Your message dated Fri, 09 Dec 2022 19:32:08 +0000
with message-id <[email protected]>
and subject line Bug#1017359: fixed in nftables 0.9.8-3.1+deb11u1
has caused the Debian Bug report #1017359,
regarding nftables: off-by-one error can result in memory corruption and crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1017359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nftables
Version: 0.9.8-3.1
Severity: normal
Tags: upstream

There's an off-by-one error in the part of the error-reporting code that keeps
track of the possible places where an error may occur, which may result in
memory corruption and double frees.

Here's a somewhat contrived example:

  # nft add table ip6 t
  # nft add chain ip6 t c
  # nft add rule ip6 t c \
  > meta l4proto tcp \
  > tcp flags syn \
  > tcp option sack-perm kind 1 \
  > tcp option window kind 1 \
  > tcp option nop kind 1 \
  > tcp option maxseg count 1234 \
  > tcp option sack kind 1 \
  > tcp option eol kind 1 \
  > tcp dport 12345 \
  > ip6 saddr :: \
  > ip6 daddr :: \
  > ip6 dscp af11 \
  > ip6 dscp set af12 \
  > counter log
  free(): invalid pointer
  Aborted

Valgrind shows this:

  Invalid free() / delete / delete[] / realloc()
     at 0x484217B: free (vg_replace_malloc.c:872)
     by 0x488F969: cmd_free (rule.c:1673)
     by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
     by 0x10A8C5: main (main.c:489)
   Address 0x4c90a18 is 24 bytes inside a block of size 120 free'd
     at 0x484217B: free (vg_replace_malloc.c:872)
     by 0x4892193: stmt_free (statement.c:54)
     by 0x4892193: stmt_list_free (statement.c:63)
     by 0x488F9C7: rule_free (rule.c:688)
     by 0x488F9C7: rule_free (rule.c:684)
     by 0x488F9C7: cmd_free (rule.c:1639)
     by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
     by 0x10A8C5: main (main.c:489)
   Block was alloc'd at
     at 0x48445EF: calloc (vg_replace_malloc.c:1328)
     by 0x48B9BBD: xmalloc (utils.c:36)
     by 0x48B9BBD: xzalloc (utils.c:65)
     by 0x489248D: stmt_alloc (statement.c:41)
     by 0x489248D: log_stmt_alloc (statement.c:404)
     by 0x48D7E52: nft_parse (parser_bison.y:2808)
     by 0x48C0C16: nft_parse_bison_buffer (libnftables.c:389)
     by 0x48C0C16: nft_run_cmd_from_buffer (libnftables.c:461)
     by 0x10A8C5: main (main.c:489)

This has been fixed upstream:

  https://lore.kernel.org/netfilter-devel/[email protected]/

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (99, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-rc3-nf-next-ulthar-20220707+ (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.21.9
ii  libc6         2.33-8
ii  libedit2      3.1-20210910-1
ii  libnftables1  0.9.8-3.1

nftables recommends no packages.

Versions of packages nftables suggests:
pn  firewalld  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: nftables
Source-Version: 0.9.8-3.1+deb11u1
Done: Jeremy Sowden <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nftables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Sowden <[email protected]> (supplier of updated nftables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Sep 2022 09:34:11 +0100
Source: nftables
Architecture: source
Version: 0.9.8-3.1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Netfilter Packaging Team <[email protected]>
Changed-By: Jeremy Sowden <[email protected]>
Closes: 1017359
Changes:
 nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
 .
   * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
     It fixes an off-by-one error in the check for NFT_NLATTR_LOC_MAX
     which leads to double free or corruption (out) error.
     Thanks to Sven Auhagen <[email protected]> for
     suggesting the fix (closes: #1017359).
   * d/control: add myself to uploaders.
Checksums-Sha1:
 77c88e73b0bf36be03e1197ed12a43b197cf840c 2765 nftables_0.9.8-3.1+deb11u1.dsc
 2d3d9085a9bd80abaa6655f5238b92c5f4c7bc3c 22544 nftables_0.9.8-3.1+deb11u1.debian.tar.xz
 97b5eeb6091c79babd05cc734405e6ba059e8277 8803 nftables_0.9.8-3.1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 aca37220bce66a6722384b14d91cf3d25d218c4814e65e843c6ea98fa6d38a28 2765 nftables_0.9.8-3.1+deb11u1.dsc
 9f4f528448537bedffa9009b3a2b713cea39a2f35dcbca5e4173f0d6d9d60edf 22544 nftables_0.9.8-3.1+deb11u1.debian.tar.xz
 e6ccc498b1f967f0f2e11abc7962153b6f86e35839d518c7634757c79b5aa3eb 8803 nftables_0.9.8-3.1+deb11u1_amd64.buildinfo
Files:
 24cb965d965dc7cba069c653dea45400 2765 net important nftables_0.9.8-3.1+deb11u1.dsc
 99ef2ab935b1cd7a3fb14c6e355cd06e 22544 net important nftables_0.9.8-3.1+deb11u1.debian.tar.xz
 7f4ca1d93e0643424510db0a98ccc03a 8803 net important nftables_0.9.8-3.1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
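The bug report above and the changelog entry both describe the same defect: a bounds check on a fixed-size array of error locations that is off by one, so the last accepted write lands just past the array and corrupts whatever follows it (in the Valgrind trace, a pointer that is later passed to free()). The following is an added example, not nftables' own code, that models that pattern: a "> MAX" check beside the ">= MAX" form that rejects the write once the array is full. MAX_LOCS, the struct layout, the canary slot and the function names are assumptions for illustration only; the canary slot stands in for the field that follows the array in the real struct.

```c
/* Added example (not nftables' own code): models an off-by-one bounds
 * check on a fixed array of error-location slots.  MAX_LOCS stands in
 * for NFT_NLATTR_LOC_MAX; names and layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCS 4            /* assumed capacity, not the real constant */
#define CANARY_OFFSET 0xA5A5  /* recognisable value in the canary slot */

struct location {
    int line;
    int col;
};

struct loc_entry {
    uint16_t offset;
    const struct location *location;
};

/* One slot larger than the real array would be: attr[MAX_LOCS] is a
 * canary standing in for the field that follows the array in memory,
 * so an off-by-one write is observable without undefined behaviour. */
struct cmd_model {
    struct loc_entry attr[MAX_LOCS + 1];
    unsigned int num_attrs;
};

static void cmd_model_init(struct cmd_model *cmd)
{
    memset(cmd, 0, sizeof(*cmd));
    cmd->attr[MAX_LOCS].offset = CANARY_OFFSET;
    cmd->attr[MAX_LOCS].location = NULL;
}

/* Buggy form: "> MAX_LOCS" lets num_attrs == MAX_LOCS through, so the
 * (MAX_LOCS + 1)-th call writes to attr[MAX_LOCS], one past the last
 * valid slot, and clobbers the canary. */
static void add_loc_buggy(struct cmd_model *cmd, uint16_t offset,
                          const struct location *loc)
{
    if (cmd->num_attrs > MAX_LOCS)
        return;
    cmd->attr[cmd->num_attrs].offset = offset;
    cmd->attr[cmd->num_attrs].location = loc;
    cmd->num_attrs++;
}

/* Fixed form: ">= MAX_LOCS" rejects the write once the array is full. */
static void add_loc_fixed(struct cmd_model *cmd, uint16_t offset,
                          const struct location *loc)
{
    if (cmd->num_attrs >= MAX_LOCS)
        return;
    cmd->attr[cmd->num_attrs].offset = offset;
    cmd->attr[cmd->num_attrs].location = loc;
    cmd->num_attrs++;
}

typedef void (*add_loc_fn)(struct cmd_model *, uint16_t,
                           const struct location *);

/* Feeds MAX_LOCS + 1 constructed locations (one more than fits, like the
 * long rule in the report) through the given routine.  Stores how many
 * were accepted in *accepted and returns 1 if the canary slot survived,
 * 0 if it was overwritten. */
static int canary_intact(add_loc_fn add, unsigned int *accepted)
{
    struct cmd_model cmd;
    struct location locs[MAX_LOCS + 1];
    unsigned int i;

    cmd_model_init(&cmd);
    for (i = 0; i < MAX_LOCS + 1; i++) {
        locs[i].line = 1;
        locs[i].col = (int)i;
        add(&cmd, (uint16_t)(i * 8), &locs[i]);
    }
    *accepted = cmd.num_attrs;
    return cmd.attr[MAX_LOCS].offset == CANARY_OFFSET &&
           cmd.attr[MAX_LOCS].location == NULL;
}

int main(void)
{
    unsigned int n;

    printf("buggy: canary %s, %u locations accepted (capacity %d)\n",
           canary_intact(add_loc_buggy, &n) ? "intact" : "CLOBBERED",
           n, MAX_LOCS);
    printf("fixed: canary %s, %u locations accepted (capacity %d)\n",
           canary_intact(add_loc_fixed, &n) ? "intact" : "CLOBBERED",
           n, MAX_LOCS);
    return 0;
}
```

Compile with `cc -Wall -O2 -o offbyone offbyone.c && ./offbyone`. In a real struct there is no canary slot: the stray write lands on the next field, and since in the report that field held a pointer, the corruption only surfaced later as `free(): invalid pointer`, which is why a rule long enough to generate more locations than the array holds is the trigger and why the check has to be against the capacity with `>=`, not `>`.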
