Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The related nftables bug is: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359

[ Reason ]
nftables uses a fixed-size array containing the locations of the expressions within each rule that it sends to the kernel, in order to provide more informative error reporting. If the rule is rejected by the kernel, the kernel provides an ID for the expression that was responsible, and nftables uses this to highlight it when printing the rule in the error message:

# nft add rule t c iif lo reject with icmp 255
Error: Could not process rule: Invalid argument
add rule t c iif lo reject with icmp 255
^^^^^^

There is an off-by-one error in the bounds check performed before the details of an expression are added to this array. As a result, if a rule contains enough expressions, nftables writes past the end of the array, leading to memory corruption and possibly crashes.

This bug has been present throughout the lifetime of Bullseye.

[ Impact ]
nftables will continue to crash if given sufficiently long rules.

[ Tests ]
I have manually tested that the fixed version does not exhibit the memory corruption in a Bullseye chroot.

[ Risks ]
The fix is a one-line code change. The patch is taken directly from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream fix corrects the bounds check so that, once the number of locations stored in the array equals the size of the array, no new location is added. The upstream patch has been added to the package to apply the same change to the packaged source.
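The bounds check described in [ Reason ] and [ Changes ], modelled in C as an added example (not nftables' own code): a simplified struct cmd with a small LOC_MAX standing in for NFT_NLATTR_LOC_MAX and a guard slot placed right after the real array, so the one-past-the-end store allowed by the pre-patch '>' check can be observed next to the '>=' check from the upstream fix. The struct layout, the value of LOC_MAX and the guard value are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed small stand-in for NFT_NLATTR_LOC_MAX; the real constant is larger. */
#define LOC_MAX 4
#define GUARD_VALUE 0xFFFFu

struct location { int line; int column; };

/* Simplified model of nftables' struct cmd: attr[] has LOC_MAX real entries plus
 * one guard slot, so the off-by-one store lands in memory this program owns. */
struct cmd {
	uint32_t num_attrs;
	struct { uint16_t offset; const struct location *loc; } attr[LOC_MAX + 1];
};

typedef void (*add_loc_fn)(struct cmd *, uint16_t, const struct location *);

/* Pre-patch check: '>' still accepts num_attrs == LOC_MAX, so the store below
 * goes to attr[LOC_MAX], one element past the real array. */
static void cmd_add_loc_buggy(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (cmd->num_attrs > LOC_MAX)
		return;
	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
}

/* Upstream fix: '>=' drops further locations once the array is full; they are
 * only used to annotate error messages, so losing them is harmless. */
static void cmd_add_loc_fixed(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (cmd->num_attrs >= LOC_MAX)
		return;
	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
}

/* Push n constructed expression locations through the given check and report
 * whether the guard slot survived (1) or was overwritten (0). */
static int guard_intact_after(add_loc_fn add, unsigned n)
{
	static const struct location loc = { 1, 1 };
	struct cmd cmd;
	memset(&cmd, 0, sizeof(cmd));
	cmd.attr[LOC_MAX].offset = GUARD_VALUE;
	for (unsigned i = 0; i < n; i++)
		add(&cmd, (uint16_t)i, &loc);
	return cmd.attr[LOC_MAX].offset == GUARD_VALUE;
}
```

With LOC_MAX + 1 locations the '>' variant clobbers the guard while the '>=' variant leaves it untouched; with exactly LOC_MAX locations both behave identically, which is why the bug only shows up on sufficiently long rules.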
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog --- nftables-0.9.8/debian/changelog 2021-07-20 09:01:47.000000000 +0100 +++ nftables-0.9.8/debian/changelog 2022-07-16 10:29:27.000000000 +0100 @@ -1,3 +1,13 @@ +nftables (0.9.8-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch + It fixes a one off for the check for NFT_NLATTR_LOC_MAX + which leads to double free or corruption (out) error + (closes: #1017359). + + -- Sven Auhagen <sven.auha...@voleatech.de> Sat, 16 Jul 2022 11:29:27 +0200 + nftables (0.9.8-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch --- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 1970-01-01 01:00:00.000000000 +0100 +++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 2022-07-16 10:29:27.000000000 +0100 
@@ -0,0 +1,32 @@ +From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001 +From: Phil Sutter <p...@nwl.cc> +Date: Fri, 11 Jun 2021 17:08:34 +0200 +Subject: rule: Fix for potential off-by-one in cmd_add_loc() + +Using num_attrs as index means it must be at max one less than the +array's size at function start. + +Fixes: 27362a5bfa433 ("rule: larger number of error locations") +Signed-off-by: Phil Sutter <p...@nwl.cc> +--- + src/rule.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +(limited to 'src/rule.c') + +diff --git a/src/rule.c b/src/rule.c +index dbbe744e..92daf2f3 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, + + void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc) + { +- if (cmd->num_attrs > NFT_NLATTR_LOC_MAX) ++ if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX) + return; + + cmd->attr[cmd->num_attrs].offset = offset; +-- +cgit v1.2.3 + diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series --- nftables-0.9.8/debian/patches/series 2021-07-20 09:01:47.000000000 +0100 +++ nftables-0.9.8/debian/patches/series 2022-07-16 10:29:27.000000000 +0100 @@ -1 +1,2 @@ payload-check-icmp-dependency-before-removing-previo.patch +rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
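Review bot: the debian/changelog hunk targets "unstable" with version 0.9.8-3.2, but this request is tagged bullseye/pu: a stable update needs the distribution set to bullseye and a version that sorts below unstable's, conventionally 0.9.8-3.1+deb11u1 on top of the 0.9.8-3.1 currently in bullseye. The entry text "It fixes a one off for the check for NFT_NLATTR_LOC_MAX" would also read better as "Fix off-by-one in the NFT_NLATTR_LOC_MAX bounds check in cmd_add_loc()", and the bug reference is conventionally written "(Closes: #1017359)".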
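Review bot: the new patch file only carries the git From/Date/Subject trailer; adding DEP-3 fields such as "Origin: upstream, commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd" and "Bug-Debian: https://bugs.debian.org/1017359" above the "---" separator would make the provenance machine-readable. The code change itself is correct: num_attrs is used directly as the index into attr[], so with NFT_NLATTR_LOC_MAX elements the largest valid index is NFT_NLATTR_LOC_MAX - 1, and only ">=" rejects the store once num_attrs has reached NFT_NLATTR_LOC_MAX; a one-line comment at the early return noting that surplus locations are intentionally dropped (they only serve error annotation) would help the next reader.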