bugzilla-daemon at netfilter.org
2019-Sep-15 11:21 UTC
[Bug 1365] New: nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365 Bug ID: 1365 Summary: nft crashes in chain_print_declaration() Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: slyfox at inbox.ru Here is the minimal crash reproducer: $ cat nft.ruleset # filters table inet filter { chain prerouting { type filter hook prerouting priority -50 } } # dump new state list ruleset $ nft -c -f ./nft.ruleset table inet filter { chain prerouting { Segmentation fault (core dumped) Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50) at ../../gmp-6.1.2/mpz/export.c:66 66 zsize = SIZ(z); (gdb) bt #0 __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50) at ../../gmp-6.1.2/mpz/export.c:66 #1 0x00007fc1b9b2e8c4 in __mpz_export_data (data=0x7ffc919cdd1c, op=0x50, byteorder=BYTEORDER_HOST_ENDIAN, len=4) at ../../../nftables/src/gmputil.c:109 #2 0x00007fc1b9afa346 in chain_print_declaration (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1110 #3 0x00007fc1b9afa488 in chain_print (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1128 #4 0x00007fc1b9afae77 in table_print (table=0x561fc75ebdb0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1295 #5 0x00007fc1b9afc04d in do_list_table (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500, table=0x561fc75ebdb0) at ../../../nftables/src/rule.c:1645 #6 0x00007fc1b9afe014 in do_list_ruleset (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2208 #7 0x00007fc1b9afe5bc in do_command_list (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2330 #8 0x00007fc1b9afef56 in do_command (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2572 #9 0x00007fc1b9b363e2 in nft_netlink (nft=0x561fc75eb2a0, cmds=0x7ffc919ce090, msgs=0x7ffc919ce080, nf_sock=0x561fc75ebc30) at ../../../nftables/src/libnftables.c:42 #10 0x00007fc1b9b3754a in nft_run_cmd_from_filename (nft=0x561fc75eb2a0, filename=0x7ffc919cecff "./nft.ruleset") at ../../../nftables/src/libnftables.c:508 #11 0x0000561fc5f6e70e in main (argc=4, argv=0x7ffc919ce1f8) at ../../../nftables/src/main.c:328 valgrind says it's a NULL dereference: $ valgrind --quiet nft -c -f ./nft.ruleset table inet filter { chain prerouting { ==214535== Invalid read of size 4 ==214535== at 0x49DF288: __gmpz_export (export.c:66) ==214535== by 0x48908C3: __mpz_export_data (gmputil.c:109) ==214535== by 0x485C345: chain_print_declaration (rule.c:1110) ==214535== by 0x485C487: chain_print (rule.c:1128) ==214535== by 0x485CE76: table_print (rule.c:1295) ==214535== by 0x485E04C: do_list_table (rule.c:1645) ==214535== by 0x4860013: do_list_ruleset (rule.c:2208) ==214535== by 0x48605BB: do_command_list (rule.c:2330) ==214535== by 0x4860F55: do_command (rule.c:2572) ==214535== by 0x48983E1: nft_netlink (libnftables.c:42) ==214535== by 0x4899549: nft_run_cmd_from_filename (libnftables.c:508) ==214535== by 0x10970D: main (main.c:328) ==214535== Address 0x54 is not stack'd, malloc'd or (recently) free'd -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190915/83642595/attachment.html>
bugzilla-daemon at netfilter.org
2019-Sep-15 21:11 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365 --- Comment #1 from Sergei Trofimovich <slyfox at inbox.ru> --- If I add the following asserts to nftables: --- a/src/rule.c +++ b/src/rule.c @@ -1107,6 +1107,8 @@ static void chain_print_declaration(const struct chain *chain, nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id); nft_print(octx, "\n"); if (chain->flags & CHAIN_F_BASECHAIN) { + assert(chain); + assert(chain->policy); mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); nft_print(octx, "\t\ttype %s hook %s", chain->type, those crash as: $ nft -c -f ./nft.ruleset table inet filter { chain prerouting { nft: ../../../nftables/src/rule.c:1111: chain_print_declaration: Assertion `chain->policy' failed. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190915/8a69facc/attachment.html>
bugzilla-daemon at netfilter.org
2019-Sep-16 07:29 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365 --- Comment #2 from Sergei Trofimovich <slyfox at inbox.ru> --- Created attachment 569 --> https://bugzilla.netfilter.org/attachment.cgi?id=569&action=edit 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch fixes crash for me. It avoids pretty-printing policy if it's not present as an expression. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190916/1e08e0a9/attachment.html>
bugzilla-daemon at netfilter.org
2019-Sep-16 07:55 UTC
[Bug 1365] nft crashes in chain_print_declaration()
https://bugzilla.netfilter.org/show_bug.cgi?id=1365 Florian Westphal <fw at strlen.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED CC| |fw at strlen.de --- Comment #3 from Florian Westphal <fw at strlen.de> --- (In reply to Sergei Trofimovich from comment #2)> Created attachment 569 [details] > 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch > > 0001-nftables-don-t-crash-in-list-ruleset-if-policy-is-no.patch fixes crash > for me. It avoids pretty-printing policy if it's not present as an > expression.Patch applied to nftables.git, thanks. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190916/7378ada9/attachment.html>
Seemingly Similar Threads
- [Bug 1444] New: nftables-0.9.6 crashes on some set notations:
- [Bug 1763] New: Segfault when resetting rules with meta l4proto { tcp, udp }
- [Bug 1351] New: Segfault in v0.9.1
- [ANNOUNCE] nftables 0.8 release
- CESA-2017:1365 Important CentOS 7 nss Security Update