https://bugzilla.netfilter.org/show_bug.cgi?id=1351

Bug ID: 1351
Summary: Segfault in v0.9.1
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: 4bzilla at mailbox.org

OS: Arch Linux

After updating to v0.9.1 I am getting a segfault when loading my rules using nft -f $rule_file.
This also happens when I build from the current master branch.
Can't post my rules because they are made of multiple include files and I currently don't have the time to strip them down to a minimum.
But I think the following trace might help:

(gdb) bt
#0  0x00007ffff7d78162 in __strcmp_avx2 () from /usr/lib/libc.so.6
#1  0x00007ffff7ef95df in chain_lookup_fuzzy (h=0x555555593090, cache=0x55555555baa0, t=0x7fffffffe718) at rule.c:858
#2  0x00007ffff7f06cc5 in chain_not_found (ctx=0x7fffffffe970) at evaluate.c:189
#3  0x00007ffff7f0f4c9 in rule_cache_update (ctx=0x7fffffffe970, op=CMD_INVALID) at evaluate.c:3238
#4  0x00007ffff7f0f8d3 in rule_evaluate (ctx=0x7fffffffe970, rule=0x555555568f60, op=CMD_INVALID) at evaluate.c:3324
#5  0x00007ffff7f0fc73 in chain_evaluate (ctx=0x7fffffffe970, chain=0x555555568c80) at evaluate.c:3405
#6  0x00007ffff7f0fff0 in table_evaluate (ctx=0x7fffffffe970, table=0x555555568a70) at evaluate.c:3464
#7  0x00007ffff7f10255 in cmd_evaluate_add (ctx=0x7fffffffe970, cmd=0x555555593050) at evaluate.c:3496
#8  0x00007ffff7f1140d in cmd_evaluate (ctx=0x7fffffffe970, cmd=0x555555593050) at evaluate.c:3957
#9  0x00007ffff7f335a2 in nft_evaluate (nft=0x55555555ba20, msgs=0x7fffffffeb00, cmds=0x7fffffffeb10) at libnftables.c:396
#10 0x00007ffff7f339d8 in nft_run_cmd_from_filename (nft=0x55555555ba20, filename=0x7fffffffeea2 "/etc/nftables/nftables.conf") at libnftables.c:479
#11 0x00005555555567a2 in main (argc=3, argv=0x7fffffffec78) at main.c:310

(gdb) info r rdi
rdi            0x555555562f40      93824992292672
(gdb) info r rsi
rsi            0x0                 0

Please note that rsi (the second argument to strcmp) is NULL.

Build with the default configuration Arch Linux is using + C/CPP-FLAGS:

CFLAGS="-g -O0" CPPFLAGS="-g -O0" ./configure \
    --prefix=/usr \
    --sbindir=/usr/bin \
    --sysconfdir=/usr/share \
    --with-json \
    --with-python-bin=''

Thanks.
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de
           Assignee|pablo at netfilter.org      |fw at strlen.de
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

--- Comment #1 from Florian Westphal <fw at strlen.de> ---

(In reply to 4bzilla from comment #0)
> OS: Arch Linux
>
> After updating to v0.9.1 I am getting a segfault when loading my rules using
> nft -f $rule_file.
> This also happens when I build from the current master branch.
> Can't post my rules because they are made of multiple include files and I
> currently don't have the time to strip them down to a minimum.
> But I think the following trace might help:
>
> (gdb) bt
> #0  0x00007ffff7d78162 in __strcmp_avx2 () from /usr/lib/libc.so.6
> #1  0x00007ffff7ef95df in chain_lookup_fuzzy (h=0x555555593090,
> cache=0x55555555baa0, t=0x7fffffffe718) at rule.c:858
> #2  0x00007ffff7f06cc5 in chain_not_found (ctx=0x7fffffffe970) at
> evaluate.c:189
> #3  0x00007ffff7f0f4c9 in rule_cache_update (ctx=0x7fffffffe970,
> op=CMD_INVALID) at evaluate.c:3238
> #4  0x00007ffff7f0f8d3 in rule_evaluate (ctx=0x7fffffffe970,
> rule=0x555555568f60, op=CMD_INVALID) at evaluate.c:3324
> #5  0x00007ffff7f0fc73 in chain_evaluate (ctx=0x7fffffffe970,
> chain=0x555555568c80) at evaluate.c:3405
> #6  0x00007ffff7f0fff0 in table_evaluate (ctx=0x7fffffffe970,
> table=0x555555568a70) at evaluate.c:3464
> #7  0x00007ffff7f10255 in cmd_evaluate_add (ctx=0x7fffffffe970,
> cmd=0x555555593050) at evaluate.c:3496
> #8  0x00007ffff7f1140d in cmd_evaluate (ctx=0x7fffffffe970,
> cmd=0x555555593050) at evaluate.c:3957
> #9  0x00007ffff7f335a2 in nft_evaluate (nft=0x55555555ba20,
> msgs=0x7fffffffeb00, cmds=0x7fffffffeb10) at libnftables.c:396
> #10 0x00007ffff7f339d8 in nft_run_cmd_from_filename (nft=0x55555555ba20,
> filename=0x7fffffffeea2 "/etc/nftables/nftables.conf") at libnftables.c:479
> #11 0x00005555555567a2 in main (argc=3, argv=0x7fffffffec78) at main.c:310
>
> (gdb) info r rdi
> rdi            0x555555562f40      93824992292672
> (gdb) info r rsi
> rsi            0x0                 0
>
> Please note that rsi (the second argument to strcmp) is NULL.

In this case this patch should prevent a crash, but I sure would like to understand why chain.name is NULL in the first place, or what the ruleset that triggers this looks like.

All nft shell test cases pass at this time.

Can you run with this patch? Does that give any clue where the problem/the problematic rule (combination) is?

diff --git a/src/rule.c b/src/rule.c
--- a/src/rule.c
+++ b/src/rule.c
@@ -851,6 +851,9 @@ struct chain *chain_lookup_fuzzy(const struct handle *h,
 	struct table *table;
 	struct chain *chain;
 
+	if (!h->chain.name)
+		return NULL;
+
 	string_misspell_init(&st);
 
 	list_for_each_entry(table, &cache->list, list) {
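Review bot: the guard `if (!h->chain.name) return NULL;` at the top of chain_lookup_fuzzy() stops the strcmp on a NULL name but hides the real defect rather than reporting it: the call site in the reported trace is chain_not_found(), which is already building an error record, and a silent NULL return here only lets it report "chain not found" for a handle that never carried a chain name. Since the same comment says the open question is why chain.name is NULL in the first place, the guard should be paired with a diagnostic at that point (an assertion in the debug build, or an erec emitted by the caller when the handle has no chain name) so the root cause surfaces instead of being converted into a misleading lookup failure.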
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

--- Comment #2 from 4bzilla at mailbox.org ---

I should have some spare time this weekend to dig into this. Will report back.
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

--- Comment #3 from 4bzilla at mailbox.org ---

Hi, had no time for debugging yet but you should be able to reproduce using the following:

Release: 0.9.1
Build with: CFLAGS="-g -O0" CPPFLAGS="-g -O0" ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/usr/share --with-json --with-python-bin=''

#############
nftables.conf:
#############
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
}
table inet filter {
	chain test {
		counter
	}
}
#############
# EOF
#############

stack trace:
(gdb) bt
#0  0x00007ffff7f56ac9 in erec_print (octx=0x55555555ba40, erec=0x55555555c740, debug_mask=0) at erec.c:95
#1  0x00007ffff7f57215 in erec_print_list (octx=0x55555555ba40, list=0x7fffffffe2e0, debug_mask=0) at erec.c:190
#2  0x00007ffff7f5ea39 in nft_run_cmd_from_filename (nft=0x55555555ba20, filename=0x7fffffffe810 "nftables.conf") at libnftables.c:491
#3  0x00005555555567a2 in main (argc=3, argv=0x7fffffffe458) at main.c:310

Please let me know if you could reproduce. If not I will try to dig into this further.
Thanks
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

--- Comment #4 from Florian Westphal <fw at strlen.de> ---

(In reply to 4bzilla from comment #3)
> Hi, had no time for debugging yet but you should be able to reproduce using
> the following:
>
> Release: 0.9.1
> Build with: CFLAGS="-g -O0" CPPFLAGS="-g -O0" ./configure --prefix=/usr
> --sbindir=/usr/bin --sysconfdir=/usr/share --with-json --with-python-bin=''
>
> #############
> nftables.conf:
> #############
> #!/usr/sbin/nft -f
> flush ruleset
>
> table inet filter {
> }
> table inet filter {
> 	chain test {
> 		counter
> 	}
> }
> #############
> # EOF
> #############
>
> stack trace:
> (gdb) bt
> #0  0x00007ffff7f56ac9 in erec_print (octx=0x55555555ba40,
> erec=0x55555555c740, debug_mask=0) at erec.c:95
> #1  0x00007ffff7f57215 in erec_print_list (octx=0x55555555ba40,
> list=0x7fffffffe2e0, debug_mask=0) at erec.c:190
> #2  0x00007ffff7f5ea39 in nft_run_cmd_from_filename (nft=0x55555555ba20,
> filename=0x7fffffffe810 "nftables.conf") at libnftables.c:491
> #3  0x00005555555567a2 in main (argc=3, argv=0x7fffffffe458) at main.c:310
>
> Please let me know if you could reproduce. If not I will try to dig into
> this further.
> Thanks

Reproducible, thanks.

This is caused by commit e5382c0d08e3c6d8246afa95b7380f0d6b8c1826
src: Support intra-transaction rule references

> table inet filter {
> }
> table inet filter {
> 	chain test {
> 		counter
> 	}
> }

Before this commit, the above results in an add table, and another 'add table' in the same transaction (which is harmless).

After this change, we attempt to look up chain 'test' in table 'inet filter', but the lookup fails because table evaluation places the first definition into the cache, not the second.

The crash is a follow-up error during error record creation (we call chain_not_found(), and the location doesn't even exist). Changing it to be the table correctly lists the location of the first table definition, which is a bit confusing.

Not sure yet how to fix this; attempting to merge identical table definitions seems error prone.
(The crash is easily fixable, but then nft -f returns a 'chain not found' error.)
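The trigger identified in comment #4 is a ruleset that declares the same table twice at the top level, which is easy to do by accident when a ruleset is assembled from several include files, as the reporter's was. The following is an added example, not code from this bug report or from the nftables project: a text-level pre-flight check that expands `include "file"` directives, tracks brace depth so only top-level `table family name {` lines count, and reports every table declared more than once with file and line numbers. Because it never hands the file to nft, it works regardless of the nft version. The include resolution is a constructed, simplified one (nft's include also accepts directories and globs, which are not handled), the `read` callback and `SAMPLE_FILES` are constructed for this example, and quoted strings containing braces are not special-cased.

```python
"""Pre-flight check for an nft ruleset: report tables declared more than once."""
import re
from typing import Callable, Dict, List, Tuple

# `table inet filter {`; the family and name are captured.
TABLE_RE = re.compile(r'^\s*table\s+(\w+)\s+(\w+)\s*\{')
# `include "path"`; only the quoted single-file form is handled here.
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')

Line = Tuple[str, int, str]  # (file, line number, text)


def flatten(path: str, read: Callable[[str], str]) -> List[Line]:
    """Return the ruleset as (file, lineno, text) triples with includes expanded.

    `read` maps a path to its contents so the check can run on constructed
    input; pass `read_disk` below for real files. A file that includes itself,
    directly or indirectly, raises instead of recursing forever.
    """
    out: List[Line] = []
    active: List[str] = []

    def walk(p: str) -> None:
        if p in active:
            raise ValueError("include loop: " + " -> ".join(active + [p]))
        active.append(p)
        for n, text in enumerate(read(p).splitlines(), start=1):
            m = INCLUDE_RE.match(text)
            if m:
                walk(m.group(1))
            else:
                out.append((p, n, text))
        active.pop()

    walk(path)
    return out


def find_duplicate_tables(lines: List[Line]) -> Dict[Tuple[str, str], List[Tuple[str, int]]]:
    """Map (family, name) -> [(file, lineno), ...] for tables declared twice or more.

    Brace depth is tracked so that only top-level `table` lines count; chains,
    sets and maps live at depth >= 1. `#` comments are stripped first.
    """
    decls: Dict[Tuple[str, str], List[Tuple[str, int]]] = {}
    depth = 0
    for path, n, text in lines:
        code = text.split('#', 1)[0]
        if depth == 0:
            m = TABLE_RE.match(code)
            if m:
                decls.setdefault((m.group(1), m.group(2)), []).append((path, n))
        depth += code.count('{') - code.count('}')
    return {key: locs for key, locs in decls.items() if len(locs) > 1}


def report(path: str, read: Callable[[str], str]) -> Dict[str, List[str]]:
    """Human-readable form, e.g. {"inet filter": ["nftables.conf:4", "filter.conf:1"]}."""
    dups = find_duplicate_tables(flatten(path, read))
    return {f"{fam} {name}": [f"{f}:{n}" for f, n in locs]
            for (fam, name), locs in sorted(dups.items())}


def read_disk(p: str) -> str:
    """Reader for real files; paths are used as written (no include search path)."""
    with open(p, encoding="utf-8") as fh:
        return fh.read()


# Constructed sample: the two-declaration ruleset from comment #3, split across
# an include file the way a multi-file setup would be.
SAMPLE_FILES = {
    "nftables.conf": (
        "#!/usr/sbin/nft -f\n"
        "flush ruleset\n"
        "\n"
        "table inet filter {\n"
        "}\n"
        'include "filter.conf"\n'
    ),
    "filter.conf": (
        "table inet filter {\n"
        "\tchain test {\n"
        "\t\tcounter\n"
        "\t}\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        src, read = sys.argv[1], read_disk      # e.g. python3 check_tables.py /etc/nftables.conf
    else:
        src, read = "nftables.conf", SAMPLE_FILES.__getitem__
    for table, where in report(src, read).items():
        print(f"table '{table}' declared {len(where)} times: {', '.join(where)}")
```

Run against the sample it reports `inet filter` at nftables.conf:4 and filter.conf:1; run against a real ruleset it takes the top-level file as its argument and follows the includes from there. A clean result is what the 0.9.1 evaluator needed, since its chain lookup consulted only the first table definition placed in the cache.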
https://bugzilla.netfilter.org/show_bug.cgi?id=1351

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #5 from Florian Westphal <fw at strlen.de> ---

This is fixed in 0.9.2.