From patchwork Wed Feb 19 09:11:51 2025
X-Patchwork-Submitter: Ziao Li
X-Patchwork-Id: 13981784
X-Patchwork-Delegate: dsahern@gmail.com
X-Mailing-List: netdev@vger.kernel.org
From: Ziao Li
Date: Wed, 19 Feb 2025 17:11:51 +0800
Subject: [PATCH iproute2] NULL Pointer Dereference vulnerability and patch
To: netdev@vger.kernel.org

NULL Pointer Dereference vulnerability in iproute2.

The vulnerability happens in load_ugly_table(), misc/nstat.c, in the latest
version of iproute2 (41710ace5e8fadff354f3dba67bf27ed3a3c5ae7).

How the vulnerability happens:

1. db is set to NULL at: struct nstat_ent *db = NULL;
2. n is set to NULL at: n = db;
3. NULL dereference of variable n happens at: sscanf(p+1, "%llu", &n->val) != 1

static void load_ugly_table(FILE *fp)
{
	char *buf = NULL;
	size_t buflen = 0;
	ssize_t nread;
	struct nstat_ent *db = NULL;
	struct nstat_ent *n;

	while ((nread = getline(&buf, &buflen, fp)) != -1) {
		char idbuf[4096];
		int off;
		char *p;
		int count1, count2, skip = 0;

		p = strchr(buf, ':');
		if (!p) {
			fprintf(stderr, "%s:%d: error parsing history file\n",
				__FILE__, __LINE__);
			exit(-2);
		}
		count1 = count_spaces(buf);
		*p = 0;
		idbuf[0] = 0;
		strncat(idbuf, buf, sizeof(idbuf) - 1);
		off = p - buf;
		p += 2;
		while (*p) {
			......
		}
		n = db;
		nread = getline(&buf, &buflen, fp);
		if (nread == -1) {
			fprintf(stderr, "%s:%d: error parsing history file\n",
				__FILE__, __LINE__);
			exit(-2);
		}
		count2 = count_spaces(buf);
		if (count2 > count1)
			skip = count2 - count1;
		do {
			p = strrchr(buf, ' ');
			if (!p) {
				fprintf(stderr, "%s:%d: error parsing history file\n",
					__FILE__, __LINE__);
				exit(-2);
			}
			*p = 0;
			if (sscanf(p+1, "%llu", &n->val) != 1) {
				fprintf(stderr, "%s:%d: error parsing history file\n",
					__FILE__, __LINE__);
				exit(-2);
			}
			/* Trick to skip "dummy" trailing ICMP MIB in 2.4 */
			if (skip)
				skip--;
			else
				n = n->next;
		} while (p > buf + off + 2);
	}
	free(buf);
	......
}

---

Steps to reproduce:

1. Put the attachment files at misc/poc.c and misc/crash.txt
2. Compile poc.c file with:
   gcc -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wold-style-definition -Wformat=2 -g -O0 -pipe -I../include -I../include/uapi -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib\" -DCONF_USR_DIR=\"/usr/share/iproute2\" -DCONF_ETC_DIR=\"/etc/iproute2\" -DNETNS_RUN_DIR=\"/var/run/netns\" -DNETNS_ETC_DIR=\"/etc/netns\" -DARPDDIR=\"/var/lib/arpd\" -DCONF_COLOR=COLOR_OPT_NEVER -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DHAVE_SETNS -DHAVE_HANDLE_AT -DHAVE_SELINUX -DHAVE_RPC -I/usr/include/tirpc -DHAVE_ELF -DNEED_STRLCPY -DHAVE_LIBCAP -DHAVE_SETNS -DHAVE_HANDLE_AT -DHAVE_SELINUX -DHAVE_RPC -I/usr/include/tirpc -DHAVE_ELF -DNEED_STRLCPY -DHAVE_LIBCAP -o poc poc.c -lselinux -ltirpc -lelf -lcap ../lib/libutil.a ../lib/libnetlink.a -lselinux -ltirpc -lelf -lcap -lm
3. Run the poc by
   $ ./poc crash.txt
   zsh: segmentation fault (core dumped)  ./poc crash.txt

---

Patch for the vulnerability:

From 2f462d5adf071827285291d2ce13119e220681fd Mon Sep 17 00:00:00 2001
From: lza
Date: Wed, 19 Feb 2025 08:38:48 +0000
Subject: [PATCH] Fix Null Dereference when no entries are specified

---
 misc/nstat.c | 4 ++++
 1 file changed, 4 insertions(+)
fprintf(stderr, "%s:%d: error parsing history file\n",

diff --git a/misc/nstat.c b/misc/nstat.c
index fce3e9c1..b2e19bde 100644
--- a/misc/nstat.c
+++ b/misc/nstat.c
@@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
 		p = next;
 	}
 	n = db;
+	if (n == NULL) {
+		fprintf(stderr, "Error: Invalid input – line has ':' but no entries. Add values after ':'.\n");
+		exit(-2);
+	}
 	nread = getline(&buf, &buflen, fp);
 	if (nread == -1) {
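Review bot: the new diagnostic after `n = db;` departs from the file's own error pattern and contains a non-ASCII dash; every other error path in load_ugly_table() uses `fprintf(stderr, "%s:%d: error parsing history file\n", __FILE__, __LINE__);` followed by `exit(-2);`, so reusing that form (or at least plain ASCII) would keep the output consistent. The check itself is correct for the reported input (a header line whose ':' is followed by no entry names leaves db, and therefore n, NULL), but it leaves a related path open that is visible in the quoted function: when the value line carries more fields than the header listed, `n = n->next;` in the do-while advances n to NULL and the next iteration's `sscanf(p+1, "%llu", &n->val)` dereferences it, so an `if (!n)` check before that sscanf, reporting the same parsing error, would be worth adding in the same change. The commit as shown also has no Signed-off-by line, which iproute2 requires before a patch can be applied.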
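As an added example (not iproute2 code, and not from the poster or the patch), the following is a minimal C reimplementation of the two-line header/value table that load_ugly_table() reads, written so that both the reported case (a header with ':' but no entry names) and the related count mismatch between the header and value lines are rejected with an error code instead of a NULL dereference. All identifiers (struct ent, parse_ugly_pair, ugly_parse_status, ugly_value, the UGLY_* codes) are names chosen here, the sample lines are constructed in /proc/net/netstat style, and the 2.4 "dummy" ICMP skip logic of the original is deliberately left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iproute2 code: a minimal parser for the two-line
 * "Proto: Name1 Name2 ..." / "Proto: val1 val2 ..." tables that nstat's
 * load_ugly_table() reads. All identifiers here are assumed names. */

struct ent {
	char name[64];
	unsigned long long val;
	struct ent *next;
};

enum ugly_status {
	UGLY_OK = 0,
	UGLY_ERR_NO_COLON,   /* a line has no ':' */
	UGLY_ERR_NO_ENTRIES, /* ':' but no names: the reported NULL case */
	UGLY_ERR_COUNT,      /* value count differs from name count */
	UGLY_ERR_VALUE,      /* a field is not an unsigned decimal number */
	UGLY_ERR_NOMEM,
};

void free_ents(struct ent *db)
{
	while (db) {
		struct ent *next = db->next;
		free(db);
		db = next;
	}
}

int parse_ugly_pair(const char *hdr, const char *vals, struct ent **out)
{
	char hbuf[4096], vbuf[4096];
	struct ent *db = NULL, *tail = NULL, *n;
	char *p, *tok, *end;

	*out = NULL;
	snprintf(hbuf, sizeof(hbuf), "%s", hdr);
	if (!(p = strchr(hbuf, ':')))
		return UGLY_ERR_NO_COLON;
	/* Build the entry list from the names after the header's ':'. */
	for (tok = strtok(p + 1, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
		if (!(n = calloc(1, sizeof(*n)))) {
			free_ents(db);
			return UGLY_ERR_NOMEM;
		}
		snprintf(n->name, sizeof(n->name), "%s", tok);
		*(tail ? &tail->next : &db) = n;
		tail = n;
	}
	/* The check the patch adds: with no names, db (and so n) is NULL and
	 * the value loop below would store through a NULL pointer. */
	if (!db)
		return UGLY_ERR_NO_ENTRIES;
	snprintf(vbuf, sizeof(vbuf), "%s", vals);
	if (!(p = strchr(vbuf, ':'))) {
		free_ents(db);
		return UGLY_ERR_NO_COLON;
	}
	/* Walk the list in step with the value fields; stop if entries run out
	 * before fields do, instead of following n past the end of the list. */
	for (n = db, tok = strtok(p + 1, " \t\n"); tok && n; tok = strtok(NULL, " \t\n")) {
		n->val = strtoull(tok, &end, 10);
		if (*tok == '-' || *end != '\0') {
			free_ents(db);
			return UGLY_ERR_VALUE;
		}
		n = n->next;
	}
	if (tok || n) { /* tok left over: too many values; n left over: too few */
		free_ents(db);
		return UGLY_ERR_COUNT;
	}
	*out = db;
	return UGLY_OK;
}

/* One-shot helpers for constructed header/value pairs: status code, or the
 * value of one counter (-1 if the pair is invalid or the name is absent). */
int ugly_parse_status(const char *hdr, const char *vals)
{
	struct ent *db;
	int rc = parse_ugly_pair(hdr, vals, &db);
	free_ents(db);
	return rc;
}

long long ugly_value(const char *hdr, const char *vals, const char *name)
{
	struct ent *db, *e;
	long long v = -1;
	if (parse_ugly_pair(hdr, vals, &db) != UGLY_OK)
		return -1;
	for (e = db; e; e = e->next)
		if (strcmp(e->name, name) == 0)
			v = (long long)e->val;
	free_ents(db);
	return v;
}
```

The two helpers are the entry points: ugly_parse_status("TcpExt:\n", "TcpExt: 5\n") returns UGLY_ERR_NO_ENTRIES for the input class the report describes, and a value line with more or fewer fields than the header returns UGLY_ERR_COUNT rather than walking n off the end of the list, which is the second path the patch's single check does not cover.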