From: Phil Sutter <phil@nwl.cc>
To: dyslexicatheist <dyslexicatheist@protonmail.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: invalid read in
Date: Mon, 3 Feb 2020 17:31:52 +0100 [thread overview]
Message-ID: <20200203163152.GY19873@orbyte.nwl.cc> (raw)
In-Reply-To: <gwRjoIGUgI5MEgxSob7CBSUwPbYkxILRc4_ZrYWYNI7d1-T5Ej95p3XkEY_f9hLqHK5nVun7dk6RqObi0c_4482IJ6s6U33PyS6Hrm4z46E=@protonmail.com>
Hi,
On Mon, Feb 03, 2020 at 01:54:31PM +0000, dyslexicatheist wrote:
> I've written a filter to parse out punicode from DNS payloads and rewrite the packet in case it contains any IDN (xn--) marker unless the IDN is on a whitelist. Valgrind reports that nfq_create_queue() returns uninitialized
> bytes resulting in thiserror:
>
>
> sudo valgrind --tool=memcheck --leak-check=yes --show-reachable=yes \
> --num-callers=20 --track-fds=yes --track-origins=yes -s \
> ./nfq --syslog --facility LOG_LOCAL0 --log-level info \
> --port 53 --renice -20 --rewrite-answer
> ==714384==
> ==714384== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
> ==714384== at 0x4B977C7: sendto (sendto.c:27)
> ==714384== by 0x486BE02: nfnl_send (in /usr/lib/x86_64-linux-gnu/libnfnetlink.so.0.2.0)
> ==714384== by 0x486DBD2: nfnl_query (in /usr/lib/x86_64-linux-gnu/libnfnetlink.so.0.2.0)
> ==714384== by 0x4A73995: nfq_set_mode (libnetfilter_queue.c:639)
> ==714384== by 0x10B247: start_nfqueue_processing (nfq.c:532)
> ==714384== by 0x10C289: main (nfq.c:987)
> ==714384== Address 0x1ffefefbfd is on thread 1's stack
> ==714384== in frame #3, created by nfq_set_mode (libnetfilter_queue.c:623)
> ==714384== Uninitialised value was created by a stack allocation
> ==714384== at 0x10A1B0: ??? (in /src/nfq/src/nfq)
>
> After searching on this list archive, I found 1 question but without a follow-up answer:
> https://marc.info/?l=netfilter-devel&m=137132916826745&w=4
>
> Having already spent over a day chasing this. Not having come across other cases on github except this person self reporting[1] made me think it must be indeed something in my code that I'm missing and that could have triggered this. Or is it really rare (harmless) bug in libnetfilter?
I guess this is the typical "problem" situation in which userspace uses
a non-zeroed buffer to feed into sendto() and due to padding not
every byte was written to. So basically userspace "leaks" garbage to
kernel, which is something I'd consider harmless and merely a minor
inconvenience when analyzing with valgrind. I usually suffer from this
as well since libmnl()'s allocation routines don't zero the buffer
either.
In your case, I'd say the error message disappears if you add
'memset(&u, 0, sizeof(u))' to the beginning of nfq_set_mode().
Cheers, Phil
next prev parent reply other threads:[~2020-02-03 16:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-03 13:54 invalid read in dyslexicatheist
2020-02-03 16:31 ` Phil Sutter [this message]
2020-02-03 17:14 ` dyslexicatheist
2020-02-03 17:30 ` Phil Sutter
2020-02-03 17:49 ` dyslexicatheist
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200203163152.GY19873@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=dyslexicatheist@protonmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.