b0) at /root/iptables-1.8.9/libiptc/libiptc.c:2373
    #5  0x000055b9b2db67a5 in do_command4 (argc=<optimized out>, argv=argv@entry=0x7ffc5ed6ea58, table=table@entry=0x7ffc5ed6ea68, handle=handle@entry=0x7ffc5ed6ea28, restore=restore@entry=true) at iptables.c:861
    #6  0x000055b9b2db3f30 in ip46tables_restore_main (cb=0x55b9b2dbca00 <ipt_restore_cb>, argc=argc@entry=4, argv=argv@entry=0x7ffc5ed71ff8, cb=0x55b9b2dbca00 <ipt_restore_cb>) at iptables-restore.c:338
    #7  0x000055b9b2db4744 in iptables_restore_main (argc=4, argv=0x7ffc5ed71ff8) at iptables-restore.c:388
    #8  0x00007f2c95fbbd90 in __libc_start_call_main (main=main@entry=0x55b9b2daddc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7ffc5ed71ff8) at ../sysdeps/nptl/libc_start_call_main.h:58
    #9  0x00007f2c95fbbe40 in __libc_start_main_impl (main=0x55b9b2daddc0 <main>, argc=4, argv=0x7ffc5ed71ff8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc5ed71fe8) at ../csu/libc-start.c:392
    #10 0x000055b9b2daddf5 in _start ()

This is the line where the code crashed:
https://git.netfilter.org/iptables/tree/libiptc/libiptc.c#n402

Looks like pos+1 is out of the bounds of the array handle->chain_index.

After I enabled the debug logs of iptables, we can see the context:
https://git.netfilter.org/iptables/tree/libiptc/libiptc.c#n341

    bsearch Find chain:SNTL_F_set_cf70fcb2da2c9d75 (pos:2 end:5) (offset:0)
    bsearch Index[2] name:SNTL_F_set_847f79f7c669e9bb res:43
    jump forward to pos:3 (end:5)
    bsearch Index[3] name:SNTL_F_set_c8da4e747a025ea3 res:46

We can see that when pos=3, pos+1 will be outside the boundary of the array handle->chain_index, but the array size is supposed to be handle->chain_index_sz 5.

So there should be code bugs in the iptables-restore command.

After checking more, I'd think it is triggered by the following code path:

    TC_RENAME_CHAIN->iptcc_chain_index_delete_chain->iptcc_chain_index_rebuild

In this function, there is a chain deleted (https://git.netfilter.org/iptables/tree/libiptc/libiptc.c#n605), which makes num_chain decrease from 161 to 160 (in the test, we are restoring 161 chains). Then it will generate the array handle->chain_index with only 4 elements (160/40), but keep handle->chain_index_sz = 5.
https://git.netfilter.org/iptables/tree/libiptc/libiptc.c#n544
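The mismatch described in the report above (an index rebuilt with 4 elements while the recorded size stays 5), as an added example that is not code from this thread or from libiptc: a simplified bucket index in C whose lookup refuses to search when the recorded size exceeds what was allocated. The names `struct chain_index`, `index_rebuild`, `index_find_bucket` and `demo`, and the generated chain names, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKET_LEN 40 /* chains per index bucket: the divisor in the report's 160/40 */
struct chain_index {
    const char **first; /* first[i]: name of the first chain in bucket i */
    size_t allocated;   /* elements actually allocated by the last rebuild */
    size_t recorded_sz; /* size the lookup trusts (chain_index_sz in the report) */
};

static size_t buckets_needed(size_t num_chains) {
    return num_chains / BUCKET_LEN + (num_chains % BUCKET_LEN ? 1 : 0);
}

/* Rebuild over a sorted name list. keep_stale_size=1 models the reported state:
 * the array shrinks but the recorded size is left at its old value. */
static int index_rebuild(struct chain_index *ix, const char **names,
                         size_t num_chains, int keep_stale_size) {
    size_t n = buckets_needed(num_chains);
    free(ix->first);
    ix->first = calloc(n ? n : 1, sizeof(*ix->first));
    if (!ix->first) { ix->allocated = ix->recorded_sz = 0; return -1; }
    ix->allocated = n;
    if (!keep_stale_size) ix->recorded_sz = n;
    for (size_t i = 0; i < n; i++) ix->first[i] = names[i * BUCKET_LEN];
    return 0;
}

/* Find the bucket that may hold `name`; refuse to search an inconsistent index. */
static int index_find_bucket(const struct chain_index *ix, const char *name, size_t *out) {
    if (ix->recorded_sz == 0 || ix->recorded_sz > ix->allocated) return -1;
    size_t lo = 0, hi = ix->recorded_sz; /* answer lies in [lo, hi) */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (strcmp(ix->first[mid], name) <= 0) lo = mid; else hi = mid;
    }
    *out = lo;
    return 0;
}

/* Constructed input: 161 sorted names, then a rebuild after one chain is gone. */
static int demo(int keep_stale_size) {
    static char buf[161][8];
    const char *names[161];
    struct chain_index ix = {0}; size_t bucket = 0;
    for (int i = 0; i < 161; i++) { snprintf(buf[i], sizeof buf[i], "c%03d", i); names[i] = buf[i]; }
    if (index_rebuild(&ix, names, 161, 0) || index_rebuild(&ix, names, 160, keep_stale_size)) return -2;
    int rc = index_find_bucket(&ix, "c125", &bucket);
    free(ix.first);
    return rc ? -1 : (int)bucket;
}

int main(void) { printf("stale size: %d, updated size: %d\n", demo(1), demo(0)); return 0; }
```
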
bugzilla-daemon at netfilter.org
2023-Oct-10 13:59 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
What iptables version are you seeing this with? There is a fix to the iptcc_chain_index_delete_chain() function in v1.8.9 which seems relevant.
bugzilla-daemon at netfilter.org
2023-Oct-11 02:02 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

--- Comment #2 from xwlpt at 126.com ---
@Phil Sutter

Thanks for the reply. I am using 1.8.9, which already had the fix
https://git.netfilter.org/iptables/commit/?h=v1.8.9&id=97bf4e68fc0794adba3243fd96f40f4568e7216f
But it is still having issues.
bugzilla-daemon at netfilter.org
2023-Oct-11 11:28 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
Do you have a reproducer at hand?
bugzilla-daemon at netfilter.org
2023-Oct-12 07:57 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

--- Comment #4 from xwlpt at 126.com ---
Created attachment 723
  --> https://bugzilla.netfilter.org/attachment.cgi?id=723&action=edit
Chains that need to be restored
bugzilla-daemon at netfilter.org
2023-Oct-12 07:58 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

--- Comment #5 from xwlpt at 126.com ---
Created attachment 724
  --> https://bugzilla.netfilter.org/attachment.cgi?id=724&action=edit
Chain rename

Chains need to be renamed
bugzilla-daemon at netfilter.org
2023-Oct-12 08:02 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

--- Comment #6 from xwlpt at 126.com ---
(In reply to Phil Sutter from comment #3)
> Do you have a reproducer at hand?

I uploaded two attachments.

For how to reproduce this:

1. Use the iptables-restore command to restore the contents in `Chains that need to be restored`

iptables-restore -T filter --noflush < `Chains that need to be restored`
> iptables -L|grep -i chain|grep -i references

iptables -L|grep -i chain|grep -i references |wc -l
> 161

2. Use the iptables-restore command to restore the contents in `Chain rename`

iptables-restore -T filter --noflush < `Chain rename`
> Segmentation fault

I'd hope this can reproduce the issue
bugzilla-daemon at netfilter.org
2023-Oct-12 18:19 UTC
[Bug 1713] iptables-restore cmd crash
https://bugzilla.netfilter.org/show_bug.cgi?id=1713

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Phil Sutter <phil at nwl.cc> ---
(In reply to xwlpt from comment #6)
> I'd hope this can reproduce the issue

It did indeed, thanks a lot! I just pushed a fix upstream:

e2d7ee9c49b58 ("libiptc: Fix for another segfault due to chain index NULL pointer")

If possible, please test current HEAD. Feel free to reopen in case it still happens for you.