Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, I'd like to get an update to iproute2 into stretch to fix a 'tc' segfault. libxtables now makes it mandatory to initialize a structure member, and tc segfaults when that isn't done. I've used codesearch to find other packages possibly affected by this but found no obvious issues, see details/report in [1]. 1. https://bugs.debian.org/868059#20 Unfortunately, the bugfix isn't sufficient, since there's also an embedded copy of the xtables.h header, and a structure got updated with a new member (right in the middle) during the latest ABI bump; as a result, the outdated header leads tc to compute the wrong addresses inside the struct. The proposed patch fixes this issue as well. Changelog entry: | iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium | | * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6; | the xtables_globals structure needs to have its new member compat_rev | initialized. (Closes: #868059) | * Sync include/xtables.h from iptables to make sure the right offset is | used when accessing structure members defined in libxtables. One could | get “Extension does not know id …” otherwise. (See also: #868059) | | -- Cyril Brulebois <cy...@debamax.com> Fri, 24 Nov 2017 09:22:10 +0000 The fix is in unstable, has been tested in stretch for a customer on both amd64 and i386, and can be found attached. Thanks for considering. -- Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru iproute2-4.9.0/debian/changelog iproute2-4.9.0/debian/changelog
--- iproute2-4.9.0/debian/changelog 2016-12-13 15:57:50.000000000 +0000
+++ iproute2-4.9.0/debian/changelog 2017-11-24 09:22:10.000000000 +0000
@@ -1,3 +1,14 @@
+iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
+
+ * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
+ the xtables_globals structure needs to have its new member compat_rev
+ initialized. (Closes: #868059)
+ * Sync include/xtables.h from iptables to make sure the right offset is
+ used when accessing structure members defined in libxtables. One could
+ get “Extension does not know id …” otherwise. (See also: #868059)
+
+ -- Cyril Brulebois <cy...@debamax.com> Fri, 24 Nov 2017 09:22:10 +0000
+
 iproute2 (4.9.0-1) unstable; urgency=medium
 
 * New upstream release, tested by Julian Wollrath.
diff -Nru iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch
--- iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch 1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch 2017-11-24 09:20:48.000000000 +0000
@@ -0,0 +1,36 @@
+From 97a02cabefb2e2dcfe27f89943709afa84be5525 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <p...@nwl.cc>
+Date: Thu, 12 Jan 2017 15:22:49 +0100
+Subject: [PATCH] tc: m_xt: Fix segfault with iptables-1.6.0
+
+Said iptables version introduced struct xtables_globals field
+'compat_rev', a function pointer. Initializing it is mandatory as
+libxtables calls it without existence check.
+
+Without this, tc segfaults when using the xt action like so:
+
+| tc filter add dev d0 parent ffff: u32 match u32 0 0 \
+| action xt -j MARK --set-mark 20
+
+Signed-off-by: Phil Sutter <p...@nwl.cc>
+---
+ tc/m_xt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tc/m_xt.c b/tc/m_xt.c
+index dbb54981..57ed40d7 100644
+--- a/tc/m_xt.c
++++ b/tc/m_xt.c
+@@ -77,6 +77,9 @@ static struct xtables_globals tcipt_globals = {
+ .orig_opts = original_opts,
+ .opts = original_opts,
+ .exit_err = NULL,
++#if (XTABLES_VERSION_CODE >= 11)
++ .compat_rev = xtables_compatible_revision,
++#endif
+ };
+
+ /*
+--
+2.11.0
+
diff -Nru iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch
--- iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch 1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch 2017-11-24 09:21:11.000000000 +0000
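Review bot: The 0003 patch file carries only the git format-patch headers, while 0004 in the same series uses DEP-3 fields, so 0003 never names the Debian bug it closes or marks itself as a backport; adding `Origin: backport, commit:97a02cabefb2e2dcfe27f89943709afa84be5525` and `Bug-Debian: https://bugs.debian.org/868059` above the `---` separator would keep the two patches consistent without touching the upstream hunk. Note also that the `#if (XTABLES_VERSION_CODE >= 11)` guard in the m_xt.c hunk is evaluated against whichever xtables.h the build picks up — presumably iproute2's embedded include/xtables.h rather than the installed libxtables — so if that embedded copy ever reports a version below 11, `compat_rev` silently stays NULL and the segfault the commit message describes returns; the 0004 header sync is what keeps this true here, which is worth stating in the changelog or patch description. The tcipt_globals initializer continues outside the inner hunk.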
@@ -0,0 +1,102 @@
+Description: Sync header from iptables
+ The current versions in several suites have the same content:
+ - 1.6.0+snapshot20161117-6 (stretch)
+ - 1.6.1-2 (unstable)
+Bug: https://bugs.debian.og/868059
+Forwarded: not-needed
+Author: Cyril Brulebois <cy...@debamax.com>
+Last-Update: 2017-11-22
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -205,9 +205,24 @@ enum xtables_ext_flags {
+ XTABLES_EXT_ALIAS = 1 << 0,
+ };
+
++struct xt_xlate;
++
++struct xt_xlate_mt_params {
++ const void *ip;
++ const struct xt_entry_match *match;
++ int numeric;
++ bool escape_quotes;
++};
++
++struct xt_xlate_tg_params {
++ const void *ip;
++ const struct xt_entry_target *target;
++ int numeric;
++ bool escape_quotes;
++};
++
+ /* Include file for additions: new matches and targets. */
+-struct xtables_match
+-{
++struct xtables_match {
+ /*
+ * ABI/API version this module requires. Must be first member,
+ * as the rest of this struct may be subject to ABI changes.
+@@ -269,6 +284,10 @@ struct xtables_match
+ void (*x6_fcheck)(struct xt_fcheck_call *);
+ const struct xt_option_entry *x6_options;
+
++ /* Translate iptables to nft */
++ int (*xlate)(struct xt_xlate *xl,
++ const struct xt_xlate_mt_params *params);
++
+ /* Size of per-extension instance extra "global" scratch space */
+ size_t udata_size;
+
+@@ -280,8 +299,7 @@ struct xtables_match
+ unsigned int loaded; /* simulate loading so options are merged properly */
+ };
+
+-struct xtables_target
+-{
++struct xtables_target {
+ /*
+ * ABI/API version this module requires. Must be first member,
+ * as the rest of this struct may be subject to ABI changes.
+@@ -346,6 +364,10 @@ struct xtables_target
+ void (*x6_fcheck)(struct xt_fcheck_call *);
+ const struct xt_option_entry *x6_options;
+
++ /* Translate iptables to nft */
++ int (*xlate)(struct xt_xlate *xl,
++ const struct xt_xlate_tg_params *params);
++
+ size_t udata_size;
+
+ /* Ignore these men behind the curtain: */
+@@ -406,6 +428,17 @@ struct xtables_globals
+
+ #define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false}
+
++/*
++ * enum op-
++ *
++ * For writing clean nftables translations code
++ */
++enum xt_op {
++ XT_OP_EQ,
++ XT_OP_NEQ,
++ XT_OP_MAX,
++};
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -548,6 +581,14 @@ extern void xtables_lmap_free(struct xta
+ extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *);
+ extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
+
++/* xlate infrastructure */
++struct xt_xlate *xt_xlate_alloc(int size);
++void xt_xlate_free(struct xt_xlate *xl);
++void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
++void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
++const char *xt_xlate_get_comment(struct xt_xlate *xl);
++const char *xt_xlate_get(struct xt_xlate *xl);
++
+ #ifdef XTABLES_INTERNAL
+
+ /* Shipped modules rely on this... */
diff -Nru iproute2-4.9.0/debian/patches/series iproute2-4.9.0/debian/patches/series
--- iproute2-4.9.0/debian/patches/series 2016-03-24 10:13:06.000000000 +0000
+++ iproute2-4.9.0/debian/patches/series 2017-11-24 09:21:11.000000000 +0000
@@ -1,2 +1,4 @@
 0001-Add-moo-feature.patch
 0002-txtdocs.patch
+0003-fix-segfault-with-iptables-1.6.patch
+0004-sync-iptables-header.patch
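Review bot: The DEP-3 header of 0004 has a misspelled bug URL, `Bug: https://bugs.debian.og/868059` (`.og` instead of `.org`), so the link is dead; it should read `Bug: https://bugs.debian.org/868059`, matching the reference used in the changelog and the cover mail. The synced struct definitions also introduce `bool escape_quotes` members, which require `<stdbool.h>` to be in scope wherever the embedded include/xtables.h is consumed; the hunks do not show the header's include block, so this is worth confirming rather than assuming. Since the whole point of the sync is that member offsets in `struct xtables_match` and `struct xtables_target` now agree with the installed libxtables, stating in the Description which XTABLES_VERSION_CODE the synced copy corresponds to would make the next ABI bump easier to spot.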