[pkg-netfilter-team] Bug#1017359: nftables: off-by-one error can result in memory corruption and crash
Jeremy Sowden
jeremy at azazel.net
Sun Aug 14 21:45:51 BST 2022
Package: nftables
Version: 0.9.8-3.1
Severity: normal
Tags: upstream
There's an off-by-one error in the part of the error-reporting code that keeps track of
the possible places where an error may occur, which may result in memory
corruption and double frees.
Here's a somewhat contrived example:
# nft add table ip6 t
# nft add chain ip6 t c
# nft add rule ip6 t c \
> meta l4proto tcp \
> tcp flags syn \
> tcp option sack-perm kind 1 \
> tcp option window kind 1 \
> tcp option nop kind 1 \
> tcp option maxseg count 1234 \
> tcp option sack kind 1 \
> tcp option eol kind 1 \
> tcp dport 12345 \
> ip6 saddr :: \
> ip6 daddr :: \
> ip6 dscp af11 \
> ip6 dscp set af12 \
> counter log
free(): invalid pointer
Aborted
Valgrind shows this:
Invalid free() / delete / delete[] / realloc()
at 0x484217B: free (vg_replace_malloc.c:872)
by 0x488F969: cmd_free (rule.c:1673)
by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
by 0x10A8C5: main (main.c:489)
Address 0x4c90a18 is 24 bytes inside a block of size 120 free'd
at 0x484217B: free (vg_replace_malloc.c:872)
by 0x4892193: stmt_free (statement.c:54)
by 0x4892193: stmt_list_free (statement.c:63)
by 0x488F9C7: rule_free (rule.c:688)
by 0x488F9C7: rule_free (rule.c:684)
by 0x488F9C7: cmd_free (rule.c:1639)
by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
by 0x10A8C5: main (main.c:489)
Block was alloc'd at
at 0x48445EF: calloc (vg_replace_malloc.c:1328)
by 0x48B9BBD: xmalloc (utils.c:36)
by 0x48B9BBD: xzalloc (utils.c:65)
by 0x489248D: stmt_alloc (statement.c:41)
by 0x489248D: log_stmt_alloc (statement.c:404)
by 0x48D7E52: nft_parse (parser_bison.y:2808)
by 0x48C0C16: nft_parse_bison_buffer (libnftables.c:389)
by 0x48C0C16: nft_run_cmd_from_buffer (libnftables.c:461)
by 0x10A8C5: main (main.c:489)
This has been fixed upstream:
https://lore.kernel.org/netfilter-devel/20210611164104.8121-11-phil@nwl.cc/
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (99, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.19.0-rc3-nf-next-ulthar-20220707+ (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nftables depends on:
ii dpkg 1.21.9
ii libc6 2.33-8
ii libedit2 3.1-20210910-1
ii libnftables1 0.9.8-3.1
nftables recommends no packages.
Versions of packages nftables suggests:
pn firewalld <none>
-- no debconf information
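The report above describes the bug class only in prose; the following is an added, constructed C illustration of that class (a fixed-capacity table of source locations guarded by an off-by-one comparison), not nftables' own code and not the upstream fix. All names (`err_tracker`, `push_loc_buggy`, `push_loc_fixed`, `MAX_LOCS`) are hypothetical. The extra slot at index `MAX_LOCS` is a canary that stands in for whatever really follows such a table in memory, so the stray write can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not nftables' code: a small fixed-capacity table of
 * source locations, like the one an error reporter keeps so it can point at the
 * right token when a rule fails to parse. MAX_LOCS is deliberately tiny so the
 * boundary is reached within a few pushes. */
#define MAX_LOCS 4

struct location {
    unsigned line;
    unsigned column;
};

/* The table has one extra slot at index MAX_LOCS that is NOT part of the logical
 * capacity. It stands in for whatever really follows the table in memory (another
 * field, a heap pointer, allocator metadata) and is filled with a canary so an
 * off-by-one write can be detected without undefined behaviour. */
#define CANARY_LINE   0xC0FFEEu
#define CANARY_COLUMN 0xBADF00Du

struct err_tracker {
    struct location locs[MAX_LOCS + 1];
    unsigned num;
};

static void tracker_init(struct err_tracker *t)
{
    memset(t, 0, sizeof(*t));
    t->locs[MAX_LOCS].line = CANARY_LINE;
    t->locs[MAX_LOCS].column = CANARY_COLUMN;
}

/* Buggy guard: `>` lets num == MAX_LOCS through, so the (MAX_LOCS + 1)th push
 * writes one slot past the logical end of the table. */
static bool push_loc_buggy(struct err_tracker *t, unsigned line, unsigned column)
{
    if (t->num > MAX_LOCS)
        return false;
    t->locs[t->num].line = line;
    t->locs[t->num].column = column;
    t->num++;
    return true;
}

/* Fixed guard: `>=` rejects the push as soon as the table is full. */
static bool push_loc_fixed(struct err_tracker *t, unsigned line, unsigned column)
{
    if (t->num >= MAX_LOCS)
        return false;
    t->locs[t->num].line = line;
    t->locs[t->num].column = column;
    t->num++;
    return true;
}

static bool canary_intact(const struct err_tracker *t)
{
    return t->locs[MAX_LOCS].line == CANARY_LINE &&
           t->locs[MAX_LOCS].column == CANARY_COLUMN;
}

struct outcome {
    unsigned accepted;      /* how many pushes the guard let through */
    bool canary_intact;     /* false means memory past the table was overwritten */
};

/* Push MAX_LOCS + 1 locations through the chosen guard and report what happened. */
static struct outcome run_scenario(bool use_fixed_guard)
{
    struct err_tracker t;
    struct outcome out = { 0, false };
    bool (*push)(struct err_tracker *, unsigned, unsigned) =
        use_fixed_guard ? push_loc_fixed : push_loc_buggy;

    tracker_init(&t);
    for (unsigned i = 0; i < MAX_LOCS + 1; i++) {
        if (push(&t, i + 1, 1))
            out.accepted++;
    }
    out.canary_intact = canary_intact(&t);
    return out;
}

int main(void)
{
    struct outcome buggy = run_scenario(false);
    struct outcome fixed = run_scenario(true);

    printf("buggy guard: accepted %u of %u pushes, memory past table %s\n",
           buggy.accepted, MAX_LOCS + 1, buggy.canary_intact ? "intact" : "CORRUPTED");
    printf("fixed guard: accepted %u of %u pushes, memory past table %s\n",
           fixed.accepted, MAX_LOCS + 1, fixed.canary_intact ? "intact" : "CORRUPTED");
    return 0;
}
```

With the buggy guard all five pushes are accepted and the canary is clobbered; with the fixed guard the fifth push is refused and the canary survives. In a real process the overwritten bytes are typically a neighbouring pointer or allocator bookkeeping, which is how a single stray write surfaces later as the `free(): invalid pointer` abort and the invalid-free report Valgrind produced above; Valgrind or AddressSanitizer is the practical way to catch this class of defect before it reaches a release.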