[Bug 1741] New: Heap-buffer-overflow in iptables-restore and ip6tables-restore
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Mon Apr 1 08:05:36 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1741
Bug ID: 1741
Summary: Heap-buffer-overflow in iptables-restore and
ip6tables-restore
Product: iptables
Version: 1.8.x
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: major
Priority: P5
Component: iptables-restore
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: gorbanev.es at gmail.com
Created attachment 738
--> https://bugzilla.netfilter.org/attachment.cgi?id=738&action=edit
Patch
When running fuzzing tests with AddressSanitizer I found 2 bugs for
iptables-restore and ip6tables-restore.
I also attach a patch to fix the bugs for v1.8.10.
Logs:
[root at ubuntu sbin]# ./iptables-restore
*filter
-c ""
=================================================================
==19922==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000091 at pc 0x7f8f5e83dd68 bp 0x7ffc57c3e1c0 sp 0x7ffc57c3d968
READ of size 1 at 0x602000000091 thread T0
#0 0x7f8f5e83dd67 (/usr/lib64/libasan.so.6+0x3dd67)
#1 0x555e8d206111 in do_parse
/home/user/test/iptables/iptables/xshared.c:1888
#2 0x555e8d210a46 in do_command4
/home/user/test/iptables/iptables/iptables.c:694
#3 0x555e8d20b474 in ip46tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:334
#4 0x555e8d20b936 in iptables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:384
#5 0x555e8d1f9ef9 in subcmd_main
/home/user/test/iptables/iptables/xshared.c:219
#6 0x555e8d2092d1 in main
/home/user/test/iptables/iptables/xtables-legacy-multi.c:49
#7 0x7f8f5e64eefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
#8 0x555e8d1f4a79 in _start
(/home/user/test/iptables/buildroot/sbin/xtables-legacy-multi+0xfa79)
0x602000000091 is located 0 bytes to the right of 1-byte region
[0x602000000090,0x602000000091)
allocated by thread T0 here:
#0 0x7f8f5e859707 in strdup (/usr/lib64/libasan.so.6+0x59707)
#1 0x7f8f5f23aca6 in xtables_strdup
/home/user/test/iptables/libxtables/xtables.c:466
#2 0x555e8d1fb571 in add_argv
/home/user/test/iptables/iptables/xshared.c:434
#3 0x555e8d1fbfef in add_param_to_argv
/home/user/test/iptables/iptables/xshared.c:529
#4 0x555e8d20b3db in ip46tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:328
#5 0x555e8d20b936 in iptables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:384
#6 0x555e8d1f9ef9 in subcmd_main
/home/user/test/iptables/iptables/xshared.c:219
#7 0x555e8d2092d1 in main
/home/user/test/iptables/iptables/xtables-legacy-multi.c:49
#8 0x7f8f5e64eefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.6+0x3dd67)
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 fa fa fa 03 fa fa fa 07 fa fa fa 03 fa
=>0x0c047fff8010: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==19922==ABORTING
[root at ubuntu sbin]# ./ip6tables-restore
*filter
-c ""
=================================================================
==19987==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000091 at pc 0x7f4df283dd68 bp 0x7ffdd6630f00 sp 0x7ffdd66306a8
READ of size 1 at 0x602000000091 thread T0
#0 0x7f4df283dd67 (/usr/lib64/libasan.so.6+0x3dd67)
#1 0x55cdcf10f111 in do_parse
/home/user/test/iptables/iptables/xshared.c:1888
#2 0x55cdcf11f85c in do_command6
/home/user/test/iptables/iptables/ip6tables.c:701
#3 0x55cdcf114474 in ip46tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:334
#4 0x55cdcf114a66 in ip6tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:416
#5 0x55cdcf102ef9 in subcmd_main
/home/user/test/iptables/iptables/xshared.c:219
#6 0x55cdcf1122d1 in main
/home/user/test/iptables/iptables/xtables-legacy-multi.c:49
#7 0x7f4df264eefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
#8 0x55cdcf0fda79 in _start
(/home/user/test/iptables/buildroot/sbin/xtables-legacy-multi+0xfa79)
0x602000000091 is located 0 bytes to the right of 1-byte region
[0x602000000090,0x602000000091)
allocated by thread T0 here:
#0 0x7f4df2859707 in strdup (/usr/lib64/libasan.so.6+0x59707)
#1 0x7f4df32fdca6 in xtables_strdup
/home/user/test/iptables/libxtables/xtables.c:466
#2 0x55cdcf104571 in add_argv
/home/user/test/iptables/iptables/xshared.c:434
#3 0x55cdcf104fef in add_param_to_argv
/home/user/test/iptables/iptables/xshared.c:529
#4 0x55cdcf1143db in ip46tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:328
#5 0x55cdcf114a66 in ip6tables_restore_main
/home/user/test/iptables/iptables/iptables-restore.c:416
#6 0x55cdcf102ef9 in subcmd_main
/home/user/test/iptables/iptables/xshared.c:219
#7 0x55cdcf1122d1 in main
/home/user/test/iptables/iptables/xtables-legacy-multi.c:49
#8 0x7f4df264eefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.6+0x3dd67)
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 01 fa fa fa 03 fa fa fa 07 fa fa fa 03 fa
=>0x0c047fff8010: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==19987==ABORTING
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240401/a4c0daea/attachment.html>
More information about the netfilter-buglog
mailing list