bugzilla-daemon at netfilter.org
2020-Apr-09 00:05 UTC
[Bug 1418] New: segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

            Bug ID: 1418
           Summary: segfaults when running nft --file foo.nft --echo
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: chutzpah at gentoo.org

Here is the backtrace:

mpz_cmp (a=a@entry=0x555555654ce0, b=<optimized out>) at mini-gmp.c:1819
1819            return mpn_cmp (a->_mp_d, b->_mp_d, asize);
(gdb) bt
#0  mpz_cmp (a=a@entry=0x555555654ce0, b=<optimized out>) at mini-gmp.c:1819
#1  0x00005555555ad790 in expr_value_cmp (p1=p1@entry=0x5555556ac820, p2=p2@entry=0x5555556ac828) at segtree.c:832
#2  0x00007ffff7d86f3d in msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=2) at msort.c:83
#3  0x00007ffff7d86ea4 in msort_with_tmp (n=2, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:53
#4  msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=5) at msort.c:53
#5  0x00007ffff7d86ea4 in msort_with_tmp (n=5, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:53
#6  msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=10) at msort.c:53
#7  0x00007ffff7d872c2 in msort_with_tmp (n=10, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:297
#8  __GI___qsort_r (b=b@entry=0x5555556ac820, n=n@entry=10, s=s@entry=8, cmp=cmp@entry=0x5555555ad760 <expr_value_cmp>, arg=arg@entry=0x0) at msort.c:297
#9  0x00007ffff7d8756f in __GI_qsort (b=b@entry=0x5555556ac820, n=n@entry=10, s=s@entry=8, cmp=cmp@entry=0x5555555ad760 <expr_value_cmp>) at msort.c:308
#10 0x00005555555aed85 in interval_map_decompose (set=0x5555556115a0) at segtree.c:978
#11 0x00005555555abaff in nlr_for_each_set (nlr=nlr@entry=0x5555556ac190, cb=cb@entry=0x5555555ab9c0 <rule_map_decompose_cb>, cache=0x55555560c340, data=0x0) at monitor.c:193
#12 0x00005555555ac326 in netlink_events_rule_cb (monh=0x7fffffffcce0, type=6, nlh=0x7fffffffcda0) at monitor.c:517
#13 netlink_events_cb (nlh=nlh@entry=0x7fffffffcda0, data=data@entry=0x7fffffffcce0) at monitor.c:890
#14 0x00005555555ad062 in netlink_echo_callback (nlh=nlh@entry=0x7fffffffcda0, data=data@entry=0x7fffffffde10) at monitor.c:924
#15 0x00007ffff7fb6748 in __mnl_cb_run (cb_ctl_array_len=16, cb_ctl_array=0x55555560a5a0 <cb_ctl_array>, data=<optimized out>, cb_data=0x5555555ad000 <netlink_echo_callback>, portid=0, seq=0, numbytes=<optimized out>, buf=0x7fffffffcda0) at callback.c:78
#16 mnl_cb_run2 (buf=buf@entry=0x7fffffffcda0, numbytes=<optimized out>, seq=seq@entry=0, portid=portid@entry=0, cb_data=0x5555555ad000 <netlink_echo_callback>, data=data@entry=0x7fffffffde10, cb_ctl_array=0x55555560a5a0 <cb_ctl_array>, cb_ctl_array_len=16) at callback.c:135
#17 0x00005555555b1aac in mnl_batch_talk (ctx=ctx@entry=0x7fffffffdf70, err_list=err_list@entry=0x7fffffffdf60, num_cmds=num_cmds@entry=161) at mnl.c:433
#18 0x000055555556b6c5 in nft_netlink (nft=nft@entry=0x55555560c2a0, cmds=cmds@entry=0x7fffffffe010, msgs=msgs@entry=0x7fffffffe000, nf_sock=<optimized out>) at libnftables.c:57
#19 0x000055555556bfa8 in nft_run_cmd_from_filename (nft=0x55555560c2a0, filename=0x7fffffffe4ad "/etc/nftables/init.nft") at libnftables.c:508
#20 0x000055555556acb9 in main (argc=<optimized out>, argv=0x7fffffffe1c8) at main.c:455

When it is adding the rules and echoing, the output is kind of mangled. A rule
that looks like

table inet filter {
        chain input_XXXXXXX {
                iifname { "bond0" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.1.1 } tcp dport { ssh } counter accept
        }
}

Gets echoed as

add rule inet filter input_XXXXXXX iifname { "bond0", "bond0" } ip saddr { 10.0.0.0/8, 10.0.0.0/8-0xffffffff [invalid type] } ip daddr { 192.168.1.1, 192.168.1.1 } tcp dport { 22, 22 } counter packets 0 bytes 0 accept

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Apr-09 00:06 UTC
[Bug 1418] segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Patrick McLean <chutzpah at gentoo.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |critical
bugzilla-daemon at netfilter.org
2020-Apr-09 00:46 UTC
[Bug 1418] segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

--- Comment #1 from Patrick McLean <chutzpah at gentoo.org> ---
Created attachment 590
  --> https://bugzilla.netfilter.org/attachment.cgi?id=590&action=edit
ruleset that triggers the segfault

OK, I seem to have figured out how to reproduce it reliably. I have some
generated rule sets that I am loading, and they attempt to clean up after
the last time they were loaded by adding then deleting the tables they
create. The first time nft runs, everything works fine, the second time I
get the strange output and a segfault.

So try running "nft --echo --file test.nft" *twice* and it will cause nft to
echo some strange data and segfault.
bugzilla-daemon at netfilter.org
2020-Apr-09 00:47 UTC
[Bug 1418] segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Patrick McLean <chutzpah at gentoo.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #590|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at netfilter.org
2020-Jul-28 18:29 UTC
[Bug 1418] segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Patrick McLean from comment #1)
> Created attachment 590 [details]
> ruleset that triggers the segfault
>
> OK, I seem to have figured out how to reproduce it reliably. I have some
> generated rule sets that I am loading, and they attempt to clean up after
> the last time they were loaded by adding then deleting the tables they
> create. The first time nft runs, everything works fine, the second time I
> get the strange output and a segfault.
>
> So try running "nft --echo --file test.nft" *twice* and it will cause nft to
> echo some strange data and segfault.

Patchset to address this problem has been posted:

https://patchwork.ozlabs.org/project/netfilter-devel/list/?series=192921

Thanks for reporting.
bugzilla-daemon at netfilter.org
2020-Aug-24 11:35 UTC
[Bug 1418] segfaults when running nft --file foo.nft --echo
https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream patches:

http://git.netfilter.org/nftables/commit/?id=8eece29518257536711657c42047f14e22a7e8f2
http://git.netfilter.org/nftables/commit/?id=ac4b25b3ca045fbbed86773a91da52d9d7ee3091
http://git.netfilter.org/nftables/commit/?id=7840b9224d5b84c41a8f5a5ddd919c7f7614901f

Closing, thanks for reporting