Bug 1476664 - ss filter parsing bug causes crash
ss filter parsing bug causes crash
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: iproute (Show other bugs)
6.9
All Linux
high Severity high
: rc
: ---
Assigned To: Phil Sutter
Jaroslav Aster
Ioanna Gkioka
:
Depends On:
Blocks: 1506394
  Show dependency treegraph
 
Reported: 2017-07-31 02:43 EDT by Martin Schwenke
Modified: 2018-06-19 01:11 EDT (History)
10 users (show)

See Also:
Fixed In Version: iproute-2.6.32-57.el6
Doc Type: Bug Fix
Doc Text:
The `ss` program no longer stops when providing a long list of filters Previously, providing a long list of filters to the "ss" command caused an integer value overflow. As a consequence, the 'ss' tool could stop the program execution. With this update, faulty bits in the source code are corrected, and the described problem no longer occurs.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-19 01:10:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 511720 None None None 2017-07-31 02:43 EDT
Red Hat Product Errata RHBA-2018:1867 None None None 2018-06-19 01:11 EDT

  None (edit)
Description Martin Schwenke 2017-07-31 02:43:27 EDT
Description of problem:

ss crashes when the filter is too long/complex

Version-Release number of selected component (if applicable):

iproute-2.6.32-54.el6.x86_64

How reproducible:

Very reliable

Steps to Reproduce:

1. valgrind -q ss -tn state established 'src 10.0.0.31:22 || src 10.0.0.32:22 || src 10.0.0.33:22 || src 10.0.0.34:22 || src 10.0.0.35:22 || src 10.0.0.36:22 || src 10.0.0.37:22 || src 10.0.0.38:22'  

Actual results:

  Recv-Q Send-Q    Local Address:Port      Peer Address:Port 
  ==4372== Warning: silly arg (-100) to malloc()
  Aborted (core dumped)

Expected results:

  A possibly empty list of connections.  valgrind still complains but it is at least non-fatal.

Additional info:

This can obviously be recreated without valgrind.  However, valgrind points out the nature of the problem.

The problem is that the following upstream commit is missing:

commit 2a4fa1c305742e4bfbc2960c40e0d1ee55b30694
Author: Andreas Henriksson <andreas@fatal.se>
Date:   Wed Nov 13 09:46:42 2013 +0100

    ss: avoid passing negative numbers to malloc
    
    Example:
    
    $ ss state established \( sport = :4060  or sport = :4061 or sport = :4062  or sport = :4063 or sport = :4064  or sport = :4065 or sport = :4066  or sport = :4067 \)  > /dev/null
    Aborted
    
    In the example above ssfilter_bytecompile(...) will return (int)136.
    char l1 = 136; means -120 which will result in a negative number
    being passed to malloc at misc/ss.c:913.
    
    Simply declare l1 and l2 as integers to avoid the char overflow.
    
    This is one of the issues originally reported in http://bugs.debian.org/511720
    
    Fix the same problem in other code paths as well (thanks to Eric Dumazet).
    
    Reported-by: Andreas Schuldei <andreas@debian.org>
    Signed-off-by: Andreas Henriksson <andreas@fatal.se>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
Comment 15 errata-xmlrpc 2018-06-19 01:10:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1867

Note You need to log in before you can comment on or make changes to this bug.