bugzilla-daemon at netfilter.org
2019-Sep-15  11:21 UTC
[Bug 1365] New: nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365
            Bug ID: 1365
           Summary: nft crashes in chain_print_declaration()
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: slyfox at inbox.ru
Here is the minimal crash reproducer:
$ cat nft.ruleset
    # filters
    table inet filter {
        chain prerouting {
            type filter hook prerouting priority -50
        }
    }
    # dump new state
    list ruleset
$ nft -c -f ./nft.ruleset
    table inet filter {
        chain prerouting {
    Segmentation fault (core dumped)
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50)
    at ../../gmp-6.1.2/mpz/export.c:66
66      zsize = SIZ(z);
(gdb) bt
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50)
    at ../../gmp-6.1.2/mpz/export.c:66
#1  0x00007fc1b9b2e8c4 in __mpz_export_data (data=0x7ffc919cdd1c, op=0x50, byteorder=BYTEORDER_HOST_ENDIAN,
    len=4) at ../../../nftables/src/gmputil.c:109
#2  0x00007fc1b9afa346 in chain_print_declaration (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0)
    at ../../../nftables/src/rule.c:1110
#3  0x00007fc1b9afa488 in chain_print (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0)
    at ../../../nftables/src/rule.c:1128
#4  0x00007fc1b9afae77 in table_print (table=0x561fc75ebdb0, octx=0x561fc75eb2c0)
    at ../../../nftables/src/rule.c:1295
#5  0x00007fc1b9afc04d in do_list_table (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500, table=0x561fc75ebdb0)
    at ../../../nftables/src/rule.c:1645
#6  0x00007fc1b9afe014 in do_list_ruleset (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500)
    at ../../../nftables/src/rule.c:2208
#7  0x00007fc1b9afe5bc in do_command_list (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500)
    at ../../../nftables/src/rule.c:2330
#8  0x00007fc1b9afef56 in do_command (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500)
    at ../../../nftables/src/rule.c:2572
#9  0x00007fc1b9b363e2 in nft_netlink (nft=0x561fc75eb2a0, cmds=0x7ffc919ce090, msgs=0x7ffc919ce080,
    nf_sock=0x561fc75ebc30) at ../../../nftables/src/libnftables.c:42
#10 0x00007fc1b9b3754a in nft_run_cmd_from_filename (nft=0x561fc75eb2a0,
    filename=0x7ffc919cecff "./nft.ruleset") at ../../../nftables/src/libnftables.c:508
#11 0x0000561fc5f6e70e in main (argc=4, argv=0x7ffc919ce1f8) at ../../../nftables/src/main.c:328
valgrind says it's a NULL dereference:
$ valgrind --quiet nft -c -f ./nft.ruleset
table inet filter {
    chain prerouting {
==214535== Invalid read of size 4
==214535==    at 0x49DF288: __gmpz_export (export.c:66)
==214535==    by 0x48908C3: __mpz_export_data (gmputil.c:109)
==214535==    by 0x485C345: chain_print_declaration (rule.c:1110)
==214535==    by 0x485C487: chain_print (rule.c:1128)
==214535==    by 0x485CE76: table_print (rule.c:1295)
==214535==    by 0x485E04C: do_list_table (rule.c:1645)
==214535==    by 0x4860013: do_list_ruleset (rule.c:2208)
==214535==    by 0x48605BB: do_command_list (rule.c:2330)
==214535==    by 0x4860F55: do_command (rule.c:2572)
==214535==    by 0x48983E1: nft_netlink (libnftables.c:42)
==214535==    by 0x4899549: nft_run_cmd_from_filename (libnftables.c:508)
==214535==    by 0x10970D: main (main.c:328)
==214535==  Address 0x54 is not stack'd, malloc'd or (recently) free'd
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190915/83642595/attachment.html>
bugzilla-daemon at netfilter.org
2019-Sep-15  21:11 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365
--- Comment #1 from Sergei Trofimovich <slyfox at inbox.ru> ---
If I add the following asserts to nftables:
--- a/src/rule.c
+++ b/src/rule.c
@@ -1107,6 +1107,8 @@ static void chain_print_declaration(const struct chain
*chain,
         nft_print(octx, " # handle %" PRIu64,
chain->handle.handle.id);
     nft_print(octx, "\n");
     if (chain->flags & CHAIN_F_BASECHAIN) {
+        assert(chain);
+        assert(chain->policy);
         mpz_export_data(&policy, chain->policy->value,
                 BYTEORDER_HOST_ENDIAN, sizeof(int));
         nft_print(octx, "\t\ttype %s hook %s", chain->type,
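Review bot: the `assert(chain)` on the first added line cannot fire, because `chain->flags` in the enclosing `if` has already dereferenced `chain` before it runs; only `assert(chain->policy)` carries information, and a build with NDEBUG compiles both out. As a fix rather than a diagnostic, the condition belongs in the control flow: wrap the `mpz_export_data(&policy, chain->policy->value, ...)` call and the policy output in `if (chain->policy)`, so that a base chain declared without a policy is listed without the clause instead of aborting.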
those crash as:
$ nft -c -f ./nft.ruleset
table inet filter {
    chain prerouting {
nft: ../../../nftables/src/rule.c:1111: chain_print_declaration: Assertion `chain->policy' failed.
bugzilla-daemon at netfilter.org
2019-Sep-16  07:29 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365
--- Comment #2 from Sergei Trofimovich <slyfox at inbox.ru> ---
Created attachment 569
  --> https://bugzilla.netfilter.org/attachment.cgi?id=569&action=edit
0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch
0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch fixes the crash for me. It avoids pretty-printing policy if it's not present as an expression.
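As an added illustration (not nftables code; the struct and function names are hypothetical stand-ins), a reduced model of the crash shape in chain_print_declaration() beside the guard that comment #2 describes: the policy clause is pretty-printed only when the policy expression exists.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for the expression chain->policy points at (value only). */
struct policy_expr {
	unsigned int value;         /* 0 = drop, 1 = accept */
};

/* Stand-in for struct chain: under `nft -c` a base chain declared with
 * no policy carries no policy expression, so policy is NULL. */
struct chain_decl {
	const char *type;
	const char *hook;
	int priority;
	struct policy_expr *policy; /* NULL when the ruleset gave none */
};

/* Before: the shape of the crash. A NULL policy reads a small offset from
 * address 0 (gdb's z=0x50, valgrind's "Address 0x54"). Never called. */
unsigned int policy_value_before(const struct chain_decl *c)
{
	return c->policy->value;
}

/* After: emit the policy clause only when the expression is present.
 * Returns bytes written, or -1 if buf is too small. */
int print_declaration(const struct chain_decl *c, char *buf, size_t len)
{
	int n = snprintf(buf, len, "type %s hook %s priority %d;",
			 c->type, c->hook, c->priority);
	if (n < 0 || (size_t)n >= len)
		return -1;
	if (c->policy) {
		int m = snprintf(buf + n, len - (size_t)n, " policy %s;",
				 c->policy->value ? "accept" : "drop");
		if (m < 0 || (size_t)m >= len - (size_t)n)
			return -1;
		n += m;
	}
	return n;
}

/* The reproducer's chain, listed with and without a policy expression. */
const char *reproducer_declaration(int with_accept_policy)
{
	static char buf[128];
	static struct policy_expr accept = { 1 };
	struct chain_decl c = { "filter", "prerouting", -50, NULL };
	if (with_accept_policy) c.policy = &accept;
	return print_declaration(&c, buf, sizeof buf) < 0 ? NULL : buf;
}
```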
bugzilla-daemon at netfilter.org
2019-Sep-16  07:55 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Florian Westphal <fw at strlen.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
                 CC|                            |fw at strlen.de
--- Comment #3 from Florian Westphal <fw at strlen.de> ---
(In reply to Sergei Trofimovich from comment #2)
> Created attachment 569 [details]
> 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch
> 
> 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch fixes crash
> for me. It avoids pretty-printing policy if it's not present as an
> expression.
Patch applied to nftables.git, thanks.