Bug#968457: iptables: segfault with specific command when run as non-root

[Bernhard Übelacker]

Dear Maintainer,
following is a backtrace where the crash happens.
This seems to affect just stable.
Testing shows a permission denied warning.

By default it seems iptables is not contained in the path,
nevertheless it crashes when executed by full path.

Kind regards,
Bernhard


Program received signal SIGSEGV, Segmentation fault.
nftnl_rule_list_add (r=r@entry=0x5555555f5900, list=0x0) at rule.c:782
782             list_add(&r->head, &list->list);
(gdb) bt
#0  nftnl_rule_list_add (r=r@entry=0x5555555f5900, list=0x0) at rule.c:782
#1  0x0000555555567eac in nft_rule_insert (h=h@entry=0x7fffffffe480, 
chain=chain@entry=0x7fffffffe848 "OUTPUT", table=table@entry=0x55555557b126 
"filter", data=data@entry=0x7fffffffe300, rulenum=rulenum@entry=0, 
verbose=verbose@entry=false) at nft.c:2146
#2  0x0000555555562629 in add_entry (chain=0x7fffffffe848 "OUTPUT", 
table=0x55555557b126 "filter", cs=cs@entry=0x7fffffffe300, rulenum=0, family=2, 
s=..., d=..., verbose=false, h=0x7fffffffe480, append=false) at xtables.c:412
#3  0x0000555555564270 in do_commandx (h=h@entry=0x7fffffffe480, 
argc=argc@entry=3, argv=argv@entry=0x7fffffffe608, 
table=table@entry=0x7fffffffe478, restore=restore@entry=false) at xtables.c:1122
#4  0x0000555555562350 in xtables_main (family=family@entry=2, 
progname=progname@entry=0x55555557a011 "iptables", argc=3, argv=0x7fffffffe608) 
at xtables-standalone.c:72
#5  0x000055555556248a in xtables_ip4_main (argc=<optimized out>, 
argv=<optimized out>) at xtables-standalone.c:96
#6  0x00007ffff763809b in __libc_start_main (main=0x55555555cfb0 <main>, 
argc=3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:308
#7  0x000055555555cfea in _start ()

# Buster/stable amd64 qemu VM 2020-08-16

apt update
apt dist-upgrade


apt install systemd-coredump mc gdb iptables-dbgsym libnftnl11-dbgsym
apt build-dep iptables


mkdir /home/benutzer/source/iptables/orig -p
cd    /home/benutzer/source/iptables/orig
apt source iptables
cd

mkdir /home/benutzer/source/libnftnl11/orig -p
cd    /home/benutzer/source/libnftnl11/orig
apt source libnftnl11
cd



gdb -q --args /usr/sbin/iptables -I OUTPUT

directory /home/benutzer/source/libnftnl11/orig/libnftnl-1.1.2/src
directory /home/benutzer/source/iptables/orig/iptables-1.8.2/iptables
set width 0
set pagination off
run


##########




benutzer@debian:~$ /usr/sbin/iptables -I OUTPUT
Speicherzugriffsfehler (Speicherabzug geschrieben)


dmesg:
[So Aug 16 13:58:00 2020] iptables[1170]: segfault at 0 ip 00007f27c75541f0 sp 
00007ffc0c5bd208 error 4 in libnftnl.so.11.0.0[7f27c754d000+17000]
[So Aug 16 13:58:00 2020] Code: 83 c4 08 48 89 ef 5b 5d e9 6d 8e ff ff 66 66 2e 
0f 1f 84 00 00 00 00 00 66 90 31 c0 48 39 3f 0f 94 c0 c3 0f 1f 80 00 00 00 00 
<48> 8b 06 48 89 78 08 48 89 07 48 89 77 08 48 89 3e c3 66 66 2e 0f


root@debian:~# coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Sun 2020-08-16 13:58:01 CEST   1170  1000  1000  11 present   
/usr/sbin/xtables-nft-multi


root@debian:~# coredumpctl gdb 1170
           PID: 1170 (iptables)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 11 (SEGV)
     Timestamp: Sun 2020-08-16 13:58:01 CEST (54s ago)
  Command Line: /usr/sbin/iptables -I OUTPUT
    Executable: /usr/sbin/xtables-nft-multi
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (benutzer)
       Boot ID: 90c355c183dc4e728cac96d0d7b28324
    Machine ID: 33f18f39d2a9438eb75b0ed52848afcd
      Hostname: debian
       Storage: 
/var/lib/systemd/coredump/core.iptables.1000.90c355c183dc4e728cac96d0d7b28324.1170.1597579081000000.lz4
       Message: Process 1170 (iptables) of user 1000 dumped core.
                
                Stack trace of thread 1170:
                #0  0x00007f27c75541f0 nftnl_rule_list_add (libnftnl.so.11)
                #1  0x0000556112a23eac n/a (xtables-nft-multi)
                #2  0x0000556112a1e629 n/a (xtables-nft-multi)
                #3  0x0000556112a20270 n/a (xtables-nft-multi)
                #4  0x0000556112a1e350 n/a (xtables-nft-multi)
                #5  0x0000556112a1e48a n/a (xtables-nft-multi)
                #6  0x00007f27c6de909b __libc_start_main (libc.so.6)
                #7  0x0000556112a18fea n/a (xtables-nft-multi)

GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/xtables-nft-multi...(no debugging symbols 
found)...done.

warning: core file may not match specified executable file.
[New LWP 1170]
Core was generated by `/usr/sbin/iptables -I OUTPUT'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f27c75541f0 in nftnl_rule_list_add () from 
/lib/x86_64-linux-gnu/libnftnl.so.11




benutzer@debian:~$ gdb -q --args /usr/sbin/iptables -I OUTPUT
Reading symbols from /usr/sbin/iptables...Reading symbols from 
/usr/lib/debug/.build-id/9f/df12bff550f04deaa338f8f4c1986e19e1d5e2.debug...done.
done.
(gdb) directory /home/benutzer/source/libnftnl11/orig/libnftnl-1.1.2/src
Source directories searched: 
/home/benutzer/source/libnftnl11/orig/libnftnl-1.1.2/src:$cdir:$cwd
(gdb) set width 0
(gdb) set pagination off
(gdb) run
Starting program: /usr/sbin/iptables -I OUTPUT

Program received signal SIGSEGV, Segmentation fault.
nftnl_rule_list_add (r=r@entry=0x5555555f5900, list=0x0) at rule.c:782
782             list_add(&r->head, &list->list);
(gdb) bt
#0  nftnl_rule_list_add (r=r@entry=0x5555555f5900, list=0x0) at rule.c:782
#1  0x0000555555567eac in nft_rule_insert (h=h@entry=0x7fffffffe480, 
chain=chain@entry=0x7fffffffe848 "OUTPUT", table=table@entry=0x55555557b126 
"filter", data=data@entry=0x7fffffffe300, rulenum=rulenum@entry=0, 
verbose=verbose@entry=false) at nft.c:2146
#2  0x0000555555562629 in add_entry (chain=0x7fffffffe848 "OUTPUT", 
table=0x55555557b126 "filter", cs=cs@entry=0x7fffffffe300, rulenum=0, family=2, 
s=..., d=..., verbose=false, h=0x7fffffffe480, append=false) at xtables.c:412
#3  0x0000555555564270 in do_commandx (h=h@entry=0x7fffffffe480, 
argc=argc@entry=3, argv=argv@entry=0x7fffffffe608, 
table=table@entry=0x7fffffffe478, restore=restore@entry=false) at xtables.c:1122
#4  0x0000555555562350 in xtables_main (family=family@entry=2, 
progname=progname@entry=0x55555557a011 "iptables", argc=3, argv=0x7fffffffe608) 
at xtables-standalone.c:72
#5  0x000055555556248a in xtables_ip4_main (argc=<optimized out>, 
argv=<optimized out>) at xtables-standalone.c:96
#6  0x00007ffff763809b in __libc_start_main (main=0x55555555cfb0 <main>, 
argc=3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:308
#7  0x000055555555cfea in _start ()