
Bug#882587: stretch-pu: package iproute2/4.9.0-1+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to get an update to iproute2 into stretch to fix a 'tc' segfault.
libxtables now requires a structure member to be initialized, and tc
segfaults when it isn't. I've used codesearch to look for other packages
possibly affected by this but found no obvious issues; see the
details/report in [1].

 1. https://bugs.debian.org/868059#20

Unfortunately, the bugfix isn't sufficient, since there's also an embedded
copy of the xtables.h header, and a structure got updated with a new
member (right in the middle) during the latest ABI bump; as a result, the
outdated header leads tc to compute the wrong addresses inside the struct.
The proposed patch fixes this issue as well.

Changelog entry:
| iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
| 
|   * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
|     the xtables_globals structure needs to have its new member compat_rev
|     initialized. (Closes: #868059)
|   * Sync include/xtables.h from iptables to make sure the right offset is
|     used when accessing structure members defined in libxtables. One could
|     get “Extension does not know id …” otherwise. (See also: #868059)
| 
|  -- Cyril Brulebois <cyril@debamax.com>  Fri, 24 Nov 2017 09:22:10 +0000

The fix is in unstable, has been tested in stretch for a customer on both
amd64 and i386, and can be found attached.


Thanks for considering.
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru iproute2-4.9.0/debian/changelog iproute2-4.9.0/debian/changelog
--- iproute2-4.9.0/debian/changelog	2016-12-13 15:57:50.000000000 +0000
+++ iproute2-4.9.0/debian/changelog	2017-11-24 09:22:10.000000000 +0000
@@ -1,3 +1,14 @@
+iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
+
+  * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
+    the xtables_globals structure needs to have its new member compat_rev
+    initialized. (Closes: #868059)
+  * Sync include/xtables.h from iptables to make sure the right offset is
+    used when accessing structure members defined in libxtables. One could
+    get “Extension does not know id …” otherwise. (See also: #868059)
+
+ -- Cyril Brulebois <cyril@debamax.com>  Fri, 24 Nov 2017 09:22:10 +0000
+
 iproute2 (4.9.0-1) unstable; urgency=medium
 
   * New upstream release, tested by Julian Wollrath.
diff -Nru iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch
--- iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch	2017-11-24 09:20:48.000000000 +0000
@@ -0,0 +1,36 @@
+From 97a02cabefb2e2dcfe27f89943709afa84be5525 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Jan 2017 15:22:49 +0100
+Subject: [PATCH] tc: m_xt: Fix segfault with iptables-1.6.0
+
+Said iptables version introduced struct xtables_globals field
+'compat_rev', a function pointer. Initializing it is mandatory as
+libxtables calls it without existence check.
+
+Without this, tc segfaults when using the xt action like so:
+
+| tc filter add dev d0 parent ffff: u32 match u32 0 0 \
+|	action xt -j MARK --set-mark 20
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ tc/m_xt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tc/m_xt.c b/tc/m_xt.c
+index dbb54981..57ed40d7 100644
+--- a/tc/m_xt.c
++++ b/tc/m_xt.c
+@@ -77,6 +77,9 @@ static struct xtables_globals tcipt_globals = {
+ 	.orig_opts = original_opts,
+ 	.opts = original_opts,
+ 	.exit_err = NULL,
++#if (XTABLES_VERSION_CODE >= 11)
++	.compat_rev = xtables_compatible_revision,
++#endif
+ };
+ 
+ /*
+-- 
+2.11.0
+
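Review bot: The `.compat_rev = xtables_compatible_revision` initializer is only compiled in when the embedded include/xtables.h defines `XTABLES_VERSION_CODE` at 11 or above; if the shipped header carries an older value the backport builds cleanly but leaves `compat_rev` NULL and the segfault this patch targets persists. The header sync in 0004 on this page does not touch that macro, so it is worth confirming the synced header's value matches the stretch libxtables (the guard implies 1.6.0 corresponds to 11, but that is inferred, not shown here). A DEP-3 `Bug-Debian: https://bugs.debian.org/868059` line at the top of the patch would tie it to the bug without going through the changelog. The `tcipt_globals` initializer starts outside the quoted hunk.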
diff -Nru iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch
--- iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch	2017-11-24 09:21:11.000000000 +0000
@@ -0,0 +1,102 @@
+Description: Sync header from iptables
+ The current versions in several suites have the same content:
+  - 1.6.0+snapshot20161117-6 (stretch)
+  - 1.6.1-2 (unstable)
+Bug: https://bugs.debian.og/868059
+Forwarded: not-needed
+Author: Cyril Brulebois <cyril@debamax.com>
+Last-Update: 2017-11-22
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -205,9 +205,24 @@ enum xtables_ext_flags {
+ 	XTABLES_EXT_ALIAS = 1 << 0,
+ };
+ 
++struct xt_xlate;
++
++struct xt_xlate_mt_params {
++	const void			*ip;
++	const struct xt_entry_match	*match;
++	int				numeric;
++	bool				escape_quotes;
++};
++
++struct xt_xlate_tg_params {
++	const void			*ip;
++	const struct xt_entry_target	*target;
++	int				numeric;
++	bool				escape_quotes;
++};
++
+ /* Include file for additions: new matches and targets. */
+-struct xtables_match
+-{
++struct xtables_match {
+ 	/*
+ 	 * ABI/API version this module requires. Must be first member,
+ 	 * as the rest of this struct may be subject to ABI changes.
+@@ -269,6 +284,10 @@ struct xtables_match
+ 	void (*x6_fcheck)(struct xt_fcheck_call *);
+ 	const struct xt_option_entry *x6_options;
+ 
++	/* Translate iptables to nft */
++	int (*xlate)(struct xt_xlate *xl,
++		     const struct xt_xlate_mt_params *params);
++
+ 	/* Size of per-extension instance extra "global" scratch space */
+ 	size_t udata_size;
+ 
+@@ -280,8 +299,7 @@ struct xtables_match
+ 	unsigned int loaded; /* simulate loading so options are merged properly */
+ };
+ 
+-struct xtables_target
+-{
++struct xtables_target {
+ 	/*
+ 	 * ABI/API version this module requires. Must be first member,
+ 	 * as the rest of this struct may be subject to ABI changes.
+@@ -346,6 +364,10 @@ struct xtables_target
+ 	void (*x6_fcheck)(struct xt_fcheck_call *);
+ 	const struct xt_option_entry *x6_options;
+ 
++	/* Translate iptables to nft */
++	int (*xlate)(struct xt_xlate *xl,
++		     const struct xt_xlate_tg_params *params);
++
+ 	size_t udata_size;
+ 
+ 	/* Ignore these men behind the curtain: */
+@@ -406,6 +428,17 @@ struct xtables_globals
+ 
+ #define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false}
+ 
++/*
++ * enum op-
++ *
++ * For writing clean nftables translations code
++ */
++enum xt_op {
++	XT_OP_EQ,
++	XT_OP_NEQ,
++	XT_OP_MAX,
++};
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -548,6 +581,14 @@ extern void xtables_lmap_free(struct xta
+ extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *);
+ extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
+ 
++/* xlate infrastructure */
++struct xt_xlate *xt_xlate_alloc(int size);
++void xt_xlate_free(struct xt_xlate *xl);
++void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
++void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
++const char *xt_xlate_get_comment(struct xt_xlate *xl);
++const char *xt_xlate_get(struct xt_xlate *xl);
++
+ #ifdef XTABLES_INTERNAL
+ 
+ /* Shipped modules rely on this... */
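Review bot: The DEP-3 `Bug:` header has a typo in the domain, `https://bugs.debian.og/868059`, which should read `Bug: https://bugs.debian.org/868059` (or `Bug-Debian:`, the conventional field for a Debian bug). The Description would also benefit from stating why the sync matters for tc: the new `xlate` function pointer is inserted in the middle of `struct xtables_match` and `struct xtables_target`, so every member after it (`udata_size` and the private ones) shifts, which is exactly the wrong-offset symptom the changelog describes. The new `bool escape_quotes` members rely on stdbool being included, which the existing `XT_GETOPT_TABLEEND` use of `false` in context suggests is already the case.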
diff -Nru iproute2-4.9.0/debian/patches/series iproute2-4.9.0/debian/patches/series
--- iproute2-4.9.0/debian/patches/series	2016-03-24 10:13:06.000000000 +0000
+++ iproute2-4.9.0/debian/patches/series	2017-11-24 09:21:11.000000000 +0000
@@ -1,2 +1,4 @@
 0001-Add-moo-feature.patch
 0002-txtdocs.patch
+0003-fix-segfault-with-iptables-1.6.patch
+0004-sync-iptables-header.patch
