[Bug 1714] New: Stack smash: libnftables does not enforce string length limits for log prefixes
bugzilla-daemon at netfilter.org
Tue Oct 17 15:35:45 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1714
Bug ID: 1714
Summary: Stack smash: libnftables does not enforce string
length limits for log prefixes
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: RedHat Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: Sam.Clippinger at garmin.com
Created attachment 726
--> https://bugzilla.netfilter.org/attachment.cgi?id=726&action=edit
Python script to reproduce stack smash
When creating a rule using nft, using a log prefix over 128 bytes overflows a
stack variable and causes a crash. To reproduce from bash:
# Send 140 bytes to trigger the stack protector added by gcc
LOREM_IPSUM="Lorem ipsum dolor sit amet consectetur adipiscing elit sed do
eiusmod tempor incididunt ut labore et dolore magna aliqua Ut enim ad minim ve"
nft add rule ip filter OUTPUT log prefix "\"${LOREM_IPSUM}\""
Output:
*** stack smashing detected ***: terminated
Aborted (core dumped)
# Sending more data bypasses the stack protector
LOREM_IPSUM="Lorem ipsum dolor sit amet consectetur adipiscing elit sed do
eiusmod tempor incididunt ut labore et dolore magna aliqua Ut enim ad minim
veniam quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo
consequat Duis aute irure dolor in reprehenderit in voluptate velit esse cillum
dolore eu fugiat nulla pariatur Excepteur sint occaecat cupidatat non proident
sunt in culpa qui officia deserunt mollit anim id est laborum"
nft add rule ip filter OUTPUT log prefix "\"${LOREM_IPSUM}\""
Output:
Segmentation fault (core dumped)
This crash can be reproduced from Python as well, I've attached a small script
that shows the same behavior as the command line tool.
I am using nftables 1.0.4 on Rocky Linux 9 (RHEL 9 clone).
I am unable to reproduce this crash using nftables 0.9.3 on Rocky Linux 8.
Using that version, the above commands fail with the message "Error: Could not
process rule: Numerical result out of range".
From what I can see, the log prefix buffer size is defined in
include/linux/netfilter/nf_log.h and used to create stack variables in
src/json.c and src/statement.c. The stack variables are then passed to
expr_to_string() without any indication of the maximum size.
Please let me know if there's anything I can do to assist fixing this bug!
-- Sam
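The following C program is an added illustration of the pattern the report describes, written for this page; it is not code from the report, its attachment, or the nftables source. It assumes a prefix limit of 128 bytes (the report's "over 128 bytes" observation; the real value lives in include/linux/netfilter/nf_log.h) and uses hypothetical function names (expr_to_string_unbounded, expr_to_string_bounded, log_prefix_unsafe, log_prefix_safe, try_prefix_of_length) that stand in for, but are not, the nftables functions named above. It places a fixed-size stack buffer that is filled by a callee that knows nothing about its size next to the hardened form, where the callee receives the size and rejects an over-long prefix with -ERANGE, the errno whose strerror() text is the "Numerical result out of range" message the report quotes from nftables 0.9.3.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the prefix buffer size the report says comes from
 * include/linux/netfilter/nf_log.h. 128 is taken from the report's
 * "over 128 bytes" observation, not read from the header. */
#define NF_LOG_PREFIXLEN 128

/* Hypothetical stand-in for the string-producing step the report describes:
 * it is given no destination size, so it cannot refuse a long prefix. Shown
 * for contrast only; it is never called with an over-long prefix here,
 * because that smashes the stack exactly as the report shows. */
static void expr_to_string_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);             /* writes strlen(src)+1 bytes regardless of dst size */
}

/* Vulnerable pattern: fixed-size stack buffer, callee told nothing about it. */
static int log_prefix_unsafe(const char *rule_prefix, char *out, size_t outlen)
{
    char prefix[NF_LOG_PREFIXLEN];

    expr_to_string_unbounded(prefix, rule_prefix);  /* overflows for >= 128 bytes */
    return snprintf(out, outlen, "log prefix \"%s\"", prefix);
}

/* Hardened variant: the callee receives the buffer size and returns -ERANGE
 * when the prefix plus its terminating NUL does not fit. */
int expr_to_string_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);

    if (n >= dstlen)              /* need n bytes plus the NUL terminator */
        return -ERANGE;
    memcpy(dst, src, n + 1);
    return (int)n;
}

int log_prefix_safe(const char *rule_prefix, char *out, size_t outlen)
{
    char prefix[NF_LOG_PREFIXLEN];
    int n = expr_to_string_bounded(prefix, sizeof(prefix), rule_prefix);

    if (n < 0)
        return n;                 /* propagate -ERANGE instead of overflowing */
    return snprintf(out, outlen, "log prefix \"%s\"", prefix);
}

/* Builds a constructed prefix of `len` 'A' bytes (standing in for the
 * report's Lorem-ipsum string) and runs it through the hardened path.
 * Returns the formatted length on success, or a negative errno. */
int try_prefix_of_length(size_t len)
{
    char src[512];
    char out[256];

    if (len >= sizeof(src))
        return -EINVAL;
    memset(src, 'A', len);
    src[len] = '\0';
    return log_prefix_safe(src, out, sizeof(out));
}

int main(void)
{
    /* 140 is the length of the report's first reproducer string */
    size_t lens[] = { 0, 127, 128, 140 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int rc = try_prefix_of_length(lens[i]);
        if (rc < 0)
            printf("%3zu-byte prefix: rejected, %s\n", lens[i], strerror(-rc));
        else
            printf("%3zu-byte prefix: accepted, %d bytes of output\n", lens[i], rc);
    }
    (void)log_prefix_unsafe;      /* vulnerable variant kept for reading only */
    return 0;
}
```

The point of the hardened path is that the size travels with the buffer: once expr_to_string_bounded() knows dstlen, a 128-byte prefix is refused before any write, and the caller turns that into the same ERANGE failure the older nftables release reported instead of a stack-protector abort or a segmentation fault.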