Bug 1360789

Summary: Make sure concat_subtype_id() does not invoke undefined behaviour
Product: Red Hat Enterprise Linux 7 Reporter: Phil Sutter <psutter>
Component: nftablesAssignee: Phil Sutter <psutter>
Status: CLOSED ERRATA QA Contact: Karel Volný <kvolny>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: atragler, kvolny, mleitner, rkhan, sukulkar, todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nftables-0.6-4.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 18:56:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Phil Sutter 2016-07-27 13:34:52 UTC 
As reported by covscan:

expr_evaluate_concat() calls concat_subtype_lookup(type, --off), the signed 'off' might become negative as far as I can tell. The latter function in turn calls concat_subtype_id(type, n) where 'n' is '--off' converted to unsigned. In concat_subtype_id(), 'n' is used in the following expression:

return (type >> TYPE_BITS * n) & TYPE_MASK;

So 'TYPE_BITS * n' might exceed the number of bits in 'type' and therefore lead to undefined behaviour.
Comment 1 Phil Sutter 2016-09-08 13:33:35 UTC 
This is the upstream fix to backport:

commit 83e52f7a7f5eaa893e146d23ff2e9292179f9485
Author: Phil Sutter <phil>
Date:   Tue Aug 30 19:39:52 2016 +0200

    evaluate: Avoid undefined behaviour in concat_subtype_id()
    
    For the left side of a concat expression, dtype is NULL and therefore
    off is 0. In that case the code expects to get a datatype of
    TYPE_INVALID, but this is fragile as the output of concat_subtype_id()
    is undefined for n > 32 / TYPE_BITS.
    
    To fix this, call datatype_lookup() directly passing the expected
    TYPE_INVALID as argument if off is 0.
    
    Signed-off-by: Phil Sutter <phil>
    Signed-off-by: Pablo Neira Ayuso <pablo>
Comment 7 errata-xmlrpc 2017-08-01 18:56:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2047