[Bug 1432] New: ebtables ebtables-2.0.11 buffer overflow on getting kernel data (ebtables compiled with address sanitizer)
bugzilla-daemon at netfilter.org
Wed May 27 17:59:08 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1432
Bug ID: 1432
Summary: ebtables ebtables-2.0.11 buffer overflow on getting kernel data (ebtables compiled with address sanitizer)
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: bridging
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: scourge86 at mail.ru
root at ebtablesfuzz:~/SOURCE/ebtables-2.0.11# ./ebtables-legacy --list
=================================================================
==18489==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0c4ecc48 at pc 0x7f89fdb7aa0b bp 0x7fff0c4eca70 sp 0x7fff0c4ec220
WRITE of size 264 at 0x7fff0c4ecc48 thread T0
    #0 0x7f89fdb7aa0a (/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
    #1 0x7f89fda8220e in retrieve_from_kernel /root/SOURCE/ebtables-2.0.11/communication.c:702
    #2 0x7f89fda8220e in ebt_get_table /root/SOURCE/ebtables-2.0.11/communication.c:723
    #3 0x7f89fdaa2b3e in ebt_get_kernel_table /root/SOURCE/ebtables-2.0.11/libebtc.c:182
    #4 0x7f89fda8da61 in do_command /root/SOURCE/ebtables-2.0.11/ebtables.c:719
    #5 0x55aa44bc6423 in main /root/SOURCE/ebtables-2.0.11/ebtables-standalone.c:15
    #6 0x7f89fd8c509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x55aa44bc65b9 in _start (/root/SOURCE/ebtables-2.0.11/.libs/ebtables-legacy+0x15b9)

Address 0x7fff0c4ecc48 is located in stack of thread T0 at offset 216 in frame
    #0 0x7f89fda8170f in ebt_get_table /root/SOURCE/ebtables-2.0.11/communication.c:709

  This frame has 2 object(s):
    [32, 36) 'optlen'
    [96, 216) 'repl' <== Memory access at offset 216 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
Shadow bytes around the buggy address:
==18489==ABORTING