From patchwork Fri May 1 15:48:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 1281383 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=fami-braun.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 49DH2K1mx2z9sTR for ; Sat, 2 May 2020 01:57:29 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729915AbgEAP5X (ORCPT ); Fri, 1 May 2020 11:57:23 -0400 Received: from smail.fem.tu-ilmenau.de ([141.24.220.41]:40302 "EHLO smail.fem.tu-ilmenau.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728495AbgEAP5W (ORCPT ); Fri, 1 May 2020 11:57:22 -0400 X-Greylist: delayed 529 seconds by postgrey-1.27 at vger.kernel.org; Fri, 01 May 2020 11:57:21 EDT Received: from mail.fem.tu-ilmenau.de (mail-zuse.net.fem.tu-ilmenau.de [172.21.220.54]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smail.fem.tu-ilmenau.de (Postfix) with ESMTPS id 7945E201B9; Fri, 1 May 2020 17:48:28 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id 4489E61DE; Fri, 1 May 2020 17:48:28 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Agp53F2ETuRt; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id EE56B306A950; Fri, 1 May 2020 17:48:24 +0200 (CEST) From: Michael Braun To: netfilter-devel@vger.kernel.org Cc: Michael Braun Subject: [PATCH 1/3] main: fix ASAN -fsanizize=address error Date: Fri, 1 May 2020 17:48:16 +0200 Message-Id: <20200501154819.2984-1-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-of-by: Michael Braun nft list table bridge t ================================================================= ==28552==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5579c662e816 at pc 0x7fc2803246aa bp 0x7fff495c86f0 sp 0x7fff495c7ea0 WRITE of size 2 at 0x5579c662e816 thread T0 #0 0x7fc2803246a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) #1 0x7fc2803249f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6) #2 0x5579c661e7d2 in get_optstring nftables/src/main.c:128 #3 0x5579c66202af in main nftables/src/main.c:315 #4 0x7fc27ea7b09a in __libc_start_main ../csu/libc-start.c:308 #5 0x5579c661e439 in _start (nftables/src/.libs/nft+0x9439) 0x5579c662e816 is located 0 bytes to the right of global variable 'optstring' defined in 'main.c:121:14' (0x5579c662e800) of size 22 0x5579c662e816 is located 42 bytes to the left of global variable 'options' defined in 'main.c:137:23' (0x5579c662e840) of size 672 SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf Shadow bytes around the buggy address: 0x0aafb8cbdcb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdce0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdcf0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 =>0x0aafb8cbdd00: 00 00[06]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0aafb8cbdd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28552==ABORTING --- src/main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main.c b/src/main.c index 3dc6b62c..d213c601 100644 --- a/src/main.c +++ b/src/main.c @@ -124,10 +124,10 @@ static const char *get_optstring(void) size_t i, j; optstring[0] = '+'; - for (i = 0, j = 1; i < NR_NFT_OPTIONS; i++) - j += sprintf(optstring + j, "%c%s", - nft_options[i].val, - nft_options[i].arg ? ":" : ""); + for (i = 0, j = 1; i < NR_NFT_OPTIONS && j < sizeof(optstring); i++) + j += snprintf(optstring + j, sizeof(optstring) - j, "%c%s", + nft_options[i].val, + nft_options[i].arg ? ":" : ""); } return optstring; } From patchwork Fri May 1 15:48:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 1281381 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=fami-braun.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 49DH2G0PLyz9sTP for ; Sat, 2 May 2020 01:57:26 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729903AbgEAP5W (ORCPT ); Fri, 1 May 2020 11:57:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45650 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729858AbgEAP5V (ORCPT ); Fri, 1 May 2020 11:57:21 -0400 X-Greylist: delayed 528 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Fri, 01 May 2020 08:57:21 PDT Received: from smail.fem.tu-ilmenau.de (smail.fem.tu-ilmenau.de [IPv6:2001:638:904:ffbf::41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D14AC061A0C for ; Fri, 1 May 2020 08:57:21 -0700 (PDT) Received: from mail.fem.tu-ilmenau.de (mail-zuse.net.fem.tu-ilmenau.de [172.21.220.54]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smail.fem.tu-ilmenau.de (Postfix) with ESMTPS id C3EA92049A; Fri, 1 May 2020 17:48:29 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id 94D336208; Fri, 1 May 2020 17:48:29 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DnMbFI5nz6-A; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: from mail-backup.fem.tu-ilmenau.de (mail-backup.net.fem.tu-ilmenau.de [10.42.40.22]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.fem.tu-ilmenau.de (Postfix) with ESMTPS; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail-backup.fem.tu-ilmenau.de (Postfix) with ESMTP id A3B0555116; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id 39604306AC0A; Fri, 1 May 2020 17:48:25 +0200 (CEST) From: Michael Braun To: netfilter-devel@vger.kernel.org Cc: Michael Braun Subject: [PATCH 2/3] utils: fix UBSAN warning in fls Date: Fri, 1 May 2020 17:48:17 +0200 Message-Id: <20200501154819.2984-2-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200501154819.2984-1-michael-dev@fami-braun.de> References: <20200501154819.2984-1-michael-dev@fami-braun.de> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org ../include/utils.h:120:5: runtime error: left shift of 1103101952 by 1 places cannot be represented in type 'int' Signed-off-by: Michael Braun --- include/utils.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/utils.h b/include/utils.h index 647e8bbe..f45f2513 100644 --- a/include/utils.h +++ b/include/utils.h @@ -94,7 +94,7 @@ * This is defined the same way as ffs. * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32. */ -static inline int fls(int x) +static inline int fls(uint32_t x) { int r = 32; From patchwork Fri May 1 15:48:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 1281382 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=fami-braun.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 49DH2J1jd9z9sTH for ; Sat, 2 May 2020 01:57:28 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729914AbgEAP5W (ORCPT ); Fri, 1 May 2020 11:57:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45652 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729860AbgEAP5V (ORCPT ); Fri, 1 May 2020 11:57:21 -0400 Received: from smail.fem.tu-ilmenau.de (smail.fem.tu-ilmenau.de [IPv6:2001:638:904:ffbf::41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1071C061A0E for ; Fri, 1 May 2020 08:57:21 -0700 (PDT) Received: from mail.fem.tu-ilmenau.de (mail-zuse.net.fem.tu-ilmenau.de [172.21.220.54]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smail.fem.tu-ilmenau.de (Postfix) with ESMTPS id EB52E203F8; Fri, 1 May 2020 17:48:28 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id B51FD6207; Fri, 1 May 2020 17:48:28 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5wK7f9jpT6P; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP; Fri, 1 May 2020 17:48:26 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id 95B2C306A96B; Fri, 1 May 2020 17:48:26 +0200 (CEST) From: Michael Braun To: netfilter-devel@vger.kernel.org Cc: Michael Braun Subject: [PATCH 3/3] datatype: fix double-free resulting in use-after-free in datatype_free Date: Fri, 1 May 2020 17:48:18 +0200 Message-Id: <20200501154819.2984-3-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200501154819.2984-1-michael-dev@fami-braun.de> References: <20200501154819.2984-1-michael-dev@fami-braun.de> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org nft list table bridge t table bridge t { set s4 { typeof ip saddr . ip daddr elements = { 1.0.0.1 . 2.0.0.2 } } } ================================================================= ==24334==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000000a8 at pc 0x7fe0e67df0ad bp 0x7ffff83e88c0 sp 0x7ffff83e88b8 READ of size 4 at 0x6080000000a8 thread T0 #0 0x7fe0e67df0ac in datatype_free nftables/src/datatype.c:1110 #1 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89 #2 0x7fe0e67a855e in set_free nftables/src/rule.c:359 #3 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263 #4 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299 #5 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305 #6 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292 #7 0x55f00fbe0051 in main nftables/src/main.c:469 #8 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308 #9 0x55f00fbdd429 in _start (nftables/src/.libs/nft+0x9429) 0x6080000000a8 is located 8 bytes inside of 96-byte region [0x6080000000a0,0x608000000100) freed by thread T0 here: #0 0x7fe0e6e70fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0) #1 0x7fe0e68b8122 in xfree nftables/src/utils.c:29 #2 0x7fe0e67df2e5 in datatype_free nftables/src/datatype.c:1117 #3 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89 #4 0x7fe0e67a83fe in set_free nftables/src/rule.c:356 #5 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263 #6 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299 #7 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305 #8 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292 #9 0x55f00fbe0051 in main nftables/src/main.c:469 #10 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7fe0e6e71330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7fe0e68b813d in xmalloc nftables/src/utils.c:36 #2 0x7fe0e68b8296 in xzalloc nftables/src/utils.c:65 #3 0x7fe0e67de7d5 in dtype_alloc nftables/src/datatype.c:1065 #4 0x7fe0e67df862 in concat_type_alloc nftables/src/datatype.c:1146 #5 0x7fe0e67ea852 in concat_expr_parse_udata nftables/src/expression.c:954 #6 0x7fe0e685dc94 in set_make_key nftables/src/netlink.c:718 #7 0x7fe0e685e177 in netlink_delinearize_set nftables/src/netlink.c:770 #8 0x7fe0e685f667 in list_set_cb nftables/src/netlink.c:895 #9 0x7fe0e4f95a03 in nftnl_set_list_foreach src/set.c:904 SUMMARY: AddressSanitizer: heap-use-after-free nftables/src/datatype.c:1110 in datatype_free Shadow bytes around the buggy address: 0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c107fff8010: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd 0x0c107fff8020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24334==ABORTING --- src/datatype.c | 2 ++ src/expression.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/datatype.c b/src/datatype.c index 095598d9..0110846f 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -1083,6 +1083,8 @@ struct datatype *datatype_get(const struct datatype *ptr) void datatype_set(struct expr *expr, const struct datatype *dtype) { + if (dtype == expr->dtype) + return; // do not free dtype before incrementing refcnt again datatype_free(expr->dtype); expr->dtype = datatype_get(dtype); } diff --git a/src/expression.c b/src/expression.c index 6605beb3..a6bde70f 100644 --- a/src/expression.c +++ b/src/expression.c @@ -955,7 +955,7 @@ static struct expr *concat_expr_parse_udata(const struct nftnl_udata *attr) if (!dtype) goto err_free; - concat_expr->dtype = dtype; + concat_expr->dtype = datatype_get(dtype); concat_expr->len = dtype->size; return concat_expr;