From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Development Mailing list <netfilter-devel@vger.kernel.org>, Patrick McHardy <kaber@trash.net>, fw@strlen.de
Subject: Re: [nft] segfault bug in simple ruleset, regression?
Date: Wed, 9 Sep 2015 16:29:03 +0200
Message-ID: <20150909142903.GA3447@salvia>
In-Reply-To: <CAOkSjBhk00k9H98Nx0hdxvrf5b8vAP5ad=iiKrdB2v4rHimoMw@mail.gmail.com>
On Wed, Sep 09, 2015 at 01:28:38PM +0200, Arturo Borrero Gonzalez wrote:
> Hi,
>
> with current HEAD of nftables [0663bfe ("mnl: rework netlink socket
> receive path for events")] and with current nf-next HEAD kernel
> [851345c ("netfilter: reduce sparse warnings")] i'm hitting a
> segfault.
> There seem to be a strcmp over a NULL string.
>
> Unfortunately I can't try to solve this myself right now.
>
> It can be reproduced with this simple file:
>
> ========== 8< ==========
> flush ruleset
> table inet filter {
>     chain test0 {
>     }
>
>     chain test1 {
>     }
>
>     chain test2 {
>     }
>
>     chain test {
>         oif vmap {
>             eth0 : jump test0,
>             eth1 : jump test1,
>             eth2 : jump test2
>         }
>     }
> }
> ========== 8< ==========
>
> loaded with:
> % nft -f file
I cannot reproduce this here using this:
table inet filter {
    chain test0 {
    }
    chain test1 {
    }
    chain test2 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
            wlan0 : jump test1,
            lo : jump test2
        }
    }
}
See file attached. Are you sure you're using latest nft?
[-- Attachment #2: out.txt --]
[-- Type: text/plain, Size: 9945 bytes --]
# valgrind nft -f file
==4151== Memcheck, a memory error detector
==4151== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4151== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4151== Command: nft -f l
==4151==
==4151== Conditional jump or move depends on uninitialised value(s)
==4151== at 0x4017741: index (strchr.S:40)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400756B: fillin_rpath (dl-load.c:495)
==4151== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4151== by 0x4002BC9: dl_main (rtld.c:1348)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151== by 0x7FF000702: ???
==4151== by 0x7FF000705: ???
==4151==
==4151== Use of uninitialised value of size 8
==4151== at 0x401774F: index (strchr.S:47)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400756B: fillin_rpath (dl-load.c:495)
==4151== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4151== by 0x4002BC9: dl_main (rtld.c:1348)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151== by 0x7FF000702: ???
==4151== by 0x7FF000705: ???
==4151==
==4151== Conditional jump or move depends on uninitialised value(s)
==4151== at 0x40177B4: index (strchr.S:77)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4151== by 0x400137D: map_doit (rtld.c:626)
==4151== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4151== by 0x4000B2E: do_preload (rtld.c:815)
==4151== by 0x4004127: dl_main (rtld.c:1634)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151==
==4151== Use of uninitialised value of size 8
==4151== at 0x401786D: index (strchr.S:135)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4151== by 0x400137D: map_doit (rtld.c:626)
==4151== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4151== by 0x4000B2E: do_preload (rtld.c:815)
==4151== by 0x4004127: dl_main (rtld.c:1634)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151==
==4151== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==4151== at 0x58080B0: __sendmsg_nocancel (syscall-template.S:81)
==4151== by 0x41A027: mnl_batch_talk (mnl.c:241)
==4151== by 0x4064E7: nft_run (main.c:203)
==4151== by 0x40601C: main (main.c:357)
==4151== Address 0x5cfac27 is 71 bytes inside a block of size 200,703 alloc'd
==4151== at 0x4C29BED: malloc (vg_replace_malloc.c:263)
==4151== by 0x503F171: nftnl_batch_page_alloc.isra.0 (batch.c:36)
==4151== by 0x503F1FF: nft_batch_alloc (batch.c:73)
==4151== by 0x419D98: mnl_batch_init (mnl.c:135)
==4151== by 0x4063EE: nft_run (main.c:185)
==4151== by 0x40601C: main (main.c:357)
==4151==
==4151==
==4151== HEAP SUMMARY:
==4151== in use at exit: 834 bytes in 3 blocks
==4151== total heap usage: 123 allocs, 120 frees, 227,812 bytes allocated
==4151==
==4151== LEAK SUMMARY:
==4151== definitely lost: 2 bytes in 1 blocks
==4151== indirectly lost: 0 bytes in 0 blocks
==4151== possibly lost: 0 bytes in 0 blocks
==4151== still reachable: 832 bytes in 2 blocks
==4151== suppressed: 0 bytes in 0 blocks
==4151== Rerun with --leak-check=full to see details of leaked memory
==4151==
==4151== For counts of detected and suppressed errors, rerun with: -v
==4151== Use --track-origins=yes to see where uninitialised values come from
==4151== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
# valgrind nft -f file
==4154== Memcheck, a memory error detector
==4154== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4154== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4154== Command: nft -f l
==4154==
==4154== Conditional jump or move depends on uninitialised value(s)
==4154== at 0x4017741: index (strchr.S:40)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400756B: fillin_rpath (dl-load.c:495)
==4154== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4154== by 0x4002BC9: dl_main (rtld.c:1348)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154== by 0x7FF000702: ???
==4154== by 0x7FF000705: ???
==4154==
==4154== Use of uninitialised value of size 8
==4154== at 0x401774F: index (strchr.S:47)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400756B: fillin_rpath (dl-load.c:495)
==4154== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4154== by 0x4002BC9: dl_main (rtld.c:1348)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154== by 0x7FF000702: ???
==4154== by 0x7FF000705: ???
==4154==
==4154== Conditional jump or move depends on uninitialised value(s)
==4154== at 0x40177B4: index (strchr.S:77)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4154== by 0x400137D: map_doit (rtld.c:626)
==4154== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4154== by 0x4000B2E: do_preload (rtld.c:815)
==4154== by 0x4004127: dl_main (rtld.c:1634)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154==
==4154== Use of uninitialised value of size 8
==4154== at 0x401786D: index (strchr.S:135)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4154== by 0x400137D: map_doit (rtld.c:626)
==4154== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4154== by 0x4000B2E: do_preload (rtld.c:815)
==4154== by 0x4004127: dl_main (rtld.c:1634)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154==
==4154== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==4154== at 0x5808113: __sendto_nocancel (syscall-template.S:81)
==4154== by 0x4198B2: nft_mnl_talk (mnl.c:80)
==4154== by 0x41AED3: mnl_nft_set_dump (mnl.c:772)
==4154== by 0x41322B: netlink_list_sets (netlink.c:1248)
==4154== by 0x407647: cache_update (rule.c:79)
==4154== by 0x40E759: cmd_evaluate (evaluate.c:2081)
==4154== by 0x424E05: nft_parse (parser_bison.y:566)
==4154== by 0x4063AC: nft_run (main.c:231)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x7feff956f is on thread 1's stack
==4154==
==4154== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==4154== at 0x5808113: __sendto_nocancel (syscall-template.S:81)
==4154== by 0x4198B2: nft_mnl_talk (mnl.c:80)
==4154== by 0x41B2C2: mnl_nft_setelem_get (mnl.c:904)
==4154== by 0x41356A: netlink_get_setelems (netlink.c:1512)
==4154== by 0x4076AC: cache_update (rule.c:87)
==4154== by 0x40E759: cmd_evaluate (evaluate.c:2081)
==4154== by 0x424E05: nft_parse (parser_bison.y:566)
==4154== by 0x4063AC: nft_run (main.c:231)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x7feff955f is on thread 1's stack
==4154==
==4154== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==4154== at 0x58080B0: __sendmsg_nocancel (syscall-template.S:81)
==4154== by 0x41A027: mnl_batch_talk (mnl.c:241)
==4154== by 0x4064E7: nft_run (main.c:203)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x5cfd047 is 71 bytes inside a block of size 200,703 alloc'd
==4154== at 0x4C29BED: malloc (vg_replace_malloc.c:263)
==4154== by 0x503F171: nftnl_batch_page_alloc.isra.0 (batch.c:36)
==4154== by 0x503F1FF: nft_batch_alloc (batch.c:73)
==4154== by 0x419D98: mnl_batch_init (mnl.c:135)
==4154== by 0x4063EE: nft_run (main.c:185)
==4154== by 0x40601C: main (main.c:357)
==4154==
==4154==
==4154== HEAP SUMMARY:
==4154== in use at exit: 834 bytes in 3 blocks
==4154== total heap usage: 189 allocs, 186 frees, 232,448 bytes allocated
==4154==
==4154== LEAK SUMMARY:
==4154== definitely lost: 2 bytes in 1 blocks
==4154== indirectly lost: 0 bytes in 0 blocks
==4154== possibly lost: 0 bytes in 0 blocks
==4154== still reachable: 832 bytes in 2 blocks
==4154== suppressed: 0 bytes in 0 blocks
==4154== Rerun with --leak-check=full to see details of leaked memory
==4154==
==4154== For counts of detected and suppressed errors, rerun with: -v
==4154== Use --track-origins=yes to see where uninitialised values come from
==4154== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0)
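The attached log mixes two kinds of memcheck reports: four whose whole stack sits in the glibc dynamic loader (`index`/`strchr.S`, `dl-load.c`, `rtld.c`, `ld-2.19.so`, identical in both runs and raised before any nft code executes) and the ones that reach nft's own netlink send path (`nft_mnl_talk`, `mnl_batch_talk` in `mnl.c`). When comparing runs like these, it helps to split the log mechanically so the application-side reports can be read first. The script below is an added example, not code from this thread or from the nftables project: it parses memcheck output into reports, keeps each report's primary call stack, and separates loader-only stacks from the rest. The sample log is a constructed excerpt modelled on the attachment, and the "loader noise" rule (every frame in `ld-*.so`, `dl-*.c`, `rtld.c`, a glibc `.S` file, or `???`) is a triage heuristic of this example, not a valgrind feature.

```python
"""Split valgrind memcheck output into application vs. loader-only reports.

Added example (not nft or valgrind code). Works on the plain text memcheck
prints, with or without the leading ==pid== column.
"""
import re
from collections import namedtuple

Report = namedtuple("Report", "kind frames")

PREFIX_RE = re.compile(r"^==\d+==\s?")                       # "==4151== " column
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.+?)\s*$")
AUX_RE = re.compile(r"^\s*Address 0x")                       # start of the secondary stack
SUMMARY_RE = re.compile(r"ERROR SUMMARY:\s+(\d+) errors")
# Heuristic (assumption of this example): a frame is "loader" if it is in
# ld-*.so, a dl-*.c file, rtld.c, a glibc assembly file, or unresolved.
LOADER_RE = re.compile(r"ld-[\d.]+\.so|\bdl-[a-z]+\.c|\brtld\.c|\.S:\d+|\?\?\?")

# Constructed excerpt modelled on the attachment in the thread (trimmed).
SAMPLE_LOG = """\
==4151== Memcheck, a memory error detector
==4151== Command: nft -f l
==4151==
==4151== Conditional jump or move depends on uninitialised value(s)
==4151==    at 0x4017741: index (strchr.S:40)
==4151==    by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151==    by 0x4002BC9: dl_main (rtld.c:1348)
==4151==    by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151==
==4151== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==4151==    at 0x58080B0: __sendmsg_nocancel (syscall-template.S:81)
==4151==    by 0x41A027: mnl_batch_talk (mnl.c:241)
==4151==    by 0x4064E7: nft_run (main.c:203)
==4151==    by 0x40601C: main (main.c:357)
==4151==  Address 0x5cfac27 is 71 bytes inside a block of size 200,703 alloc'd
==4151==    at 0x4C29BED: malloc (vg_replace_malloc.c:263)
==4151==    by 0x419D98: mnl_batch_init (mnl.c:135)
==4151==
==4151== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
"""


def parse_reports(log):
    """Return a list of Report(kind, frames) with the primary stack of each error."""
    lines = [PREFIX_RE.sub("", line, count=1) for line in log.splitlines()]
    reports = []
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A report starts with a description line followed directly by an "at" frame;
        # this also skips the banner, "Command:" and summary lines.
        if line.strip() and not FRAME_RE.match(line) and re.match(r"^\s*at 0x", nxt):
            frames, past_aux = [], False
            i += 1
            while i < len(lines) and lines[i].strip():
                if AUX_RE.match(lines[i]):
                    past_aux = True          # allocation/origin stack follows; not primary
                m = FRAME_RE.match(lines[i])
                if m and not past_aux:
                    frames.append(m.group(1))
                i += 1
            reports.append(Report(line.strip(), tuple(frames)))
            continue
        i += 1
    return reports


def is_loader_noise(report):
    """True when every primary frame lives in the dynamic loader / glibc startup path."""
    return bool(report.frames) and all(LOADER_RE.search(f) for f in report.frames)


def triage(log):
    """Split reports into those touching application code and loader-only ones."""
    out = {"application": [], "loader": []}
    for rep in parse_reports(log):
        out["loader" if is_loader_noise(rep) else "application"].append(rep)
    return out


def error_summary(log):
    """Error count from the ERROR SUMMARY line, or None if absent."""
    m = SUMMARY_RE.search(log)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("memcheck reported", error_summary(SAMPLE_LOG), "errors")
    for group, reps in result.items():
        print(f"{group}: {len(reps)} report(s)")
        for rep in reps:
            print("  ", rep.kind, "<-", rep.frames[1] if len(rep.frames) > 1 else rep.frames)
```

Run on a full log, `triage()["application"]` is the list worth reading first; the loader group is what a `--gen-suppressions=all` run would normally be used to silence. On the attachment above it isolates the `sendto`/`sendmsg` reports from `nft_mnl_talk`/`mnl_batch_talk`, which point at uninitialised bytes inside the netlink batch buffer rather than at anything the ruleset file itself contains.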
Thread overview:
2015-09-09 11:28 [nft] segfault bug in simple ruleset, regression? Arturo Borrero Gonzalez
2015-09-09 14:29 ` Pablo Neira Ayuso [this message]
2015-09-09 15:29 ` Florian Westphal
2015-09-09 16:01 ` Pablo Neira Ayuso