diff mbox series

[scarthgap,14/18] iptables: fix memory corruption when parsing nft rules

Message ID fa3873cfcda862d8aad564966070af216e4903c6.1722790925.git.steve@sakoman.com
State Accepted
Delegated to: Steve Sakoman
Headers show
Series [scarthgap,01/18] libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust | expand

Commit Message

Steve Sakoman Aug. 4, 2024, 5:09 p.m. UTC 
From: Christian Taedcke <christian.taedcke@weidmueller.com>

This commit fixes a memory corruption issue when iptables (with
enabled PACKAGECONFIG libnftnl) is used to access rules created by
nft.

To reproduce the issue:
nft add chain ip filter TESTCHAIN { meta mark set 123 \;}
iptables -t filter -n -L TESTCHAIN

This produced the following output:
Chain TESTCHAIN (0 references)
target prot opt source     destination
MARK   0    --  0.0.0.0/0  0.0.0.0/0     MARK set 0x7b
malloc(): corrupted top size
Aborted (core dumped)

This commit fixes this issue.

Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...se-Add-missing-braces-around-ternary.patch | 37 +++++++++++++++++++
 .../iptables/iptables_1.8.10.bb               |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
diff mbox series

Patch

diff --git a/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch b/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
new file mode 100644
index 0000000000..4cbc8bdaf4
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
@@ -0,0 +1,37 @@ 
+From 2026b08bce7fe87b5964f7912e1eef30f04922c1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 26 Jan 2024 18:43:10 +0100
+Subject: [PATCH] nft: ruleparse: Add missing braces around ternary
+
+The expression evaluated the sum before the ternay, consequently not
+adding target->size if tgsize was zero.
+
+Identified by ASAN for a simple rule using standard target:
+| # ebtables -A INPUT -s de:ad:be:ef:0:00 -j RETURN
+| # ebtables -D INPUT -s de:ad:be:ef:0:00 -j RETURN
+| =================================================================
+| ==18925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x7f627a4c75c5 bp 0x7ffe882b5180 sp 0x7ffe882b4928
+| READ of size 8 at 0x603000000120 thread T0
+| [...]
+
+Upstream-Status: Backport [2026b08bce7fe87b5964f7912e1eef30f04922c1]
+
+Fixes: 2a6eee89083c8 ("nft-ruleparse: Introduce nft_create_target()")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft-ruleparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
+index 0bbdf44faf..3b1cbe4fa1 100644
+--- a/iptables/nft-ruleparse.c
++++ b/iptables/nft-ruleparse.c
+@@ -94,7 +94,7 @@ __nft_create_target(struct nft_xt_ctx *ctx, const char *name, size_t tgsize)
+ 	if (!target)
+ 		return NULL;
+ 
+-	size = XT_ALIGN(sizeof(*target->t)) + tgsize ?: target->size;
++	size = XT_ALIGN(sizeof(*target->t)) + (tgsize ?: target->size);
+ 
+ 	target->t = xtables_calloc(1, size);
+ 	target->t->u.target_size = size;
diff --git a/meta/recipes-extended/iptables/iptables_1.8.10.bb b/meta/recipes-extended/iptables/iptables_1.8.10.bb
index 0070264844..f1ee1efe28 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.10.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -16,6 +16,7 @@  SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.xz \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
            file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
            file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
+           file://0005-nft-ruleparse-Add-missing-braces-around-ternary.patch \
            "
 SRC_URI[sha256sum] = "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c"