diff options
| author | Florian Westphal <fw@strlen.de> | 2025-03-14 07:50:54 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-03-18 20:24:14 +0100 |
| commit | 37dfb1972cae061c09f278933af998a7c4fc2696 (patch) | |
| tree | b0467ba68f62219e701a0e58cf02ee6987e2ddfe /tests/shell/testcases/bogons | |
| parent | 3b92dc32e60e8c24c783af8d90a0928d71d520f4 (diff) | |
netlink: fix stack buffer overrun when emitting ranged expressions
Included bogon input generates following Sanitizer splat:
AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7...
WRITE of size 2 at 0x7fffffffcbe4 thread T0
#0 0x0000003a68b8 in __asan_memset (src/nft+0x3a68b8) (BuildId: 3678ff51a5405c77e3e0492b9a985910efee73b8)
#1 0x0000004eb603 in __mpz_export_data src/gmputil.c:108:2
#2 0x0000004eb603 in netlink_export_pad src/netlink.c:256:2
#3 0x0000004eb603 in netlink_gen_range src/netlink.c:471:2
#4 0x0000004ea250 in __netlink_gen_data src/netlink.c:523:10
#5 0x0000004e8ee3 in alloc_nftnl_setelem src/netlink.c:205:3
#6 0x0000004d4541 in mnl_nft_setelem_batch src/mnl.c:1816:11
Problem is that the range end is emitted to the buffer at the *padded*
location (rounded up to next register size), but buffer sizing is
based of the expression length, not the padded length.
Also extend the test script: Capture stderr and if we see
AddressSanitizer warning, make it fail.
Same bug as the one fixed in 600b84631410 ("netlink: fix stack buffer overflow with sub-reg sized prefixes"),
just in a different function.
Apply same fix: no dynamic array + add a range check.
Joint work with Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/shell/testcases/bogons')
| -rwxr-xr-x | tests/shell/testcases/bogons/assert_failures | 17 | ||||
| -rw-r--r-- | tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range | 6 |
2 files changed, 22 insertions, 1 deletions
diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures index 79099427..3dee63b3 100755 --- a/tests/shell/testcases/bogons/assert_failures +++ b/tests/shell/testcases/bogons/assert_failures @@ -1,12 +1,27 @@ #!/bin/bash dir=$(dirname $0)/nft-f/ +tmpfile=$(mktemp) + +cleanup() +{ + rm -f "$tmpfile" +} + +trap cleanup EXIT for f in $dir/*; do - $NFT --check -f "$f" + echo "Check $f" + $NFT --check -f "$f" 2> "$tmpfile" if [ $? -ne 1 ]; then echo "Bogus input file $f did not cause expected error code" 1>&2 exit 111 fi + + if grep AddressSanitizer "$tmpfile"; then + echo "Address sanitizer splat for $f" 1>&2 + cat "$tmpfile" + exit 111 + fi done diff --git a/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range b/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range new file mode 100644 index 00000000..2f7872e4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range @@ -0,0 +1,6 @@ +table ip test { + chain y { + redirect to :tcp dport map { 83 : 80/3, 84 :4 } + } +} + |