bugzilla-daemon at netfilter.org
2017-May-29 16:14 UTC
[Bug 1152] New: iptables-xml crashed on -D rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Bug ID: 1152
Summary: iptables-xml crashed on -D rules
Product: iptables
Version: 1.4.x
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: ivan.agarkov at gmail.com
[root at server ~]# cat /etc/iptables.post
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5103:1388026]
-D INPUT -p tcp --dport 2200 -j ACCEPT
[root at server ~]# gdb /usr/bin/iptables-xml
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/xtables-multi...Reading symbols from
/usr/lib/debug/usr/sbin/xtables-multi.debug...done.
done.
(gdb) run < /etc/iptables.post
Starting program: /usr/bin/iptables-xml < /etc/iptables.post
<iptables-rules version="1.0">
<!-- # Managed by puppet -->
<table name="filter" >
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:165
165 movdqu (%rsi), %xmm2
(gdb) bt
#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:165
#1 0x00000000004041f8 in needChain (chain=0x0) at iptables-xml.c:276
#2 iptables_xml_main (argc=<optimized out>, argv=<optimized out>) at iptables-xml.c:848
#3 0x00007ffff711eb35 in __libc_start_main (main=0x403200 <main>, argc=1,
   ubp_av=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>,
   rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at ../csu/libc-start.c:274
#4 0x0000000000403233 in _start ()
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-May-29 16:15 UTC
[Bug 1152] iptables-xml crashed on -D rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Ivan Agarkov <ivan.agarkov at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS|All |RedHat Linux
Hardware|All |x86_64
bugzilla-daemon at netfilter.org
2017-May-29 16:15 UTC
[Bug 1152] iptables-xml crashes on -D rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Ivan Agarkov <ivan.agarkov at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|iptables-xml crashed on -D |iptables-xml crashes on -D
|rules |rules
bugzilla-daemon at netfilter.org
2017-Jun-01 15:28 UTC
[Bug 1152] iptables-xml crashes on -D rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Oliver Ford <ojford at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ojford at gmail.com
Assignee|netfilter-buglog at lists.netf |ojford at gmail.com
|ilter.org |
Status|NEW |ASSIGNED
bugzilla-daemon at netfilter.org
2017-Jun-02 10:44 UTC
[Bug 1152] iptables-xml crashes on -D rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
--- Comment #1 from Oliver Ford <ojford at gmail.com> ---
This particular issue was fixed by commit
f53b78e423d82b0c71c076480f52edeb5eaec5f8 and included in the 1.6.0 release.
However, there are other ways to cause a segfault. Including a jump without a
target segfaults, e.g.:

*filter
-A INPUT -p tcp --dport 2200 -j

I will add a check for this malformed jump and look for any other ways to cause
a crash.
bugzilla-daemon at netfilter.org
2017-Jun-02 10:45 UTC
[Bug 1152] iptables-xml crashes on malformed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Oliver Ford <ojford at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|iptables-xml crashes on -D |iptables-xml crashes on
|rules |malformed input
bugzilla-daemon at netfilter.org
2017-Jun-02 11:05 UTC
[Bug 1152] iptables-xml crashes on malformed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--- Comment #2 from Florian Westphal <fw at strlen.de> ---
What would be great would be to hook up all netfilter projects
(iptables, nftables, libnftnl, libmnl, etc etc) with oss-fuzz project.
It would require some effort though to provide fuzz targets in all our
projects:
https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md
bugzilla-daemon at netfilter.org
2017-Jun-02 15:35 UTC
[Bug 1152] iptables-xml crashes on malformed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
--- Comment #3 from Oliver Ford <ojford at gmail.com> ---
I've sent a patch for the jump without target segfault. I'll look into adding
iptables to oss-fuzz as a starting point.
bugzilla-daemon at netfilter.org
2017-Jun-20 09:38 UTC
[Bug 1152] iptables-xml crashes on malformed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1152
Oliver Ford <ojford at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Oliver Ford <ojford at gmail.com> ---
The two segfaults already mentioned have been fixed, and I can't find any more
in iptables-xml. So I'll resolve this bug and we can track fuzz testing
separately.
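The two crashing inputs quoted in this thread (a `-D` rule line, and a `-j` with no target) can be rejected by a NULL-safe line check before any field is compared. This is an added example, not code from iptables-xml or from anyone in the thread; `check_line`, `next_token` and the `line_status` names are hypothetical, and the sample lines are the ones from the report.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OTHER, RULE_OK, RULE_NOT_APPEND, RULE_NO_CHAIN,
                   RULE_JUMP_NO_TARGET, LINE_TOO_LONG };

/* Return the next whitespace-delimited token, or NULL at end of line. */
static char *next_token(char **p)
{
    char *s = *p + strspn(*p, " \t\r\n");
    char *end = s + strcspn(s, " \t\r\n");
    if (*s == '\0')
        return NULL;
    if (*end != '\0')
        *end++ = '\0';
    *p = end;
    return s;
}

/* Classify one line of iptables-save style input (hypothetical helper).
 * Every token is NULL-checked before strcmp(); the report's backtrace
 * shows strcmp() reached via needChain(chain=0x0). */
enum line_status check_line(const char *line)
{
    char buf[1024], *p = buf, *tok;
    if (strlen(line) >= sizeof(buf))
        return LINE_TOO_LONG;
    strcpy(buf, line);
    tok = next_token(&p);
    if (tok == NULL || tok[0] != '-')
        return LINE_OTHER;              /* "*filter", ":INPUT ...", comments */
    if (strcmp(tok, "-A") != 0)
        return RULE_NOT_APPEND;         /* e.g. the report's "-D INPUT ..." */
    if (next_token(&p) == NULL)
        return RULE_NO_CHAIN;           /* "-A" with no chain name */
    while ((tok = next_token(&p)) != NULL) {
        int jump = !strcmp(tok, "-j") || !strcmp(tok, "--jump");
        if (jump && ((tok = next_token(&p)) == NULL || tok[0] == '-'))
            return RULE_JUMP_NO_TARGET; /* "... -j" with nothing after it */
    }
    return RULE_OK;
}

int main(void)
{
    const char *in[] = { /* sample: the two rule lines quoted in the report */
        "-D INPUT -p tcp --dport 2200 -j ACCEPT", "-A INPUT -p tcp --dport 2200 -j" };
    for (int i = 0; i < 2; i++)
        printf("%d  %s\n", check_line(in[i]), in[i]);
}
```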