iptables - accessing unallocated memory

Hi there,

I am currently trying to port iptables to ARM's new Morello
architecture, featuring hardware capabilities for memory protection.

One of the ways Morello affords protection is by enforcing bounds on
memory accesses at the hardware level. On Morello a segfault/bounds
fault will occur at runtime when an illegal memory access is made...

When running some of the iptables tests I am encountering some of
these faults. I have not investigated if they all occur in the same
spot yet, but at least 3 such occurrences in the same place are in
tests:
chain/0005base-delete_0
ebtables/0007-chain-policies_0
iptables/0002-verbose-output_0

Let us use ././testcases/iptables/0002-verbose-output_0 as an example
here, since I see different behaviour in two different versions of
iptables and libnftnl. (I had to update the package versions due to
another unrelated issue that I may ask about separately).

Bounds faults occur: iptables (1.8.10), libnftnl (master), libmnl
(1.0.5), kernel (6.4)
Bounds faults do not occur: iptables (1.8.7), libnftnl (1.2.1), libmnl
(1.0.5), kernel (6.4)

The segfault happens in compare_targets, when the memcmp checks the
data of the two xt_entry_target structs, when the rules are parsed and
checked using nft_rule_cmp:

https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?h=v1.8.10#n414

The reason I see a fault in the updated iptables 1.8.10 and not 1.8.7
stems from the way the xt_entry_target structs are allocated in the
different versions, in both instances inside h->ops->rule_to_cs()
which calls nft_rule_to_iptables_command_state:

https://git.netfilter.org/iptables/tree/iptables/nft.c?h=v1.8.10#n2390

In 1.8.7, I see that 40B is allocated correctly, with enough space to
hold the data at the end of the xt_entry_target struct. The allocation
for this happens in the body of nft_rule_to_iptables_command_state
itself:

https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?h=v1.8.7#n690

However, in 1.8.10, the allocation is performed while the expression
parsing happens, earlier within the nft_rule_to_iptables_command_state
function. In this instance nft_parse_immediate calls
nft_create_target. The wrapped __nft_create_target is then passed a
hard-coded 0B to the tgsize parameter. So in this instance no space is
ever allocated for the data at the end of xt_entry_target (hence the
segfault when trying to access this unallocated memory):

https://git.netfilter.org/iptables/tree/iptables/nft-ruleparse.c?h=v1.8.10#n99

If someone could give me some insight on how best to patch this and
pass an actual value to tgsize I would greatly appreciate it.
Particularly since nft_create_target is called in numerous places, and
I cannot find an obvious place where I might access the appropriate
data length to pass.

Many thanks,

Josh
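The defect described above has a general shape: a header struct with a trailing flexible array is allocated with zero bytes for that array, and a later memcmp over the "data" walks off the end of the allocation, which Morello's bounds checking turns into a fault instead of a silent over-read. The following is an added example written in C to illustrate that pattern and one size-aware way to handle it; it is not iptables, libnftnl or kernel code. `struct tgt` is a simplified stand-in for `xt_entry_target` (assumed layout for the example, not the real header), and `tgt_create`, `tgt_set_data`, `tgt_data_len`, `tgt_equal` and `tgt_run_scenarios` are hypothetical names. `tgt_set_data` shows the realloc-when-the-length-is-known pattern as one possible approach, not as the project's fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct xt_entry_target (assumed layout for this
 * example, not the kernel header): a fixed header followed by a trailing
 * flexible array whose extent is recorded in target_size. */
#define TGT_NAME_LEN 29

struct tgt {
	uint16_t target_size;      /* header plus trailing data, in bytes */
	char name[TGT_NAME_LEN];
	uint8_t revision;
	unsigned char data[];      /* target-specific payload, tgsize bytes */
};

/* Allocate a target with room for exactly tgsize bytes of trailing data.
 * Passing tgsize = 0 is legal, but then data[] has no storage at all, which
 * is the situation the message describes. */
static struct tgt *tgt_create(const char *name, uint8_t revision,
			      size_t tgsize, const void *payload)
{
	size_t total = sizeof(struct tgt) + tgsize;
	struct tgt *t;

	if (total > UINT16_MAX)
		return NULL;
	t = calloc(1, total);
	if (!t)
		return NULL;
	t->target_size = (uint16_t)total;
	snprintf(t->name, sizeof(t->name), "%s", name);
	t->revision = revision;
	if (payload && tgsize)
		memcpy(t->data, payload, tgsize);
	return t;
}

/* Grow a header-only target once the payload length becomes known.
 * On success the old pointer is invalid and the caller must use the
 * returned one; on failure the old allocation is left untouched. */
static struct tgt *tgt_set_data(struct tgt *t, const void *payload, size_t tgsize)
{
	size_t total = sizeof(struct tgt) + tgsize;
	struct tgt *n;

	if (total > UINT16_MAX)
		return NULL;
	n = realloc(t, total);
	if (!n)
		return NULL;
	n->target_size = (uint16_t)total;
	memcpy(n->data, payload, tgsize);
	return n;
}

/* Number of payload bytes actually backed by the allocation. */
static size_t tgt_data_len(const struct tgt *t)
{
	return t->target_size > sizeof(struct tgt)
	       ? t->target_size - sizeof(struct tgt) : 0;
}

/* Compare two targets without reading beyond either allocation: the
 * recorded sizes are checked before a single payload byte is touched. */
static int tgt_equal(const struct tgt *a, const struct tgt *b)
{
	if (a->target_size != b->target_size)
		return 0;
	if (a->revision != b->revision || strcmp(a->name, b->name) != 0)
		return 0;
	return memcmp(a->data, b->data, tgt_data_len(a)) == 0;
}

/* Constructed scenarios; returns a bitmask of outcomes (15 = all as expected). */
static int tgt_run_scenarios(void)
{
	const unsigned char payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
	const unsigned char other[8]   = {1, 2, 3, 4, 5, 6, 7, 9};
	struct tgt *full = tgt_create("MARK", 2, sizeof(payload), payload);
	struct tgt *same = tgt_create("MARK", 2, sizeof(payload), payload);
	struct tgt *diff = tgt_create("MARK", 2, sizeof(other), other);
	struct tgt *bare = tgt_create("MARK", 2, 0, NULL); /* header only, no data[] storage */
	struct tgt *grown;
	int result = 0;

	if (!full || !same || !diff || !bare)
		goto out;
	if (tgt_equal(full, same))         result |= 1; /* identical payloads match */
	if (!tgt_equal(full, diff))        result |= 2; /* payload difference detected */
	if (!tgt_equal(full, bare))        result |= 4; /* size mismatch stops before memcmp */
	grown = tgt_set_data(bare, payload, sizeof(payload));
	if (grown) {
		bare = grown;
		if (tgt_equal(full, bare))     result |= 8; /* grown target now compares equal */
	}
out:
	free(full); free(same); free(diff); free(bare);
	return result;
}

int main(void)
{
	printf("scenario mask: %d\n", tgt_run_scenarios());
	return 0;
}
```

The point of `tgt_equal` is that `target_size` is compared first, so a header-only target is rejected before `memcmp` is reached; on a conventional CPU the unchecked version would merely read stale heap bytes, while on Morello it faults, which is exactly why the port surfaced the problem.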
