[pkg-netfilter-team] Bug#949101: iptables-restore: segmentation fault

Alexander E. Patrakov patrakov at gmail.com
Thu Jan 16 22:10:36 GMT 2020


Package: iptables
Version: 1.8.2-4
Severity: normal

Dear maintainer,

This is a reproducible way to segfault iptables-restore (the nftables variant):

0. Start with a blank state.

1. Load the initial rules:

    iptables-restore < original_rules.iptables

2. Attempt to test new rules, to be applied incrementally:

    iptables-restore -n -t < new.iptables

The second command results in a segfault.

I don't care in this bug report whether the rules are actually valid; the program should point out the error instead of segfaulting.

Here is what gdb says:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7da8787 in nftnl_expr_build_payload (nlh=nlh@entry=0x7ffff75b3220, expr=expr@entry=0x0) at expr.c:210
210	expr.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7da8787 in nftnl_expr_build_payload (nlh=nlh@entry=0x7ffff75b3220, expr=expr@entry=0x0) at expr.c:210
        nest = <optimized out>
#1  0x00007ffff7da3783 in nftnl_rule_nlmsg_build_payload (nlh=0x7ffff75b3220, r=0x5555555f89d0) at rule.c:320
        expr = 0x0
        nest = 0x7ffff75b324c
        nest2 = 0x7ffff75b35a4
#2  0x0000555555564c66 in nft_compat_rule_batch_add (h=h@entry=0x7fffffffe4e0, type=type@entry=6, flags=flags@entry=3072, 
    seq=<optimized out>, rule=<optimized out>) at nft.c:2579
        nlh = <optimized out>
#3  0x000055555556593e in nft_action (h=0x7fffffffe4e0, action=1) at nft.c:2673
        n = 0x5555555f8c30
        tmp = <optimized out>
        err = <optimized out>
        ne = <optimized out>
        buflen = <optimized out>
        i = <optimized out>
        len = <optimized out>
        show_errors = true
        errmsg = "\001\000\000\000\000\000\000\000\242\241i\367\377\177\000\000\340\344\377\377\377\177\000\000\t\000\000\000\000\000\000\000\240\305_UUU\000\000\060\253_UUU\000\000\260\272\377\377\377\177\000\000\373HVUUU\000\000\340\344\377\377\377\177\000\000\240\305_UUU\000\000\000\000\000\000\000\000\000\000\366xVUUU\000\000\340\242_UUU\000\000\000\000\000\000\000\000\000\000T{_UUU\000\000\260\272\377\377\377\177\000\000\064\217_UUU\000\000\000\000\000\000\000\000\000\000\340\242_UUU\000\000\352%VUUU\000\000\060\253_UUU\000\000\064\217_UUU\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000@\217_UUU\000\000"...
        seq = 10
        ret = 0
#4  0x0000555555561555 in xtables_restore_parse (h=h@entry=0x7fffffffe4e0, p=p@entry=0x7fffffffe4c0, 
    cb=cb@entry=0x555555589140 <restore_cb>, argc=argc@entry=4, argv=argv@entry=0x7fffffffe668) at xtables-restore.c:143
        ret = 0
        buffer = "COMMIT\n\000RD -j COMPLAIN\n\000rs -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT\n", '\000' <repeats 5979 times>...
        in_table = <optimized out>
        curtable = 0x555555589c20 <xtables_ipv4>
        ops = <optimized out>
        chain_list = 0x5555555f54b0
#5  0x0000555555561f90 in xtables_restore_main (family=2, progname=<optimized out>, argc=4, argv=0x7fffffffe668)
    at xtables-restore.c:474
        tables = <optimized out>
        h = {family = 2, nl = 0x5555555f5490, portid = 2389, seq = 0, obj_list = {next = 0x5555555f6df0, prev = 0x5555555fabf0}, 
          obj_list_num = 16, batch = 0x5555555fac20, err_list = {next = 0x7fffffffe518, prev = 0x7fffffffe518}, 
          ops = 0x555555589ee0 <nft_family_ops_ipv4>, tables = 0x555555589c20 <xtables_ipv4>, chain_cache = 0x5555555f54b0, 
          rule_cache = 0x5555555f7c30, restore = true, config_done = -1 '\377', error = {lineno = 23}}
        c = <optimized out>
        p = {in = 0x5555555f5260, testing = 1, tablename = 0x0, commit = true}
#6  0x00007ffff763909b in __libc_start_main (main=0x55555555cfb0 <main>, argc=4, argv=0x7fffffffe668, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5955117646945397298, 93824992268224, 140737488348768, 0, 0, 
                -572386658808703538, -572405319023536690}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffe690, 
              0x7ffff7ffe190}, data = {prev = 0x0, cleanup = 0x0, canceltype = -6512}}}
        not_first_call = <optimized out>
#7  0x000055555555cfea in _start ()
No symbol table info available.


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information
-------------- next part --------------
# Generated by xtables-save v1.8.2 on Thu Jan 16 22:31:46 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 16 22:31:46 2020
# Generated by xtables-save v1.8.2 on Thu Jan 16 22:31:46 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [274683:92319015]
:OUTPUT ACCEPT [200201:62515593]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -i wg-customers -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg-customers -j DROP
-A FORWARD -o wg-customers -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A f2b-sshd -s 222.186.30.145/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 16 22:31:46 2020
-------------- next part --------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:COMPLAIN - [0:0]

-F INPUT
-F COMPLAIN

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A COMPLAIN -j LOG --log-prefix "FIREWALL COMPLAIN: "

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Failsafe
-A INPUT -p tcp -m tcp -s 172.31.100.5 --dport 22 -j ACCEPT

-F FORWARD
-A FORWARD -i wg-customers -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o wg-customers -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j COMPLAIN

COMMIT
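
A gate for the dry run in step 2 of the report, as an added example that is not part of the original message: it tells "rules rejected" apart from "checker crashed" by exit status, so a segfault in the checker is never read as a verdict on the rules. `CHECK_CMD`, `classify_status` and `check_rules` are names assumed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a ruleset dry run.
# CHECK_CMD is an assumption of this example; it defaults to the dry-run
# command quoted in the report and can be overridden for offline testing.
: "${CHECK_CMD:=iptables-restore -n -t}"

# classify_status STATUS
# Prints one of: ok | rejected | unavailable | crashed:<signal number>
classify_status() {
    case $1 in
        0) echo ok ;;
        126|127) echo unavailable ;;   # checker not executable / not found
        *)
            if [ "$1" -gt 128 ]; then
                # The shell reports death by signal N as 128+N,
                # so SIGSEGV (11) shows up as 139.
                echo "crashed:$(($1 - 128))"
            else
                echo rejected          # checker ran and refused the rules
            fi ;;
    esac
}

# check_rules FILE
# Feeds FILE to the checker on stdin and prints the classification.
# Returns 0 = ok, 1 = rejected, 2 = file unreadable, 3 = checker failed.
check_rules() {
    rules=$1
    [ -r "$rules" ] || { echo unreadable; return 2; }
    status=0
    # Subshell: no core file is written and the checker's output is
    # discarded; only its exit status is used. $CHECK_CMD is deliberately
    # unquoted so that its options are split into separate words.
    ( ulimit -c 0; exec $CHECK_CMD <"$rules" ) >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    echo "$verdict"
    case $verdict in
        ok) return 0 ;;
        rejected) return 1 ;;
        *) return 3 ;;   # crashed or unavailable: the result says nothing
    esac                 # about the rules, so nothing should be loaded
}
```

A caller loads the new rules only on return code 0 and treats 3 as a fault in the tooling to be reported, not as a ruleset error.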

