[pkg-netfilter-team] Bug#965021: conntrackd: segfaults when not disabling internal cache

Thomas Schneider tschneider at asta.rwth-aachen.de
Tue Jul 14 16:04:17 BST 2020


Package: conntrackd
Version: 1:1.4.5-2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I’m experiencing a problem with conntrackd.

* What led up to the situation?

I installed and configured conntrackd and simply started it.

* What exactly did you do (or not do) that was effective (or ineffective)?

I investigated the problem using gdb and valgrind.  As the segfault
happens in cache_ct_cmp(), which is passed a NULL pointer that it tries
to dereference, I tried to disable the caches.

Setting `DisableExternalCache on` led to the same behaviour.  Setting
`DisableInternalCache on` apparently fixed it, however this option is
only available in NOTRACK mode (and I want to use FTFW mode).

Since some hash related functions appear in the backtrace, I tried to
change the value of HashSize and HashLimit.  Based on more or less
similar reports I found online, I tried disabling TCPWindowTracking and
ExpectationSync.  Neither one fixed the problem.

* What was the outcome of this action?

It segfaulted right after starting.  Only with `DisableExternalCache
on` did it produce any output (see below); without that, no output was
produced.

* What outcome did you expect instead?

I expected it to work, or at least provide a sensible error message.


*** /tmp/gdb.log
# gdb -q --args conntrackd
Reading symbols from conntrackd...Reading symbols from /usr/lib/debug/.build-id/ce/01eee7370eaa2a78b30857a5478c1b7f600bfe.debug...done.
done.
(gdb) r
Starting program: /usr/sbin/conntrackd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Tue Jul 14 16:48:55 2020] (pid=13845) [notice] disabling external cache

Program received signal SIGSEGV, Segmentation fault.
0x0000555555564ba1 in cache_ct_cmp (data1=0x0, data2=0x5555555afd60) at cache-ct.c:104
104     cache-ct.c: No such file or directory.
(gdb) bt
#0  0x0000555555564ba1 in cache_ct_cmp (data1=0x0, data2=0x5555555afd60) at cache-ct.c:104
#1  0x000055555555f633 in hashtable_find (table=0x5555555a9810, data=data at entry=0x5555555afd60,
    id=<optimized out>) at hash.c:74
#2  0x000055555556434c in cache_find (c=c at entry=0x5555555a9710, ptr=ptr at entry=0x5555555afd60,
    id=id at entry=0x7fffffff9ec4) at cache.c:304
#3  0x0000555555564378 in cache_update_force (c=0x5555555a9710, ptr=0x5555555afd60) at cache.c:279
#4  0x00005555555663b8 in dump_handler (type=NFCT_T_UPDATE, data=<optimized out>, ct=0x5555555afd60)
    at ctnl.c:266
#5  dump_handler (type=NFCT_T_UPDATE, ct=0x5555555afd60, data=<optimized out>) at ctnl.c:257
#6  0x00007ffff7ba47db in __callback (nlh=0x7fffffffa090, nfa=0x7fffffff9f50, data=0x5555555afd40)
    at callback.c:58
#7  0x00007ffff778805c in nfnl_step (h=h at entry=0x5555555afa20, nlh=nlh at entry=0x7fffffffa090)
    at libnfnetlink.c:1340
#8  0x00007ffff7788823 in nfnl_process (h=h at entry=0x5555555afa20,
    buf=buf at entry=0x7fffffffa090 <incomplete sequence \324>, len=len at entry=3604) at libnfnetlink.c:1385
#9  0x00007ffff7788b8e in nfnl_catch (h=0x5555555afa20) at libnfnetlink.c:1539
#10 0x00007ffff7ba562f in nfct_query (h=0x5555555afc00, qt=qt at entry=NFCT_Q_DUMP,
    data=data at entry=0x5555555772e4 <family>) at api.c:970
#11 0x0000555555561f71 in nl_dump_conntrack_table (h=<optimized out>) at netlink.c:153
#12 0x000055555556661f in ctnl_init () at ctnl.c:456
#13 0x000055555555f505 in init () at run.c:301
#14 0x000055555555df72 in main (argc=1, argv=0x7fffffffe428) at main.c:367

*** /tmp/valgrind.log
# valgrind conntrackd
==13777== Memcheck, a memory error detector
==13777== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==13777== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==13777== Command: conntrackd
==13777==
[Tue Jul 14 16:44:45 2020] (pid=13777) [notice] disabling external cache
==13777== Invalid read of size 8
==13777==    at 0x113608: hashtable_find (hash.c:72)
==13777==    by 0x118377: cache_update_force (cache.c:279)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:266)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:257)
==13777==    by 0x4A5A7DA: __callback (callback.c:58)
==13777==    by 0x4E8A05B: nfnl_step (libnfnetlink.c:1340)
==13777==    by 0x4E8A822: nfnl_process (libnfnetlink.c:1385)
==13777==    by 0x4E8AB8D: nfnl_catch (libnfnetlink.c:1539)
==13777==    by 0x4A5B62E: nfct_query (api.c:970)
==13777==    by 0x11A61E: ctnl_init (ctnl.c:456)
==13777==    by 0x113504: init (run.c:301)
==13777==    by 0x111F71: main (main.c:367)
==13777==  Address 0x54af660 is 0 bytes after a block of size 32 alloc'd
==13777==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==13777==    by 0x113577: hashtable_create (hash.c:39)
==13777==    by 0x117E8D: cache_create (cache.c:102)
==13777==    by 0x121796: internal_cache_init (internal_cache.c:26)
==13777==    by 0x11ADAC: init_sync (sync-mode.c:396)
==13777==    by 0x11A52A: ctnl_init (ctnl.c:414)
==13777==    by 0x113504: init (run.c:301)
==13777==    by 0x111F71: main (main.c:367)
==13777==
==13777== Invalid read of size 8
==13777==    at 0x118BA1: cache_ct_cmp (cache-ct.c:104)
==13777==    by 0x113632: hashtable_find (hash.c:74)
==13777==    by 0x118377: cache_update_force (cache.c:279)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:266)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:257)
==13777==    by 0x4A5A7DA: __callback (callback.c:58)
==13777==    by 0x4E8A05B: nfnl_step (libnfnetlink.c:1340)
==13777==    by 0x4E8A822: nfnl_process (libnfnetlink.c:1385)
==13777==    by 0x4E8AB8D: nfnl_catch (libnfnetlink.c:1539)
==13777==    by 0x4A5B62E: nfct_query (api.c:970)
==13777==    by 0x11A61E: ctnl_init (ctnl.c:456)
==13777==    by 0x113504: init (run.c:301)
==13777==    by 0x111F71: main (main.c:367)
==13777==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==13777==
==13777==
==13777== Process terminating with default action of signal 11 (SIGSEGV)
==13777==  Access not within mapped region at address 0x10
==13777==    at 0x118BA1: cache_ct_cmp (cache-ct.c:104)
==13777==    by 0x113632: hashtable_find (hash.c:74)
==13777==    by 0x118377: cache_update_force (cache.c:279)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:266)
==13777==    by 0x11A3B7: dump_handler (ctnl.c:257)
==13777==    by 0x4A5A7DA: __callback (callback.c:58)
==13777==    by 0x4E8A05B: nfnl_step (libnfnetlink.c:1340)
==13777==    by 0x4E8A822: nfnl_process (libnfnetlink.c:1385)
==13777==    by 0x4E8AB8D: nfnl_catch (libnfnetlink.c:1539)
==13777==    by 0x4A5B62E: nfct_query (api.c:970)
==13777==    by 0x11A61E: ctnl_init (ctnl.c:456)
==13777==    by 0x113504: init (run.c:301)
==13777==    by 0x111F71: main (main.c:367)
==13777==  If you believe this happened as a result of a stack
==13777==  overflow in your program's main thread (unlikely but
==13777==  possible), you can try to increase the size of the
==13777==  main thread stack using the --main-stacksize= flag.
==13777==  The main thread stack size used in this run was 8388608.
==13777==
==13777== HEAP SUMMARY:
==13777==     in use at exit: 35,130 bytes in 71 blocks
==13777==   total heap usage: 88 allocs, 17 frees, 60,055 bytes allocated
==13777==
==13777== LEAK SUMMARY:
==13777==    definitely lost: 0 bytes in 0 blocks
==13777==    indirectly lost: 0 bytes in 0 blocks
==13777==      possibly lost: 0 bytes in 0 blocks
==13777==    still reachable: 35,130 bytes in 71 blocks
==13777==         suppressed: 0 bytes in 0 blocks
==13777== Rerun with --leak-check=full to see details of leaked memory
==13777==
==13777== For counts of detected and suppressed errors, rerun with: -v
==13777== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages conntrackd depends on:
ii  libc6                    2.28-10
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnetfilter-cthelper0   1.0.0-1+b1
ii  libnetfilter-queue1      1.0.3-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libsystemd0              241-7~deb10u4

conntrackd recommends no packages.

Versions of packages conntrackd suggests:
ii  nftables  0.9.0-2

-- Configuration Files:
/etc/conntrackd/conntrackd.conf changed:
Sync {
	Mode NOTRACK {
		# DisableInternalCache on
		DisableExternalCache on
	}
	Multicast {
		IPv4_address 225.0.0.50
		Group 3780
		IPv4_interface 10.10.73.3
		Interface vl-asta
		SndSocketBuffer 1249280
		RcvSocketBuffer 1249280
		Checksum on
	}
	Options {
		# TCPWindowTracking On
		# ExpectationSync On
	}
}
General {
	Systemd on
	# HashLimit 524288
	LogFile on
	Syslog on
	LockFile /var/lock/conntrackd.lock
	UNIX {
		Path /var/run/conntrackd.sock
	}
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608
	Filter From Userspace {
		Address Ignore {
			IPv4_address 127.0.0.0/8
		}
	}
}


-- no debconf information
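Added example, not part of the bug report above and not conntrackd's own code: a simplified model of the layout the valgrind log points at (a fixed-size hash table header followed by a flexible array of bucket list heads), showing why a bucket count of zero produces exactly this signature and how a guarded constructor turns it into a clean error. The log says the invalid read in hashtable_find() lands "0 bytes after a block of size 32" that was calloc'd in hashtable_create(), and that the compare callback then receives data1=0x0 and faults at address 0x10. A header-only allocation (no buckets) whose first bucket sits right past the block, with zeroed heap padding read as a NULL `next` pointer, fits all three facts. That a zero HashSize reached hashtable_create() is a hypothesis drawn from the log, not something the report confirms; the struct, the callback names and the `struct key` stand-in for the conntrack tuple are assumptions made for this illustration.

```c
/* Added example (not conntrackd's code): model of a header-plus-buckets hash
 * table, the multiply-shift bucket selection, and a constructor that rejects a
 * zero bucket count. Identifiers are illustrative assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head {
	struct list_head *next, *prev;
};

/* Header followed by hashsize bucket heads. With hashsize == 0 the allocation
 * is the header alone and members[0] begins exactly one byte past the block,
 * which is what "0 bytes after a block of size 32" describes. (Assumption:
 * the real header is also 32 bytes on amd64; this struct is only our model.) */
struct hashtable {
	uint32_t hashsize;
	uint32_t limit;
	uint32_t count;
	uint32_t (*hash)(const void *data, const struct hashtable *table);
	int (*compare)(const void *data1, const void *data2);
	struct list_head members[];
};

size_t hashtable_alloc_size(uint32_t hashsize)
{
	return sizeof(struct hashtable) + (size_t)hashsize * sizeof(struct list_head);
}

/* Multiply-shift bucket selection maps a 32-bit hash into [0, hashsize).
 * For hashsize == 0 every hash maps to bucket 0: no division, so no SIGFPE,
 * just a silent index into a bucket that was never allocated. */
uint32_t bucket_index(uint32_t hash, uint32_t hashsize)
{
	return (uint32_t)(((uint64_t)hash * hashsize) >> 32);
}

/* Guarded constructor. Without the hashsize check, the zeroed padding behind
 * a 32-byte calloc block reads as a NULL 'next' pointer, the list walk yields
 * a NULL node, and the compare callback is handed data1=0x0. */
struct hashtable *hashtable_create(uint32_t hashsize, uint32_t limit,
				   uint32_t (*hash)(const void *, const struct hashtable *),
				   int (*compare)(const void *, const void *))
{
	struct hashtable *h;
	uint32_t i;

	if (hashsize == 0 || hash == NULL || compare == NULL) {
		errno = EINVAL;
		return NULL;
	}
	h = calloc(1, hashtable_alloc_size(hashsize));
	if (h == NULL)
		return NULL;
	h->hashsize = hashsize;
	h->limit = limit;
	h->hash = hash;
	h->compare = compare;
	for (i = 0; i < hashsize; i++) {	/* every bucket starts as an empty list */
		h->members[i].next = &h->members[i];
		h->members[i].prev = &h->members[i];
	}
	return h;
}

/* Hypothetical key and callbacks, stand-ins for the conntrack tuple. */
struct key { uint32_t src, dst; uint16_t sport, dport; };

static uint32_t key_hash(const void *data, const struct hashtable *table)
{
	const struct key *k = data;
	uint32_t mixed = k->src ^ (k->dst * 0x9e3779b1u) ^
			 (((uint32_t)k->sport << 16) | k->dport);
	return bucket_index(mixed, table->hashsize);
}

static int key_cmp(const void *data1, const void *data2)
{
	const struct key *a = data1, *b = data2;
	return a->src == b->src && a->dst == b->dst &&
	       a->sport == b->sport && a->dport == b->dport;
}

/* Returns 1 when a zero bucket count is rejected with EINVAL and a sane one is
 * accepted with every hash staying inside the allocated bucket range. */
int demo(void)
{
	struct key k = { 0x0a0a4903u, 0x0a0a4901u, 40000, 443 };	/* constructed sample */
	struct hashtable *bad, *ok;
	int rejected, accepted;

	bad = hashtable_create(0, 0, key_hash, key_cmp);
	rejected = (bad == NULL && errno == EINVAL);

	ok = hashtable_create(8192, 65536, key_hash, key_cmp);
	accepted = (ok != NULL && ok->hash(&k, ok) < ok->hashsize);
	free(ok);
	return rejected && accepted;
}

int main(void)
{
	printf("header-only allocation: %zu bytes; bucket for any hash at hashsize 0: %u\n",
	       hashtable_alloc_size(0), bucket_index(0xdeadbeefu, 0));
	return demo() ? 0 : 1;
}
```

The practical check this suggests for anyone hitting the same trace: confirm what bucket count the running configuration actually yields (the posted conntrackd.conf carries no `HashSize` line), since a table with zero buckets is indistinguishable from a working one until the first lookup.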

