[Bug 1714] New: Stack smash: libnftables does not enforce string length limits for log prefixes

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Oct 17 15:35:45 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1714

            Bug ID: 1714
           Summary: Stack smash: libnftables does not enforce string
                    length limits for log prefixes
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: RedHat Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: Sam.Clippinger at garmin.com

Created attachment 726
  --> https://bugzilla.netfilter.org/attachment.cgi?id=726&action=edit
Python script to reproduce stack smash

When creating a rule using nft, using a log prefix over 128 bytes overflows a
stack variable and causes a crash.  To reproduce from bash:

# Send 140 bytes to trigger the stack protector added by gcc
LOREM_IPSUM="Lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua Ut enim ad minim ve"
nft add rule ip filter OUTPUT log prefix "\"${LOREM_IPSUM}\""

Output:
*** stack smashing detected ***: terminated
Aborted (core dumped)

# Sending more data bypasses the stack protector
LOREM_IPSUM="Lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua Ut enim ad minim veniam quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur Excepteur sint occaecat cupidatat non proident sunt in culpa qui officia deserunt mollit anim id est laborum"
nft add rule ip filter OUTPUT log prefix "\"${LOREM_IPSUM}\""

Output:
Segmentation fault (core dumped)

This crash can be reproduced from Python as well; I've attached a small script
that shows the same behavior as the command line tool.

I am using nftables 1.0.4 on Rocky Linux 9 (RHEL 9 clone).

I am unable to reproduce this crash using nftables 0.9.3 on Rocky Linux 8. 
Using that version, the above commands fail with the message "Error: Could not
process rule: Numerical result out of range".

From what I can see, the log prefix buffer size is defined in
include/linux/netfilter/nf_log.h and used to create stack variables in
src/json.c and src/statement.c.  The stack variables are then passed to
expr_to_string() without any indication of the maximum size.

Please let me know if there's anything I can do to assist fixing this bug!

-- Sam
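The pattern the report describes, as an added C example that is not nftables code and not part of the original mail: a caller declares a stack array sized by NF_LOG_PREFIXLEN (128, the kernel's log-prefix buffer size as the report states), then hands a formatter only the pointer, so the formatter has no way to stop at the end of the array. The vulnerable rendering is shown beside a bounded one that returns -ERANGE, the errno behind the "Numerical result out of range" message the report got from 0.9.3, plus a front-door length check to apply at rule-creation time. The struct and function names (log_stmt, render_log_stmt, log_prefix_fits, make_prefix, the two prefix_to_string_* helpers) are hypothetical stand-ins, not the project's own, and the limit of NF_LOG_PREFIXLEN - 1 payload bytes plus a NUL is an assumption of this model.

```c
/* Added example, not nftables code: model of an unbounded write into a
 * stack buffer sized by NF_LOG_PREFIXLEN, beside the bounded version.
 * All names below are hypothetical stand-ins for nft's statement printer
 * and expr_to_string(). Assumption: the buffer holds prefix + NUL, so the
 * longest accepted prefix is NF_LOG_PREFIXLEN - 1 bytes. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NF_LOG_PREFIXLEN 128

/* Stand-in for the log statement's prefix expression (a plain string). */
struct log_stmt {
	const char *prefix;
};

/* Vulnerable pattern: only a pointer is passed, so the formatter cannot
 * know the destination is a 128-byte stack array. 140 bytes trips gcc's
 * stack protector; a few hundred bytes overwrite enough of the frame to
 * crash with SIGSEGV instead. main() only runs this when given --unsafe. */
static void prefix_to_string_unbounded(char *out, const struct log_stmt *stmt)
{
	strcpy(out, stmt->prefix);
}

/* Hardened pattern: the formatter receives the buffer size and refuses
 * anything that does not fit, returning -ERANGE (strerror: "Numerical
 * result out of range"). */
static int prefix_to_string_bounded(char *out, size_t outsz,
				    const struct log_stmt *stmt)
{
	size_t need = strlen(stmt->prefix) + 1;	/* payload plus NUL */

	if (need > outsz) {
		out[0] = '\0';		/* never hand back a half-written prefix */
		return -ERANGE;
	}
	memcpy(out, stmt->prefix, need);
	return 0;
}

/* Caller pattern from the report: a stack buffer sized by the kernel
 * constant. Returns 0 if rendered, -ERANGE if the bounded path refused.
 * The unbounded path always reports success, which is the whole problem. */
int render_log_stmt(const struct log_stmt *stmt, int hardened)
{
	char prefix[NF_LOG_PREFIXLEN];

	if (!hardened) {
		prefix_to_string_unbounded(prefix, stmt);
		return 0;
	}
	return prefix_to_string_bounded(prefix, sizeof(prefix), stmt);
}

/* Front-door check to run when the rule is parsed, before any printer or
 * JSON serialiser sees the prefix: 1 if it fits with its NUL, else 0. */
int log_prefix_fits(const char *prefix)
{
	return strlen(prefix) < NF_LOG_PREFIXLEN;
}

/* Constructed test input: a prefix of exactly n bytes ('L' repeated).
 * Caller frees. */
char *make_prefix(size_t n)
{
	char *p = malloc(n + 1);

	if (!p)
		return NULL;
	memset(p, 'L', n);
	p[n] = '\0';
	return p;
}

int main(int argc, char **argv)
{
	const size_t lens[] = { 20, 127, 128, 140, 400 };
	int unsafe = argc > 1 && strcmp(argv[1], "--unsafe") == 0;

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		char *p = make_prefix(lens[i]);
		struct log_stmt stmt = { .prefix = p };
		int rc = render_log_stmt(&stmt, /* hardened = */ 1);

		printf("prefix of %3zu bytes: fits=%d bounded rc=%d (%s)\n",
		       lens[i], log_prefix_fits(p), rc,
		       rc ? strerror(-rc) : "ok");
		free(p);
	}
	if (unsafe) {
		/* The report's 140-byte case: expect the stack-protector abort. */
		char *p = make_prefix(140);
		struct log_stmt stmt = { .prefix = p };

		render_log_stmt(&stmt, /* hardened = */ 0);
		free(p);
	}
	return 0;
}
```

Build with `gcc -fstack-protector-strong -O0 -o prefix prefix.c`; run it plainly to see the bounded path accept 127 bytes and refuse 128 and above, or with `--unsafe` to reproduce the "*** stack smashing detected ***" abort the report shows. The two checks complement each other: log_prefix_fits() rejects the rule up front, and the size-aware formatter keeps any later code path (printing, JSON output) safe even if an over-long prefix reaches it by some other route.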
