[nft PATCH 0/4] Fixes for a recent covscan run

[nft PATCH 0/4] Fixes for a recent covscan run

[Phil Sutter]

Minor issues only, mostly in hard to reach code paths.

Phil Sutter (4):
  netlink: Fix leak in unterminated string deserializer
  netlink: Fix leaks in netlink_parse_cmp()
  segtree: Fix for potential NULL-pointer deref in ei_insert()
  netlink: Avoid potential NULL-pointer deref in
    netlink_gen_payload_stmt()

 src/netlink_delinearize.c | 25 +++++++++++++++++--------
 src/netlink_linearize.c   |  2 +-
 src/segtree.c             | 18 +++++++++++++-----
 3 files changed, 31 insertions(+), 14 deletions(-)

-- 
2.24.1

[nft PATCH 1/4] netlink: Fix leak in unterminated string deserializer

[Phil Sutter]

Allocated 'mask' expression is not freed before returning to caller,
although it is used temporarily only.

Fixes: b851ba4731d9f ("src: add interface wildcard matching")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/netlink_delinearize.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 154353b8161a0..06a0312b9921a 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2030,7 +2030,7 @@ static bool __expr_postprocess_string(struct expr **exprp)
 
 static struct expr *expr_postprocess_string(struct expr *expr)
 {
-	struct expr *mask;
+	struct expr *mask, *out;
 
 	assert(expr_basetype(expr)->type == TYPE_STRING);
 	if (__expr_postprocess_string(&expr))
@@ -2040,7 +2040,9 @@ static struct expr *expr_postprocess_string(struct expr *expr)
 				   BYTEORDER_HOST_ENDIAN,
 				   expr->len + BITS_PER_BYTE, NULL);
 	mpz_init_bitmask(mask->value, expr->len);
-	return string_wildcard_expr_alloc(&expr->location, mask, expr);
+	out = string_wildcard_expr_alloc(&expr->location, mask, expr);
+	expr_free(mask);
+	return out;
 }
 
 static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
-- 
2.24.1

[nft PATCH 2/4] netlink: Fix leaks in netlink_parse_cmp()

[Phil Sutter]

This fixes several problems at once:

* Err path would leak expr 'right' in two places and 'left' in one.
* Concat case would leak 'right' by overwriting the pointer. Introduce a
  temporary variable to hold the new pointer.

Fixes: 6377380bc265f ("netlink_delinearize: handle relational and lookup concat expressions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/netlink_delinearize.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 06a0312b9921a..88dbd5a8ecdf3 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -274,7 +274,7 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
 {
 	struct nft_data_delinearize nld;
 	enum nft_registers sreg;
-	struct expr *expr, *left, *right;
+	struct expr *expr, *left, *right, *tmp;
 	enum ops op;
 
 	sreg = netlink_parse_register(nle, NFTNL_EXPR_CMP_SREG);
@@ -291,19 +291,26 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
 
 	if (left->len > right->len &&
 	    expr_basetype(left) != &string_type) {
-		return netlink_error(ctx, loc, "Relational expression size mismatch");
+		netlink_error(ctx, loc, "Relational expression size mismatch");
+		goto err_free;
 	} else if (left->len > 0 && left->len < right->len) {
 		expr_free(left);
 		left = netlink_parse_concat_expr(ctx, loc, sreg, right->len);
 		if (left == NULL)
-			return;
-		right = netlink_parse_concat_data(ctx, loc, sreg, right->len, right);
-		if (right == NULL)
-			return;
+			goto err_free;
+		tmp = netlink_parse_concat_data(ctx, loc, sreg, right->len, right);
+		if (tmp == NULL)
+			goto err_free;
+		expr_free(right);
+		right = tmp;
 	}
 
 	expr = relational_expr_alloc(loc, op, left, right);
 	ctx->stmt = expr_stmt_alloc(loc, expr);
+	return;
+err_free:
+	expr_free(left);
+	expr_free(right);
 }
 
 static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
-- 
2.24.1

[nft PATCH 3/4] segtree: Fix for potential NULL-pointer deref in ei_insert()

[Phil Sutter]

Covscan complained about potential deref of NULL 'lei' pointer,
Interestingly this can't happen as the relevant goto leading to that
(in line 260) sits in code checking conflicts between new intervals and
since those are sorted upon insertion, only the lower boundary may
conflict (or both, but that's covered before).

Given the needed investigation to proof covscan wrong and the actually
wrong (but impossible) code, better fix this as if element ordering was
arbitrary to avoid surprises if at some point it really becomes that.

Fixes: 4d6ad0f310d6c ("segtree: check for overlapping elements at insertion")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/segtree.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/segtree.c b/src/segtree.c
index e8e32412f3a41..04c0e915263b9 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -205,8 +205,11 @@ static int ei_insert(struct list_head *msgs, struct seg_tree *tree,
 		pr_gmp_debug("insert: [%Zx %Zx]\n", new->left, new->right);
 
 	if (lei != NULL && rei != NULL && lei == rei) {
-		if (!merge)
+		if (!merge) {
+			expr_binary_error(msgs, lei->expr, new->expr,
+					  "conflicting intervals specified");
 			goto err;
+		}
 		/*
 		 * The new interval is entirely contained in the same interval,
 		 * split it into two parts:
@@ -228,8 +231,11 @@ static int ei_insert(struct list_head *msgs, struct seg_tree *tree,
 		ei_destroy(lei);
 	} else {
 		if (lei != NULL) {
-			if (!merge)
+			if (!merge) {
+				expr_binary_error(msgs, lei->expr, new->expr,
+						  "conflicting intervals specified");
 				goto err;
+			}
 			/*
 			 * Left endpoint is within lei, adjust it so we have:
 			 *
@@ -248,8 +254,11 @@ static int ei_insert(struct list_head *msgs, struct seg_tree *tree,
 			}
 		}
 		if (rei != NULL) {
-			if (!merge)
+			if (!merge) {
+				expr_binary_error(msgs, rei->expr, new->expr,
+						  "conflicting intervals specified");
 				goto err;
+			}
 			/*
 			 * Right endpoint is within rei, adjust it so we have:
 			 *
@@ -276,8 +285,7 @@ static int ei_insert(struct list_head *msgs, struct seg_tree *tree,
 	return 0;
 err:
 	errno = EEXIST;
-	return expr_binary_error(msgs, lei->expr, new->expr,
-				 "conflicting intervals specified");
+	return -1;
 }
 
 /*
-- 
2.24.1

[nft PATCH 4/4] netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt()

[Phil Sutter]

With payload_needs_l4csum_update_pseudohdr() unconditionally
dereferencing passed 'desc' parameter and a previous check for it to be
non-NULL, make sure to call the function only if input is sane.

Fixes: 68de70f2b3fc6 ("netlink_linearize: fix IPv6 layer 4 checksum mangling")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/netlink_linearize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 498326d0087a1..cb1b7fe1748b2 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -941,7 +941,7 @@ static void netlink_gen_payload_stmt(struct netlink_linearize_ctx *ctx,
 		nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_CSUM_OFFSET,
 				   csum_off / BITS_PER_BYTE);
 	}
-	if (expr->payload.base == PROTO_BASE_NETWORK_HDR &&
+	if (expr->payload.base == PROTO_BASE_NETWORK_HDR && desc &&
 	    payload_needs_l4csum_update_pseudohdr(expr, desc))
 		nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS,
 				   NFT_PAYLOAD_L4CSUM_PSEUDOHDR);
-- 
2.24.1

Re: [nft PATCH 1/4] netlink: Fix leak in unterminated string deserializer

[Pablo Neira Ayuso]

On Mon, Jan 20, 2020 at 05:25:37PM +0100, Phil Sutter wrote:
> Allocated 'mask' expression is not freed before returning to caller,
> although it is used temporarily only.
> 
> Fixes: b851ba4731d9f ("src: add interface wildcard matching")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Re: [nft PATCH 2/4] netlink: Fix leaks in netlink_parse_cmp()

[Pablo Neira Ayuso]

On Mon, Jan 20, 2020 at 05:25:38PM +0100, Phil Sutter wrote:
> This fixes several problems at once:
> 
> * Err path would leak expr 'right' in two places and 'left' in one.
> * Concat case would leak 'right' by overwriting the pointer. Introduce a
>   temporary variable to hold the new pointer.
> 
> Fixes: 6377380bc265f ("netlink_delinearize: handle relational and lookup concat expressions")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Re: [nft PATCH 3/4] segtree: Fix for potential NULL-pointer deref in ei_insert()

[Pablo Neira Ayuso]

On Mon, Jan 20, 2020 at 05:25:39PM +0100, Phil Sutter wrote:
> Covscan complained about potential deref of NULL 'lei' pointer,
> Interestingly this can't happen as the relevant goto leading to that
> (in line 260) sits in code checking conflicts between new intervals and
> since those are sorted upon insertion, only the lower boundary may
> conflict (or both, but that's covered before).
> 
> Given the needed investigation to proof covscan wrong and the actually
> wrong (but impossible) code, better fix this as if element ordering was
> arbitrary to avoid surprises if at some point it really becomes that.
> 
> Fixes: 4d6ad0f310d6c ("segtree: check for overlapping elements at insertion")

Not fixing anything. Tell them to fix covscan :-)

Re: [nft PATCH 4/4] netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt()

[Pablo Neira Ayuso]

On Mon, Jan 20, 2020 at 05:25:40PM +0100, Phil Sutter wrote:
> With payload_needs_l4csum_update_pseudohdr() unconditionally
> dereferencing passed 'desc' parameter and a previous check for it to be
> non-NULL, make sure to call the function only if input is sane.
> 
> Fixes: 68de70f2b3fc6 ("netlink_linearize: fix IPv6 layer 4 checksum mangling")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks.

Re: [nft PATCH 3/4] segtree: Fix for potential NULL-pointer deref in ei_insert()

[Phil Sutter]

Hi Pablo,

On Tue, Jan 21, 2020 at 01:56:12PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Jan 20, 2020 at 05:25:39PM +0100, Phil Sutter wrote:
> > Covscan complained about potential deref of NULL 'lei' pointer,
> > Interestingly this can't happen as the relevant goto leading to that
> > (in line 260) sits in code checking conflicts between new intervals and
> > since those are sorted upon insertion, only the lower boundary may
> > conflict (or both, but that's covered before).
> > 
> > Given the needed investigation to proof covscan wrong and the actually
> > wrong (but impossible) code, better fix this as if element ordering was
> > arbitrary to avoid surprises if at some point it really becomes that.
> > 
> > Fixes: 4d6ad0f310d6c ("segtree: check for overlapping elements at insertion")
> 
> Not fixing anything. Tell them to fix covscan :-)

Well, I guess covscan is simply not intelligent enough to detect the
impact of previous element sorting. :)

Please see my follow-up series which changes the code to actually make
use of the sorted input data. As noted in its cover letter, the code may
change again if we implement merging new with existing elements.
Depending on actual implementation, a completely different logic may be
required then since "changed" existing elements have to be recorded (so
their original version is removed from kernel).

Cheers, Phil

Re: [nft PATCH 3/4] segtree: Fix for potential NULL-pointer deref in ei_insert()

[Phil Sutter]

On Mon, Jan 27, 2020 at 02:24:48PM +0100, Phil Sutter wrote:
> Hi Pablo,
> 
> On Tue, Jan 21, 2020 at 01:56:12PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Jan 20, 2020 at 05:25:39PM +0100, Phil Sutter wrote:
> > > Covscan complained about potential deref of NULL 'lei' pointer,
> > > Interestingly this can't happen as the relevant goto leading to that
> > > (in line 260) sits in code checking conflicts between new intervals and
> > > since those are sorted upon insertion, only the lower boundary may
> > > conflict (or both, but that's covered before).
> > > 
> > > Given the needed investigation to proof covscan wrong and the actually
> > > wrong (but impossible) code, better fix this as if element ordering was
> > > arbitrary to avoid surprises if at some point it really becomes that.
> > > 
> > > Fixes: 4d6ad0f310d6c ("segtree: check for overlapping elements at insertion")
> > 
> > Not fixing anything. Tell them to fix covscan :-)
> 
> Well, I guess covscan is simply not intelligent enough to detect the
> impact of previous element sorting. :)

Or maybe I am not intelligent enough to read and comprehend the sorting
function. ;)

Meanwhile I managed to find a reproducer for covscan's complaint:

With a ruleset of:

| table ip t {
| 	set s {
| 		type inet_service
| 		flags interval
| 	}
| }

The following command segfaults:

| # nft add element t s '{ 10-40, 5-15 }'

According to gdb it happens the line above
'return expr_binary_error(...)' in ei_insert(), namely segtree.c:279. No
idea why it's in the wrong line, but it seems to be just the reported
issue as 'lei' is NULL.

Interestingly, adding a rule with an anonymous set and the same elements
works fine, no idea why.

What do you think, should I continue investigating or can we just go
with my original fix (for now at least)?

Cheers, Phil