Bug#1014705: bullseye-pu: package xtables-addons/3.13-1

2022-07-10 Thread Jeremy Sowden
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

The related xtables-addons bug is:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014680

[ Reason ]
xtables-addons-dkms and xtables-addons-source contain sources for building
kernel modules with DKMS and module-assistant, respectively.  The 5.10.0-16
kernel introduced in the 11.4 point release included a patch back-ported from
5.11 to 5.10.121:

  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/include/net/route.h?h=linux-5.10.y&id=6950ee32c1879818de03f13a9a5de1be41ad2782

This changes the parameters of the `security_skb_classify_flow` function, which
is called by one of the xtables-addons kernel modules, xt_ECHO.c.  The calling
code has been updated to pass the correct argument in a later upstream release.
However, the version in Bullseye now fails to build:

  /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c: In function 'echo_tg6':
  /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:100:55: error: passing argument 2 of 'security_skb_classify_flow' from incompatible pointer type [-Werror=incompatible-pointer-types]
    100 |  security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
        |                                                       ^~~~~~~~~~~~~~~~~~~~
        |                                                       |
        |                                                       struct flowi *
  In file included from /usr/src/linux-headers-5.10.0-16-common/include/net/scm.h:8,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/netlink.h:9,
                   from /usr/src/linux-headers-5.10.0-16-common/include/uapi/linux/neighbour.h:6,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/netdevice.h:46,
                   from /usr/src/linux-headers-5.10.0-16-common/include/net/inet_sock.h:19,
                   from /usr/src/linux-headers-5.10.0-16-common/include/linux/udp.h:16,
                   from /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:15:
  /usr/src/linux-headers-5.10.0-16-common/include/linux/security.h:1660:75: note: expected 'struct flowi_common *' but argument is of type 'struct flowi *'
   1660 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
        |                                                      ~~~~~~~~~~~~~~~~~~~~~^~~~

[ Impact ]
Building the modules fails.  This also means that installing the -dkms package
may fail:

  Loading new xtables-addons-3.13 DKMS files...
  It is likely that 5.19.0-rc3-nf-next-ulthar-20220707+ belongs to a chroot's host
  Building for 5.10.0-16-amd64
  Building initial module for 5.10.0-16-amd64
  Error!  Build of xt_ACCOUNT.ko failed for: 5.10.0-16-amd64 (x86_64)
  Make sure the name of the generated module is correct and at the root of the
  build directory, or consult make.log in the build directory
  /var/lib/dkms/xtables-addons/3.13/build/ for more information.
  dpkg: error processing package xtables-addons-dkms (--configure):
   installed xtables-addons-dkms package post-installation script subprocess returned error exit status 7

[ Tests ]
I've used piuparts and manual installation into a Bullseye chroot to verify that
the build fails with the version currently in Bullseye, but succeeds with the
proposed update.

[ Risks ]
The changes are minimal and reuse the upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Upstream introduced a C preprocessor conditional to check the kernel version and
ensure that the function is called with the correct arguments.  I have added a
patch to the package to make the same change to the packaged source.
diff -Nru xtables-addons-3.13/debian/changelog 
xtables-addons-3.13/debian/changelog
--- xtables-addons-3.13/debian/changelog2020-11-26 08:57:43.0 
+
+++ xtables-addons-3.13/debian/changelog2022-07-10 13:55:40.0 
+0100
@@ -1,3 +1,10 @@
+xtables-addons (3.13-1+deb11u1) bullseye; urgency=medium
+
+  * d/patches: add patch to correct `security_skb_classify_flow` argument
+(closes: #1014680)
+
+ -- Jeremy Sowden   Sun, 10 Jul 2022 13:55:40 +0100
+
 xtables-addons (3.13-1) unstable; urgency=medium
 
   * New upstream version 3.13.
diff -Nru 
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
 
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
--- 
xtables-addons-3.13/debian/patches/correct-security_skb_classify_flow-argument.patch
1970-01-01 01:00:00.0 +0100
+++ 
xtables-addons-3.13/debian/patches/correct-security
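The point of the upstream fix described in this request is that the API change arrived in the 5.10 stable series by backport, so a gate on `LINUX_VERSION_CODE >= 5.11` alone still mis-selects the argument type on 5.10.121 and later. The following user-space C program is an added illustration, not code from this bug report or from xtables-addons: it models the version gate as ordinary functions so the two boundaries (5.10.121 for the stable backport, 5.11.0 for mainline, both taken from the report above) can be checked against sample version codes. The `KERNEL_VERSION()` macro mirrors the kernel's own definition; the `flowi6_to_flowi_common()` helper named in the comment is the kernel's accessor for the new argument type and is not mentioned in the report. Treating branches other than 5.10.y as unchanged before 5.11 is an assumption of this example.

```c
/* Added example (not from the bug report or xtables-addons): modelling the
 * kernel-version gate that selects the right security_skb_classify_flow()
 * argument type. */
#include <stdbool.h>
#include <stdio.h>

/* Same encoding as <linux/version.h>; current kernels clamp SUBLEVEL to 255
 * so long-lived stable series cannot overflow into the minor field. */
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c)))

/* Which second argument security_skb_classify_flow() expects. */
enum flow_arg {
	FLOW_ARG_FLOWI,          /* struct flowi *, via flowi6_to_flowi() */
	FLOW_ARG_FLOWI_COMMON,   /* struct flowi_common *, via flowi6_to_flowi_common() */
};

/* Naive gate: assumes only mainline 5.11 changed the prototype. This is the
 * reasoning that breaks on Debian's 5.10.0-16 kernel (5.10.121+). */
enum flow_arg flow_arg_mainline_only(unsigned int code)
{
	return code >= KERNEL_VERSION(5, 11, 0) ? FLOW_ARG_FLOWI_COMMON : FLOW_ARG_FLOWI;
}

/* Gate that accounts for the stable backport: 5.11.0 and later, plus the
 * 5.10.y branch from 5.10.121 onwards (assumption: no other pre-5.11 branch
 * carries the backport). In a module this is the same test written as
 *
 *   #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0) || \
 *       (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 121) && \
 *        LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))
 *           security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl));
 *   #else
 *           security_skb_classify_flow(skb, flowi6_to_flowi(&fl));
 *   #endif
 */
enum flow_arg flow_arg_for(unsigned int code)
{
	if (code >= KERNEL_VERSION(5, 11, 0))
		return FLOW_ARG_FLOWI_COMMON;
	if (code >= KERNEL_VERSION(5, 10, 121) && code < KERNEL_VERSION(5, 11, 0))
		return FLOW_ARG_FLOWI_COMMON;
	return FLOW_ARG_FLOWI;
}

/* True where the naive gate would pick the wrong type for this kernel. */
bool naive_gate_disagrees(unsigned int code)
{
	return flow_arg_for(code) != flow_arg_mainline_only(code);
}

const char *flow_arg_name(enum flow_arg a)
{
	return a == FLOW_ARG_FLOWI ? "struct flowi *" : "struct flowi_common *";
}

int main(void)
{
	/* Constructed sample version codes, not read from any running kernel. */
	const unsigned int samples[] = {
		KERNEL_VERSION(5, 4, 200), KERNEL_VERSION(5, 10, 120),
		KERNEL_VERSION(5, 10, 121), KERNEL_VERSION(5, 11, 0),
		KERNEL_VERSION(6, 1, 0),
	};
	for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int code = samples[i];
		printf("%u.%u.%u: %-22s naive gate %s\n",
		       code >> 16, (code >> 8) & 0xff, code & 0xff,
		       flow_arg_name(flow_arg_for(code)),
		       naive_gate_disagrees(code) ? "WRONG" : "ok");
	}
	return 0;
}
```

The table the program prints marks 5.10.121 as the one sample where the naive gate is wrong, which is precisely the Bullseye build failure quoted in the report.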

Bug#1014705: bullseye-pu: package xtables-addons/3.13-1

2022-07-16 Thread Jeremy Sowden
On 2022-07-10, at 17:19:16 +0100, Jeremy Sowden wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> The related xtables-addons bug is:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014680
> 
> [ Reason ]
> xtables-addons-dkms and xtables-addons-source contain sources for building
> kernel modules with DKMS and module-assistant, respectively.  The 5.10.0-16
> kernel introduced in the 11.4 point release included a patch back-ported from
> 5.11 to 5.10.121:
> 
>   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/include/net/route.h?h=linux-5.10.y&id=6950ee32c1879818de03f13a9a5de1be41ad2782
> 
> This changes the parameters of the `security_skb_classify_flow` function, 
> which
> is called by one of the xtables-addons kernel modules, xt_ECHO.c.  The calling
> code has been updated to pass the correct argument in a later upstream 
> release.
> However, the version in Bullseye now fails to build:
> 
>   /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c: In function 'echo_tg6':
>   /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:100:55: error: passing argument 2 of 'security_skb_classify_flow' from incompatible pointer type [-Werror=incompatible-pointer-types]
>     100 |  security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
>         |                                                       ^~~~~~~~~~~~~~~~~~~~
>         |                                                       |
>         |                                                       struct flowi *
>   In file included from /usr/src/linux-headers-5.10.0-16-common/include/net/scm.h:8,
>                    from /usr/src/linux-headers-5.10.0-16-common/include/linux/netlink.h:9,
>                    from /usr/src/linux-headers-5.10.0-16-common/include/uapi/linux/neighbour.h:6,
>                    from /usr/src/linux-headers-5.10.0-16-common/include/linux/netdevice.h:46,
>                    from /usr/src/linux-headers-5.10.0-16-common/include/net/inet_sock.h:19,
>                    from /usr/src/linux-headers-5.10.0-16-common/include/linux/udp.h:16,
>                    from /var/lib/dkms/xtables-addons/3.13/build/extensions/xt_ECHO.c:15:
>   /usr/src/linux-headers-5.10.0-16-common/include/linux/security.h:1660:75: note: expected 'struct flowi_common *' but argument is of type 'struct flowi *'
>    1660 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
>         |                                                      ~~~~~~~~~~~~~~~~~~~~~^~~~

I've uploaded the package.

J.




Bug#1014705: bullseye-pu: package xtables-addons/3.13-1

2022-08-06 Thread Jeremy Sowden
On 2022-08-06, at 19:24:52 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sun, 2022-07-10 at 17:19 +0100, Jeremy Sowden wrote:
> > The related xtables-addons bug is:
> > 
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014680
> > 
> > [ Reason ]
> > xtables-addons-dkms and xtables-addons-source contain sources for
> > building
> > kernel modules with DKMS and module-assistant, respectively.  The
> > 5.10.0-16
> > kernel introduced in the 11.4 point release included a patch back-
> > ported from
> > 5.11 to 5.10.121:
> > 
> 
> The metadata of #1014680 implies that it affects the package in
> unstable and is not yet fixed there - is that correct? If so, then the
> fix needs to happen in unstable first; if not, please add an
> appropriate fixed version to make the situation clearer.

The problem arose because an API-changing patch was back-ported from
5.11 to 5.10 and this was picked up by the kernel released in 11.4.

The version of xtables-addons in unstable at the time 11.4 was released
(3.19-1) supported the new API for kernel versions >= 5.11, and so was
unaffected wrt. the kernel in unstable.

I have since uploaded the latest upstream release to unstable (3.21-1),
and that includes support for the problematic 5.10 kernels.  The patch I
have added in 3.13-1+deb11u1 is the one from upstream.  I have added a
fixed version to #1014680.

If you are happy to accept this change, is it a suitable candidate for
stable-updates given that the package has been broken since 11.4 came
out?

J.




Bug#1017723: bullseye-pu: package nftables/0.9.8-3.2

2022-08-19 Thread Jeremy Sowden
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

The related nftables bug is:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359

[ Reason ]
nftables uses a fixed-size array containing the locations of the
expressions within each rule that it sends to the kernel to provide more
informative error-reporting.  If the rule is rejected by the kernel, the
kernel will provide an ID for the expression which was responsible, and
nftables will use this to highlight it when outputting the rule in the
error message:

 # nft add rule t c iif lo reject with icmp 255
 Error: Could not process rule: Invalid argument
 add rule t c iif lo reject with icmp 255
 ^^

There is an off-by-one error in the bounds-checking used before adding
the details of an expression to this array.  The result of this is that
if a rule contains enough expressions, nftables will write past the end
of the array leading to memory-corruption and possibly crashes.

This bug has been present throughout the lifetime of Bullseye.

[ Impact ]
nftables will continue to crash if given sufficiently long rules.

[ Tests ]
I have manually tested that the fixed version does not exhibit the
memory corruption in a Bullseye chroot.

[ Risks ]
The fix is a one-line code-change.  The patch is taken directly from
upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream fix corrects the bounds-check to ensure that if the number
of locations stored in the array equals the size of the array, no new
location is added.  The upstream patch has been added to the package to
apply the same change to the packaged source.
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
--- nftables-0.9.8/debian/changelog 2021-07-20 09:01:47.0 +0100
+++ nftables-0.9.8/debian/changelog 2022-07-16 10:29:27.0 +0100
@@ -1,3 +1,13 @@
+nftables (0.9.8-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
+It fixes a one off for the check for NFT_NLATTR_LOC_MAX
+which leads to double free or corruption (out) error
+(closes: #1017359).
+
+ -- Sven Auhagen   Sat, 16 Jul 2022 11:29:27 +0200
+
 nftables (0.9.8-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
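Review bot: the new stanza `+nftables (0.9.8-3.2) unstable; urgency=medium` targets the wrong suite and version for a bullseye-pu: the distribution field should be `bullseye` and the version should follow the stable-update scheme, `0.9.8-3.1+deb11u1`, rather than `0.9.8-3.2`, which would collide with the unstable version space. The trailer `+ -- Sven Auhagen   Sat, 16 Jul 2022 11:29:27 +0200` also names someone other than the person filing this request; credit for the suggested fix belongs in the entry text (e.g. "Thanks to Sven Auhagen for suggesting the fix") and the trailer should carry the uploader's own name and date. Minor wording point at `+It fixes a one off for the check for NFT_NLATTR_LOC_MAX`: "one off" should read "off-by-one", e.g. "Fix off-by-one in the NFT_NLATTR_LOC_MAX bounds check".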
diff -Nru 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
--- 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
1970-01-01 01:00:00.0 +0100
+++ 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
2022-07-16 10:29:27.0 +0100
@@ -0,0 +1,32 @@
+From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
+From: Phil Sutter 
+Date: Fri, 11 Jun 2021 17:08:34 +0200
+Subject: rule: Fix for potential off-by-one in cmd_add_loc()
+
+Using num_attrs as index means it must be at max one less than the
+array's size at function start.
+
+Fixes: 27362a5bfa433 ("rule: larger number of error locations")
+Signed-off-by: Phil Sutter 
+---
+ src/rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'src/rule.c')
+
+diff --git a/src/rule.c b/src/rule.c
+index dbbe744e..92daf2f3 100644
+--- a/src/rule.c
 b/src/rule.c
+@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+ 
+ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
+ {
+-  if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
++  if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
+   return;
+ 
+   cmd->attr[cmd->num_attrs].offset = offset;
+-- 
+cgit v1.2.3
+
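Review bot: the `>` to `>=` change is the complete fix and is correct as written: `cmd->num_attrs` is used directly as the index in `cmd->attr[cmd->num_attrs].offset = offset;`, so with `>` the check still admits `num_attrs == NFT_NLATTR_LOC_MAX` and writes one element past an array of that size, which is the memory corruption reported in the bug; `>=` rejects exactly that case. One thing to verify in the patch file itself: the `+++ b/src/rule.c` header appears here as a bare ` b/src/rule.c` without its leading `+` markers, so confirm that the file under debian/patches carries the intact header before it is applied with quilt.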
diff -Nru nftables-0.9.8/debian/patches/series 
nftables-0.9.8/debian/patches/series
--- nftables-0.9.8/debian/patches/series2021-07-20 09:01:47.0 
+0100
+++ nftables-0.9.8/debian/patches/series2022-07-16 10:29:27.0 
+0100
@@ -1 +1,2 @@
 payload-check-icmp-dependency-before-removing-previo.patch
+rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
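The off-by-one in `cmd_add_loc()` that this request fixes is easy to see when the buggy and corrected checks run side by side. The C program below is an added example, not nftables' own code: it models the function from the upstream patch with a constructed `NFT_NLATTR_LOC_MAX` of 8 (the real value does not matter for the bug), keeps the upstream signature `cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)`, and gives the `attr` array one extra guard slot so that the overrun of the `>` variant is observable without undefined behaviour. The `struct location` and `struct cmd` layouts are simplified stand-ins for the real ones.

```c
/* Added example (not nftables' own code): the cmd_add_loc() bounds check
 * before and after the upstream fix, with an observable guard slot. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFT_NLATTR_LOC_MAX 8	/* constructed small value; real one is larger */

struct location { unsigned int line; unsigned int col; };	/* stand-in */

struct cmd_attr {
	uint16_t offset;
	const struct location *loc;
};

struct cmd {
	unsigned int num_attrs;
	/* The real array is NFT_NLATTR_LOC_MAX long. Index NFT_NLATTR_LOC_MAX
	 * is a guard slot that the buggy check lets the code write into;
	 * keeping it inside the object makes the overrun visible and safe. */
	struct cmd_attr attr[NFT_NLATTR_LOC_MAX + 1];
};

/* Before the fix: `>` still accepts num_attrs == NFT_NLATTR_LOC_MAX, and
 * that value is then used as the array index. */
static void cmd_add_loc_buggy(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
		return;
	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
}

/* After the fix: an index must be at most one less than the array size,
 * so refuse once num_attrs reaches NFT_NLATTR_LOC_MAX. */
static void cmd_add_loc_fixed(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
		return;
	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
}

typedef void (*add_loc_fn)(struct cmd *, uint16_t, const struct location *);

/* Push n expression locations (a long rule) through one variant. Returns how
 * many were stored; *guard_written reports whether the slot past the real
 * array was touched. */
static unsigned int run_rule(add_loc_fn add, unsigned int n, bool *guard_written)
{
	static const struct location loc = { 1, 1 };	/* constructed */
	struct cmd cmd;

	memset(&cmd, 0, sizeof(cmd));
	for (unsigned int i = 0; i < n; i++)
		add(&cmd, (uint16_t)i, &loc);
	*guard_written = cmd.attr[NFT_NLATTR_LOC_MAX].loc != NULL;
	return cmd.num_attrs;
}

unsigned int stored_buggy(unsigned int n) { bool g; return run_rule(cmd_add_loc_buggy, n, &g); }
unsigned int stored_fixed(unsigned int n) { bool g; return run_rule(cmd_add_loc_fixed, n, &g); }
bool buggy_overruns(unsigned int n) { bool g; run_rule(cmd_add_loc_buggy, n, &g); return g; }
bool fixed_overruns(unsigned int n) { bool g; run_rule(cmd_add_loc_fixed, n, &g); return g; }

int main(void)
{
	unsigned int n = NFT_NLATTR_LOC_MAX + 4;	/* "enough expressions" */

	printf("rule with %u expressions, array size %u\n", n, NFT_NLATTR_LOC_MAX);
	printf("buggy (>):  stored %u, guard slot written: %s\n",
	       stored_buggy(n), buggy_overruns(n) ? "yes" : "no");
	printf("fixed (>=): stored %u, guard slot written: %s\n",
	       stored_fixed(n), fixed_overruns(n) ? "yes" : "no");
	return 0;
}
```

With the buggy check the program stores NFT_NLATTR_LOC_MAX + 1 entries and writes the guard slot; with the fixed check it stores exactly NFT_NLATTR_LOC_MAX and leaves the guard untouched. In the real binary the guard slot is whatever follows `attr` in `struct cmd`, which is why the symptom is a glibc "double free or corruption" abort rather than a clean error.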


Bug#1017723: bullseye-pu: package nftables/0.9.8-3.2

2022-09-04 Thread Jeremy Sowden
On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote:
> On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote:
> > The related nftables bug is:
> > 
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
> > 
> > [ Reason ]
> > nftables uses a fixed-size array containing the locations of the
> > expressions within each rule that it sends to the kernel to provide
> > more informative error-reporting.  If the rule is rejected by the
> > kernel, the kernel will provide an ID for the expression which was
> > responsible, and nftables will use this to highlight it when
> > outputting the rule in the error message:
> > 
> >  # nft add rule t c iif lo reject with icmp 255
> >  Error: Could not process rule: Invalid argument
> >  add rule t c iif lo reject with icmp 255
> >  ^^
> > 
> > There is an off-by-one error in the bounds-checking used before
> > adding the details of an expression to this array.  The result of
> > this is that if a rule contains enough expressions, nftables will
> > write past the end of the array leading to memory-corruption and
> > possibly crashes.
> 
> The debdiff is somewhat confusing.
> 
> +nftables (0.9.8-3.2) unstable; urgency=medium
> 
> This is an upload to bullseye, not unstable. Additionally, the version
> should be 0.9.8-3.1+deb11u1.
> 
> + -- Sven Auhagen   Sat, 16 Jul 2022 11:29:27 +0200
> 
> Who is this? It's obviously not you, but also doesn't appear to be
> related to the nftables bug report you mentioned.

Whoops.  Silly mistakes.  Still learning the ropes.  I've amended the
change-log entry.

I've also added myself to `Uploaders` (I am already listed as one in
testing and unstable).

New debdiff attached.

Thanks for the pointers,

J.
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
--- nftables-0.9.8/debian/changelog 2021-07-20 09:01:47.0 +0100
+++ nftables-0.9.8/debian/changelog 2022-09-04 09:34:11.0 +0100
@@ -1,3 +1,14 @@
+nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
+
+  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
+It fixes a one off for the check for NFT_NLATTR_LOC_MAX
+which leads to double free or corruption (out) error.
+Thanks to Sven Auhagen  for
+suggesting the fix (closes: #1017359).
+  * d/control: add myself to uploaders.
+
+ -- Jeremy Sowden   Sun, 04 Sep 2022 09:34:11 +0100
+
 nftables (0.9.8-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
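Review bot: version and suite are now right (`+nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium`) and the trailer matches the uploader. Remaining wording nit at `+It fixes a one off for the check for NFT_NLATTR_LOC_MAX`: "one off" should read "off-by-one", e.g. "Fix an off-by-one in the NFT_NLATTR_LOC_MAX bounds check, which leads to a 'double free or corruption (out)' abort".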
diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control
--- nftables-0.9.8/debian/control   2021-07-20 09:01:47.0 +0100
+++ nftables-0.9.8/debian/control   2022-09-04 09:34:11.0 +0100
@@ -2,7 +2,8 @@
 Section: net
 Priority: important
 Maintainer: Debian Netfilter Packaging Team 

-Uploaders: Arturo Borrero Gonzalez 
+Uploaders: Arturo Borrero Gonzalez ,
+   Jeremy Sowden 
 Build-Depends: asciidoc-base,
automake,
bison,
diff -Nru 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
--- 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
1970-01-01 01:00:00.0 +0100
+++ 
nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
2022-09-04 09:26:53.0 +0100
@@ -0,0 +1,32 @@
+From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
+From: Phil Sutter 
+Date: Fri, 11 Jun 2021 17:08:34 +0200
+Subject: rule: Fix for potential off-by-one in cmd_add_loc()
+
+Using num_attrs as index means it must be at max one less than the
+array's size at function start.
+
+Fixes: 27362a5bfa433 ("rule: larger number of error locations")
+Signed-off-by: Phil Sutter 
+---
+ src/rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'src/rule.c')
+
+diff --git a/src/rule.c b/src/rule.c
+index dbbe744e..92daf2f3 100644
+--- a/src/rule.c
 b/src/rule.c
+@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+ 
+ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
+ {
+-  if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
++  if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
+   return;
+ 
+   cmd->attr[cmd->num_attrs].offset = offset;
+-- 
+cgit v1.2.3
+
diff -Nru nftables-0.9.8/debian/patches/series 
nftables-0.9.8/debian/patches/series
--- nftables-0.9.8/debian/patches/series2021-07-20 09:01:47.0 
+0100
+++ nftables-0.9.8/debian/patches/series2022-09-04 09:26:53.0 
+0100
@@ -1 +1,2 @@
 payload-check-icmp-dependency-before-removing-previo.patch
+rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch




Bug#1017723: bullseye-pu: package nftables/0.9.8-3.2

2022-10-31 Thread Jeremy Sowden
On 2022-09-04, at 15:09:10 +0100, Jeremy Sowden wrote:
> On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote:
> > On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote:
> > > The related nftables bug is:
> > > 
> > >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
> > > 
> > > [ Reason ]
> > > nftables uses a fixed-size array containing the locations of the
> > > expressions within each rule that it sends to the kernel to provide
> > > more informative error-reporting.  If the rule is rejected by the
> > > kernel, the kernel will provide an ID for the expression which was
> > > responsible, and nftables will use this to highlight it when
> > > outputting the rule in the error message:
> > > 
> > >  # nft add rule t c iif lo reject with icmp 255
> > >  Error: Could not process rule: Invalid argument
> > >  add rule t c iif lo reject with icmp 255
> > >  ^^
> > > 
> > > There is an off-by-one error in the bounds-checking used before
> > > adding the details of an expression to this array.  The result of
> > > this is that if a rule contains enough expressions, nftables will
> > > write past the end of the array leading to memory-corruption and
> > > possibly crashes.
> > 
> > The debdiff is somewhat confusing.
> > 
> > +nftables (0.9.8-3.2) unstable; urgency=medium
> > 
> > This is an upload to bullseye, not unstable. Additionally, the version
> > should be 0.9.8-3.1+deb11u1.
> > 
> > + -- Sven Auhagen   Sat, 16 Jul 2022 11:29:27 
> > +0200
> > 
> > Who is this? It's obviously not you, but also doesn't appear to be
> > related to the nftables bug report you mentioned.
> 
> Whoops.  Silly mistakes.  Still learning the ropes.  I've amended the
> change-log entry.
> 
> I've also added myself to `Uploaders` (I am already listed as one in
> testing and unstable).
> 
> New debdiff attached.

Is there anything more I can do to get a decision on this bug?  Or do
I just need to be more patient? :)

J.

> diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
> --- nftables-0.9.8/debian/changelog   2021-07-20 09:01:47.0 +0100
> +++ nftables-0.9.8/debian/changelog   2022-09-04 09:34:11.0 +0100
> @@ -1,3 +1,14 @@
> +nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
> +
> +  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
> +It fixes a one off for the check for NFT_NLATTR_LOC_MAX
> +which leads to double free or corruption (out) error.
> +Thanks to Sven Auhagen  for
> +suggesting the fix (closes: #1017359).
> +  * d/control: add myself to uploaders.
> +
> + -- Jeremy Sowden   Sun, 04 Sep 2022 09:34:11 +0100
> +
>  nftables (0.9.8-3.1) unstable; urgency=medium
>  
>* Non-maintainer upload.
> diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control
> --- nftables-0.9.8/debian/control 2021-07-20 09:01:47.0 +0100
> +++ nftables-0.9.8/debian/control 2022-09-04 09:34:11.0 +0100
> @@ -2,7 +2,8 @@
>  Section: net
>  Priority: important
>  Maintainer: Debian Netfilter Packaging Team 
> 
> -Uploaders: Arturo Borrero Gonzalez 
> +Uploaders: Arturo Borrero Gonzalez ,
> +   Jeremy Sowden 
>  Build-Depends: asciidoc-base,
> automake,
> bison,
> diff -Nru 
> nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
>  
> nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
> --- 
> nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
>   1970-01-01 01:00:00.0 +0100
> +++ 
> nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
>   2022-09-04 09:26:53.0 +0100
> @@ -0,0 +1,32 @@
> +From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
> +From: Phil Sutter 
> +Date: Fri, 11 Jun 2021 17:08:34 +0200
> +Subject: rule: Fix for potential off-by-one in cmd_add_loc()
> +
> +Using num_attrs as index means it must be at max one less than the
> +array's size at function start.
> +
> +Fixes: 27362a5bfa433 ("rule: larger number of error locations")
> +Signed-off-by: Phil Sutter 
> +---
> + src/rule.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +(limited to 'src/rule.c')
> +
> +diff --git a/src/rule.c b/src/rule.c
> +index dbbe744e..92daf2f3 100644
> +--- a/src/rule.c
>  b/src/rule.c
> +@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops

Bug#1053816: bullseye-pu: package nftables/0.9.8-3.1+deb11u2

2023-10-11 Thread Jeremy Sowden
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: nftab...@packages.debian.org,
Control: affects -1 + src:nftables

A version of this pu has already been accepted for Bookworm.  I have cribbed
liberally from the bookworm-pu bug report.

nftables bug: https://bugs.debian.org/1051592
bookworm-pu bug: https://bugs.debian.org/1052021

[ Reason ]
Timo Sigurdsson reported after the release of DSA 5492-1 for linux that
in his case nftables rules were not loaded anymore.

This was tracked down to a Linux change, 0ebc1064e487 ("netfilter:
nf_tables: disallow rule addition to bound chain via
NFTA_RULE_CHAIN_ID"), which is to address CVE-2023-4147, but uncovered
an issue with nftables releases before v1.0.7 upstream. nftables
generates incorrect bytecode, which is affected by this new kernel check
that rejects adding rules to bound chains.

Following https://lore.kernel.org/stable/ZP+bUpxJiFcmTWhy@calendula/ and
further discussion on the Linux kernel mailing-lists it seemed that this
had to be addressed in nftables itself.

[ Impact ]
Users who have such rules and are running unpatched nftables, but have
updated the linux kernel to address security fixes (and later to be
included in the point release as well), are left without loaded
nftables rules.

[ Tests ]
Explicit tests with the rules provided by Timo to verify they
correctly get loaded with updated nftables userland and the updated
kernel.

[ Risks ]
Pablo Neira Ayuso provided the series of commits required to address
the issue. They apply cleanly for the bullseye version.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * New patches to fix the problem described above.
  * I updated an existing patch to remove some fuzz (happy to drop this
if you prefer).

[ Other info ]
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
--- nftables-0.9.8/debian/changelog 2022-09-04 09:34:11.0 +0100
+++ nftables-0.9.8/debian/changelog 2023-10-10 21:28:38.0 +0100
@@ -1,3 +1,18 @@
+nftables (0.9.8-3.1+deb11u2) bullseye; urgency=medium
+
+  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch: fix fuzz
+  * Fix incorrect bytecode generation hit with new kernel check that
+rejects adding rules to bound chains
+
+- cache: rename chain_htable to cache_chain_ht
+- src: split chain list in table
+- evaluate: init cmd pointer for new on-stack context
+- rule: add helper function to expand chain rules into commands
+- rule: expand standalone chain that contains rules
+- src: expand table command before evaluation
+
+ -- Jeremy Sowden   Tue, 10 Oct 2023 21:28:38 +0100
+
 nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
 
   * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
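Review bot: the new changelog entry does not reference the bug it fixes. The request names the nftables bug as https://bugs.debian.org/1051592, so the `+  * Fix incorrect bytecode generation hit with new kernel check that` bullet should end with `(closes: #1051592)` so the BTS closes it when the upload is accepted. The six cherry-picked commits are listed by subject only; since each patch header records its upstream id (e.g. `+upstream 3542e49cf539ecfcef6ef7c2d4befb7896ade2cd commit.`), adding those ids, or at least stating that these are upstream cherry-picks, would make the entry easier to audit.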
diff -Nru 
nftables-0.9.8/debian/patches/cache-rename-chain_htable-to-cache_chain_ht.patch 
nftables-0.9.8/debian/patches/cache-rename-chain_htable-to-cache_chain_ht.patch
--- 
nftables-0.9.8/debian/patches/cache-rename-chain_htable-to-cache_chain_ht.patch 
1970-01-01 01:00:00.0 +0100
+++ 
nftables-0.9.8/debian/patches/cache-rename-chain_htable-to-cache_chain_ht.patch 
2023-10-10 21:28:38.0 +0100
@@ -0,0 +1,98 @@
+From 0a39091a75b6255422832126df4cbf73c86845cd Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso 
+Date: Thu, 1 Apr 2021 22:18:29 +0200
+Subject: [PATCH nft 0.9.8] cache: rename chain_htable to cache_chain_ht
+
+upstream 3542e49cf539ecfcef6ef7c2d4befb7896ade2cd commit.
+
+Rename the hashtable chain that is used for fast cache lookups.
+
+Signed-off-by: Pablo Neira Ayuso 
+---
+ include/rule.h | 4 ++--
+ src/cache.c| 6 +++---
+ src/rule.c | 6 +++---
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 330a09aa77fa..43872db8947a 100644
+--- a/include/rule.h
 b/include/rule.h
+@@ -154,7 +154,7 @@ struct table {
+   struct handle   handle;
+   struct location location;
+   struct scopescope;
+-  struct list_head*chain_htable;
++  struct list_head*cache_chain_ht;
+   struct list_headchains;
+   struct list_headsets;
+   struct list_headobjs;
+@@ -220,7 +220,7 @@ struct hook_spec {
+  */
+ struct chain {
+   struct list_headlist;
+-  struct list_headhlist;
++  struct list_headcache_hlist;
+   struct handle   handle;
+   struct location location;
+   unsigned intrefcnt;
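Review bot: the two field renames in these hunks (`chain_htable` to `cache_chain_ht` in `struct table`, `hlist` to `cache_hlist` in `struct chain`) are purely mechanical, but this is a backport onto 0.9.8 rather than the tree the commit was written against, so the thing to verify is that every user of the old names in src/cache.c and src/rule.c is covered by the remaining hunks; the diffstat (`3 files changed, 8 insertions(+), 8 deletions(-)`) is the number to reconcile against the backported file, as a missed use would only surface as a build failure.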
+diff --git a/src/cache.c b/src/cache.c
+index ed2609008e22..7101b74160be 100644
+--- a/src/cache.c
 b/src/cache.c
+@@ -194,7 +194,7 @@ static int chain_cache_cb(struct nftnl_chain *nlc, void 
*arg)
+   if (ch