Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
On 5/28/19 11:26 AM, Arturo Borrero Gonzalez wrote:
> On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
>> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>>> Package: iptables
>>> Version: 1.8.2-4
>>> Severity: grave
>>> File: /usr/sbin/xtables-nft-multi
>>> Justification: renders package unusable by segfaulting on usage
>>>
>>> Reproducer:
>>> # cat simple-segv-table
>>> *filter
>>> :NEW-OUTPUT - [0:0]
>>> -A OUTPUT -j NEW-OUTPUT
>>> -F NEW-OUTPUT
>>> -A NEW-OUTPUT -j ACCEPT
>>> COMMIT
>>>
>>> # iptables ./simple-segv-table
>>> Segmentation fault
>>>
>>> # dmesg | tail -1
>>> [12860.813350] traps: iptables-restor[19173] general protection
>>> ip:7f4894682793 sp:7ffcedc177d0 error:0 in
>>> libnftnl.so.11.0.0[7f4894677000+17000]
>>>
>>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf
>>> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>>> nftnl_batch_is_supported
>>> ??:?
>>>
>>
>> I can reproduce this.
>>
>> I'm already looking for a fix.
>>
>
> This should be fixed in iptables 1.8.3, which just got released.
>

Yes, I can confirm, it works again with iptables 1.8.3-1~exp1 and libnftnl 1.1.3-1~exp1. Much thanks for the quick response!
Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>> Package: iptables
>> Version: 1.8.2-4
>> Severity: grave
>> File: /usr/sbin/xtables-nft-multi
>> Justification: renders package unusable by segfaulting on usage
>>
>> Reproducer:
>> # cat simple-segv-table
>> *filter
>> :NEW-OUTPUT - [0:0]
>> -A OUTPUT -j NEW-OUTPUT
>> -F NEW-OUTPUT
>> -A NEW-OUTPUT -j ACCEPT
>> COMMIT
>>
>> # iptables ./simple-segv-table
>> Segmentation fault
>>
>> # dmesg | tail -1
>> [12860.813350] traps: iptables-restor[19173] general protection
>> ip:7f4894682793 sp:7ffcedc177d0 error:0 in
>> libnftnl.so.11.0.0[7f4894677000+17000]
>>
>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf
>> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>> nftnl_batch_is_supported
>> ??:?
>>
>
> I can reproduce this.
>
> I'm already looking for a fix.
>

This should be fixed in iptables 1.8.3, which just got released.
Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
> Package: iptables
> Version: 1.8.2-4
> Severity: grave
> File: /usr/sbin/xtables-nft-multi
> Justification: renders package unusable by segfaulting on usage
>
> Reproducer:
> # cat simple-segv-table
> *filter
> :NEW-OUTPUT - [0:0]
> -A OUTPUT -j NEW-OUTPUT
> -F NEW-OUTPUT
> -A NEW-OUTPUT -j ACCEPT
> COMMIT
>
> # iptables ./simple-segv-table
> Segmentation fault
>
> # dmesg | tail -1
> [12860.813350] traps: iptables-restor[19173] general protection
> ip:7f4894682793 sp:7ffcedc177d0 error:0 in
> libnftnl.so.11.0.0[7f4894677000+17000]
>
> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf
> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
> nftnl_batch_is_supported
> ??:?
>

I can reproduce this.

I'm already looking for a fix.
Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
Changing the iptables alternative to use the legacy binaries causes the segfault not to occur.
Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
> [snip]
> Anyway, on a Debian Stretch system installed from the latest weekly ISO,
> restoring a relatively simple IP Table with a single "intermediate" chain
> causes a segfault and no restoration of said table.

Sorry, above I meant: s/Stretch/Buster/
Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
Package: iptables
Version: 1.8.2-4
Severity: grave
File: /usr/sbin/xtables-nft-multi
Justification: renders package unusable by segfaulting on usage

Dear Maintainer,

First, it may be that this should actually be filed against nftables, so I'd like to say sorry in advance if I made noise to the wrong people.

Anyway, on a Debian Stretch system installed from the latest weekly ISO, restoring a relatively simple IP Table with a single "intermediate" chain causes a segfault and no restoration of said table.

Reproducer:
# cat simple-segv-table
*filter
:NEW-OUTPUT - [0:0]
-A OUTPUT -j NEW-OUTPUT
-F NEW-OUTPUT
-A NEW-OUTPUT -j ACCEPT
COMMIT

# iptables ./simple-segv-table
Segmentation fault

# dmesg | tail -1
[12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]

# addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
nftnl_batch_is_supported
??:?

(hope that my addr2line foo isn't too much off)

The above example works just fine on a Debian Stretch 9.9 based machine.

As I initially produced this on a, let's say, far from minimal and a bit Frankenstein'ed Buster, I installed the netinst weekly ISO again in a QEMU/KVM backed VM, same outcome.

As said, this may well be an issue in the linked libnftnl shared library, but could also be an issue from how iptables uses it; as I produced the error by calling into an iptables-provided binary I chose to report it here (not sure if one can report against multiple packages).
-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
ii  nftables  0.9.0-2

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information
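Two things an administrator triaging this report wants to do quickly are (a) turn the kernel's `traps:` line into the offset that `addr2line` needs, as the reporter did by hand with `$[...]`, and (b) tell whether a host is running the nf_tables backend at a version below the 1.8.3 release the maintainer named as fixed. The script below is an added example, not code from the bug report or from the iptables or Debian projects. It assumes the `traps:` line format shown in the report, assumes `iptables --version` prints a first line of the form `iptables v1.8.2 (nf_tables)` or `iptables v1.8.2 (legacy)`, and uses only the addresses quoted in the report as constructed sample input; the function names `trap_offset`, `ver_lt` and `backend_needs_update` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the bug report): compute an addr2line offset from a
# kernel "traps:" line, and check an `iptables --version` string against the
# 1.8.3 fix named in the thread.

# Constructed sample: the dmesg line from the report, joined onto one line.
SAMPLE_TRAP='[12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]'

# trap_offset LINE -> prints "<library> <hex offset into that library>"
# The offset is ip minus the mapping base printed in "lib[base+size]"; it is
# what the reporter fed to addr2line (-e <lib> -fCi <offset>).
trap_offset() {
    line=$1
    ip=$(printf '%s\n' "$line"   | sed -n 's/.* ip:\([0-9a-f]*\) .*/\1/p')
    lib=$(printf '%s\n' "$line"  | sed -n 's/.* in \([^[]*\)\[[0-9a-f]*+[0-9a-f]*\].*/\1/p')
    base=$(printf '%s\n' "$line" | sed -n 's/.* in [^[]*\[\([0-9a-f]*\)+[0-9a-f]*\].*/\1/p')
    [ -n "$ip" ] && [ -n "$lib" ] && [ -n "$base" ] || return 1
    printf '%s %x\n' "$lib" $(( 0x$ip - 0x$base ))
}

# ver_lt A B -> exit 0 if dotted numeric version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        top = (n > m) ? n : m
        for (i = 1; i <= top; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# backend_needs_update VERSION_LINE -> exit 0 when the line describes the
# nf_tables backend at a version below 1.8.3 (the release the maintainer said
# carries the fix). The legacy backend is not affected by this report, so it
# returns 1 regardless of version.
backend_needs_update() {
    case $1 in
        *"(nf_tables)"*) ;;
        *) return 1 ;;
    esac
    ver=$(printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    ver_lt "$ver" 1.8.3
}

# Stand-alone usage: resolve the sample fault and check the live binary.
if [ "${0##*/}" != "sh" ]; then
    trap_offset "$SAMPLE_TRAP"          # prints: libnftnl.so.11.0.0 b793
    if command -v iptables >/dev/null 2>&1 &&
       backend_needs_update "$(iptables --version 2>/dev/null | head -n1)"; then
        echo "iptables nf_tables backend older than 1.8.3: affected by #929527"
    fi
fi
```

The offset `b793` is the same value the reporter obtained from his own (differently based) addresses, so the `addr2line` call from the report can be reproduced as `addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi b793`. On Debian the switch described in the thread as avoiding the crash is `update-alternatives --set iptables /usr/sbin/iptables-legacy`; the version check above is the way to confirm afterwards that the host is no longer on an affected nf_tables build, or has moved to 1.8.3.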