From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft] netlink: fix stack buffer overrun when emitting ranged expressions
Date: Tue, 18 Mar 2025 14:24:26 +0100 [thread overview]
Message-ID: <20250318132426.GB20865@breakpoint.cc> (raw)
In-Reply-To: <Z9lmBhYELKyJHHOk@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi Florian,
>
> On Fri, Mar 14, 2025 at 01:41:49PM +0100, Florian Westphal wrote:
> > Included bogon input generates following Sanitizer splat:
> >
> > AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7...
> > WRITE of size 2 at 0x7fffffffcbe4 thread T0
> > #0 0x0000003a68b8 in __asan_memset (src/nft+0x3a68b8) (BuildId: 3678ff51a5405c77e3e0492b9a985910efee73b8)
> > #1 0x0000004eb603 in __mpz_export_data src/gmputil.c:108:2
> > #2 0x0000004eb603 in netlink_export_pad src/netlink.c:256:2
> > #3 0x0000004eb603 in netlink_gen_range src/netlink.c:471:2
> > #4 0x0000004ea250 in __netlink_gen_data src/netlink.c:523:10
> > #5 0x0000004e8ee3 in alloc_nftnl_setelem src/netlink.c:205:3
> > #6 0x0000004d4541 in mnl_nft_setelem_batch src/mnl.c:1816:11
> >
> > Problem is that the range end is emitted to the buffer at the *padded*
> > location (rounded up to next register size), but buffer sizing is
> > based of the expression length, not the padded length.
> >
> > Also extend the test script: Capture stderr and if we see
> > AddressSanitizer warning, make it fail.
> >
> > Same bug as the one fixed in 600b84631410 ("netlink: fix stack buffer overflow with sub-reg sized prefixes"),
> > just in a different function.
> >
> > Apply same fix: no dynamic array + add a length check.
>
> While at it, extend it for similar code too until there is a way to
> consolidate this? See attachment.
Sure, I can merge your snippet and push it out, is that okay?
next prev parent reply other threads:[~2025-03-18 13:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-14 12:41 [PATCH nft] netlink: fix stack buffer overrun when emitting ranged expressions Florian Westphal
2025-03-18 12:24 ` Pablo Neira Ayuso
2025-03-18 13:24 ` Florian Westphal [this message]
2025-03-18 15:34 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250318132426.GB20865@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).