Bug#949101: marked as done (iptables-restore: segmentation fault)

Debian Bug Tracking System Fri, 17 Jan 2020 01:27:24 -0800

Your message dated Fri, 17 Jan 2020 10:24:58 +0100
with message-id <[email protected]>
and subject line Re: [pkg-netfilter-team] Bug#949101: iptables-restore: 
segmentation fault
has caused the Debian Bug report #949101,
regarding iptables-restore: segmentation fault
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
949101: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949101
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: iptables
Version: 1.8.2-4
Severity: normal

Dear maintainer,

This is a reproducible way to segfault iptables-restore (the nftables variant):

0. Start with a blank state.

1. Load the initial rules:

    iptables-restore < original_rules.iptables

2. Attempt to test new rules, to be applied incrementally:

    iptables-restore -n -t < new.iptables

The second command results in a segfault.

I don't care in this bug report if the rules are actually valid, the program 
should point out the error instead of segfaulting.

Here is what gdb says:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7da8787 in nftnl_expr_build_payload (nlh=nlh@entry=0x7ffff75b3220, 
expr=expr@entry=0x0) at expr.c:210
210     expr.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7da8787 in nftnl_expr_build_payload 
(nlh=nlh@entry=0x7ffff75b3220, expr=expr@entry=0x0) at expr.c:210
        nest = <optimized out>
#1  0x00007ffff7da3783 in nftnl_rule_nlmsg_build_payload (nlh=0x7ffff75b3220, 
r=0x5555555f89d0) at rule.c:320
        expr = 0x0
        nest = 0x7ffff75b324c
        nest2 = 0x7ffff75b35a4
#2  0x0000555555564c66 in nft_compat_rule_batch_add (h=h@entry=0x7fffffffe4e0, 
type=type@entry=6, flags=flags@entry=3072, 
    seq=<optimized out>, rule=<optimized out>) at nft.c:2579
        nlh = <optimized out>
#3  0x000055555556593e in nft_action (h=0x7fffffffe4e0, action=1) at nft.c:2673
        n = 0x5555555f8c30
        tmp = <optimized out>
        err = <optimized out>
        ne = <optimized out>
        buflen = <optimized out>
        i = <optimized out>
        len = <optimized out>
        show_errors = true
        errmsg = 
"\001\000\000\000\000\000\000\000\242\241i\367\377\177\000\000\340\344\377\377\377\177\000\000\t\000\000\000\000\000\000\000\240\305_UUU\000\000\060\253_UUU\000\000\260\272\377\377\377\177\000\000\373HVUUU\000\000\340\344\377\377\377\177\000\000\240\305_UUU\000\000\000\000\000\000\000\000\000\000\366xVUUU\000\000\340\242_UUU\000\000\000\000\000\000\000\000\000\000T{_UUU\000\000\260\272\377\377\377\177\000\000\064\217_UUU\000\000\000\000\000\000\000\000\000\000\340\242_UUU\000\000\352%VUUU\000\000\060\253_UUU\000\000\064\217_UUU\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000@\217_UUU\000\000"...
        seq = 10
        ret = 0
#4  0x0000555555561555 in xtables_restore_parse (h=h@entry=0x7fffffffe4e0, 
p=p@entry=0x7fffffffe4c0, 
    cb=cb@entry=0x555555589140 <restore_cb>, argc=argc@entry=4, 
argv=argv@entry=0x7fffffffe668) at xtables-restore.c:143
        ret = 0
        buffer = "COMMIT\n\000RD -j COMPLAIN\n\000rs -p tcp -m tcp --tcp-flags 
FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT\n", '\000' <repeats 
5979 times>...
        in_table = <optimized out>
        curtable = 0x555555589c20 <xtables_ipv4>
        ops = <optimized out>
        chain_list = 0x5555555f54b0
#5  0x0000555555561f90 in xtables_restore_main (family=2, progname=<optimized 
out>, argc=4, argv=0x7fffffffe668)
    at xtables-restore.c:474
        tables = <optimized out>
        h = {family = 2, nl = 0x5555555f5490, portid = 2389, seq = 0, obj_list 
= {next = 0x5555555f6df0, prev = 0x5555555fabf0}, 
          obj_list_num = 16, batch = 0x5555555fac20, err_list = {next = 
0x7fffffffe518, prev = 0x7fffffffe518}, 
          ops = 0x555555589ee0 <nft_family_ops_ipv4>, tables = 0x555555589c20 
<xtables_ipv4>, chain_cache = 0x5555555f54b0, 
          rule_cache = 0x5555555f7c30, restore = true, config_done = -1 '\377', 
error = {lineno = 23}}
        c = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        p = {in = 0x5555555f5260, testing = 1, tablename = 0x0, commit = true}
#6  0x00007ffff763909b in __libc_start_main (main=0x55555555cfb0 <main>, 
argc=4, argv=0x7fffffffe668, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) 
at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5955117646945397298, 
93824992268224, 140737488348768, 0, 0, 
                -572386658808703538, -572405319023536690}, mask_was_saved = 
0}}, priv = {pad = {0x0, 0x0, 0x7fffffffe690, 
              0x7ffff7ffe190}, data = {prev = 0x0, cleanup = 0x0, canceltype = 
-6512}}}
        not_first_call = <optimized out>
#7  0x000055555555cfea in _start ()
No symbol table info available.


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information

# Generated by xtables-save v1.8.2 on Thu Jan 16 22:31:46 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 16 22:31:46 2020
# Generated by xtables-save v1.8.2 on Thu Jan 16 22:31:46 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [274683:92319015]
:OUTPUT ACCEPT [200201:62515593]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -i wg-customers -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg-customers -j DROP
-A FORWARD -o wg-customers -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m 
conntrack --ctstate NEW -j ACCEPT
-A f2b-sshd -s 222.186.30.145/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 16 22:31:46 2020

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:COMPLAIN - [0:0]

-F INPUT
-F COMPLAIN

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A COMPLAIN -j LOG --log-prefix "FIREWALL COMPLAIN: "

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Failsafe
-A INPUT -p tcp -m tcp -s 172.31.100.5 --dport 22 -j ACCEPT

-F FORWARD
-A FORWARD -i wg-customers -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o wg-customers -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m 
conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j COMPLAIN

COMMIT

--- End Message ---

--- Begin Message ---

Control: fixed -1 1.8.3-2

On 1/16/20 11:10 PM, Alexander E. Patrakov wrote:
> Package: iptables
> Version: 1.8.2-4

Thanks for the bug report!

I couldn't reproduce this in a more recent version:

=== 8< ===
arturo@endurance:~ $ sudo iptables-nft-restore < original_rules.iptables
arturo@endurance:~ $ sudo iptables-nft-restore -n -t < new.iptables
arturo@endurance:~ $ sudo iptables-nft-save
# Generated by xtables-save v1.8.3 on Fri Jan 17 10:22:32 2020
*nat
:PREROUTING ACCEPT [10:3800]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [4:566]
:OUTPUT ACCEPT [4:566]
COMMIT
# Completed on Fri Jan 17 10:22:32 2020
# Generated by xtables-save v1.8.3 on Fri Jan 17 10:22:32 2020
*filter
:INPUT ACCEPT [62:8657]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [65:5404]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -i wg-customers -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg-customers -j DROP
-A FORWARD -o wg-customers -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m
conntrack --ctstate NEW -j ACCEPT
-A f2b-sshd -s 222.186.30.145/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 17 10:22:32 2020
=== 8< ===

Marking this as fixed in version 1.8.3-2 and closing bug.

regards.

--- End Message ---

Bug#949101: marked as done (iptables-restore: segmentation fault)

Reply via email to