<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - ebtables ebtables-2.0.11 buffer overflow on getting kernel data (ebtables compiled with AddressSanitizer)" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1432">1432</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ebtables ebtables-2.0.11 buffer overflow on getting kernel data (ebtables compiled with AddressSanitizer)
</td>
</tr>
<tr>
<th>Product</th>
<td>netfilter/iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>bridging
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>scourge86@mail.ru
</td>
</tr></table>
<p>
<div>
<pre>root@ebtablesfuzz:~/SOURCE/ebtables-2.0.11# ./ebtables-legacy --list
=================================================================
==18489==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff0c4ecc48 at pc 0x7f89fdb7aa0b bp 0x7fff0c4eca70 sp 0x7fff0c4ec220
WRITE of size 264 at 0x7fff0c4ecc48 thread T0
#0 0x7f89fdb7aa0a (/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
#1 0x7f89fda8220e in retrieve_from_kernel
/root/SOURCE/ebtables-2.0.11/communication.c:702
#2 0x7f89fda8220e in ebt_get_table
/root/SOURCE/ebtables-2.0.11/communication.c:723
#3 0x7f89fdaa2b3e in ebt_get_kernel_table
/root/SOURCE/ebtables-2.0.11/libebtc.c:182
#4 0x7f89fda8da61 in do_command /root/SOURCE/ebtables-2.0.11/ebtables.c:719
#5 0x55aa44bc6423 in main
/root/SOURCE/ebtables-2.0.11/ebtables-standalone.c:15
#6 0x7f89fd8c509a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#7 0x55aa44bc65b9 in _start
(/root/SOURCE/ebtables-2.0.11/.libs/ebtables-legacy+0x15b9)
Address 0x7fff0c4ecc48 is located in stack of thread T0 at offset 216 in frame
#0 0x7f89fda8170f in ebt_get_table
/root/SOURCE/ebtables-2.0.11/communication.c:709
This frame has 2 object(s):
[32, 36) 'optlen'
[96, 216) 'repl' <== Memory access at offset 216 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x68a0a)
Shadow bytes around the buggy address:
0x100061895930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061895940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061895950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061895960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x100061895970: f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
=>0x100061895980: 00 00 00 00 00 00 00 00 00[f2]f3 f3 f3 f3 00 00
0x100061895990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000618959a0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
0x1000618959b0: f2 f2 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
0x1000618959c0: f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00
0x1000618959d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18489==ABORTING</pre>
</div>
</p>
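<p>The frame description above says the access is a 264-byte write whose first bad byte lands at offset 216, immediately past the 120-byte <code>repl</code> object ([96, 216)), and frame #0 is inside libasan itself, i.e. the write was flagged by a sanitizer interceptor rather than by instrumented ebtables code. ASan's <code>getsockopt</code> interceptor marks the range [optval, optval + *optlen) as written after a successful call, so what it checks is that the length handed to (or returned by) <code>getsockopt</code> fits the object behind <code>optval</code>; the trace alone does not show whether the kernel actually wrote 264 bytes into <code>repl</code> or whether 264 is only the length the caller passed. The program below is an added example, not code from the report or from ebtables: it reproduces the two sizes from the report (a 120-byte <code>struct ebt_replace</code> and a 264-byte length) and shows a wrapper that enforces the same invariant before and after the call. The <code>ebt_replace</code> layout is copied from the kernel uapi header as I read it (an assumption; check it against <code>linux/netfilter_bridge/ebtables.h</code>), and the stand-in kernel and its field values are constructed.</p>

```c
/* bounded_getsockopt.c - added example, not ebtables or kernel code.
 * ASan's getsockopt interceptor treats [optval, optval + *optlen) as written
 * once the call succeeds, so an optlen larger than the object behind optval
 * is reported as a stack/heap-buffer-overflow of that object. The sizes used
 * here (120-byte 'repl', 264-byte length) are the ones in the report above. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Layout as read from linux/netfilter_bridge/ebtables.h (assumption: verify
 * against your headers). 120 bytes on x86_64, matching the frame's [96, 216). */
#define EBT_TABLE_MAXNAMELEN 32
#define NF_BR_NUMHOOKS 6
struct ebt_entries;
struct ebt_counter;
struct ebt_replace {
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	unsigned int nentries;
	unsigned int entries_size;
	struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
	unsigned int num_counters;
	struct ebt_counter *counters;
	char *entries;
};

size_t repl_size(void) { return sizeof(struct ebt_replace); }

/* Same shape as getsockopt(2), so the real function can be passed in. */
typedef int (*getsockopt_fn)(int, int, int, void *, socklen_t *);

/* Constructed stand-in for the kernel: writes exactly one ebt_replace and
 * leaves *optlen untouched. The field values are made up for the demo. */
static int fake_kernel_getsockopt(int fd, int level, int optname,
                                  void *optval, socklen_t *optlen)
{
	struct ebt_replace tmp;
	(void)fd; (void)level; (void)optname;
	if (*optlen < sizeof tmp) {
		errno = EINVAL;
		return -1;
	}
	memset(&tmp, 0, sizeof tmp);
	strncpy(tmp.name, "filter", sizeof tmp.name - 1);
	tmp.nentries = 3;
	tmp.entries_size = 144;
	memcpy(optval, &tmp, sizeof tmp);
	return 0;
}

/* Refuse to issue, or to accept the result of, a getsockopt whose length does
 * not fit the object passed as optval. Returns 0 on success, -1 with errno. */
int bounded_getsockopt(getsockopt_fn fn, int fd, int level, int optname,
                       void *optval, size_t optval_size, socklen_t *optlen)
{
	if (*optlen > optval_size) {   /* caller asked for more than it owns */
		errno = EOVERFLOW;
		return -1;
	}
	if (fn(fd, level, optname, optval, optlen) != 0)
		return -1;
	if (*optlen > optval_size) {   /* callee grew the length past the object */
		errno = EOVERFLOW;
		return -1;
	}
	return 0;
}

/* Try the two lengths from the report against a stack ebt_replace.
 * Returns 0 when the sizeof-sized request succeeds and the 264-byte one is
 * refused with EOVERFLOW before the callee is ever invoked. */
int demo(void)
{
	struct ebt_replace repl;
	socklen_t optlen = sizeof repl;   /* 120 on x86_64 */
	int ok = bounded_getsockopt(fake_kernel_getsockopt, -1, 0, 0,
	                            &repl, sizeof repl, &optlen);
	optlen = 264;                     /* the write size in the ASan report */
	int refused = bounded_getsockopt(fake_kernel_getsockopt, -1, 0, 0,
	                                 &repl, sizeof repl, &optlen);
	return (ok == 0 && refused == -1 && errno == EOVERFLOW) ? 0 : 1;
}

int main(void)
{
	printf("sizeof(struct ebt_replace) = %zu\n", repl_size());
	printf("bounded getsockopt demo: %s\n", demo() == 0 ? "ok" : "FAILED");
	return demo();
}
```

<p>When triaging a report like this one, run the same wrapper with the real <code>getsockopt</code> in place of the stand-in: if the 264-byte length is set by the caller, the pre-call check fires and the sanitizer never sees the call; if it is reported back by the kernel, the post-call check fires instead. Either way the check separates "the caller passed a length larger than its buffer" from "the kernel wrote past the buffer", which the ASan trace by itself does not.</p>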
</body>
</html>