[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#882587: marked as done (stretch-pu: package iproute2/4.9.0-1+deb9u1)

Your message dated Fri, 08 Jun 2018 21:48:51 +0100
with message-id <1528490931.2075.62.camel@adam-barratt.org.uk>
and subject line Re: Bug#882587: stretch-pu: package iproute2/4.9.0-1+deb9u1
has caused the Debian Bug report #882587,
regarding stretch-pu: package iproute2/4.9.0-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882587: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882587
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to get an update to iproute2 into stretch to fix a 'tc' segfault.
libxtables now makes it mandatory to initialize a structure member, and
leads to a segfault when that isn't done. I've used codesearch to find
other packages possibly affected by this but found no obvious issues, see
details/report in [1].

 1. https://bugs.debian.org/868059#20

Unfortunately, the bugfix isn't sufficient, since there's also an embedded
copy of the xtables.h header, and a structure got updated with a new
member (right in the middle) during the latest ABI bump; as a result, the
outdated header leads tc to compute the wrong addresses inside the struct.
The proposed patch fixes this issue as well.

Changelog entry:
| iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
| 
|   * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
|     the xtables_globals structure needs to have its new member compat_rev
|     initialized. (Closes: #868059)
|   * Sync include/xtables.h from iptables to make sure the right offset is
|     used when accessing structure members defined in libxtables. One could
|     get “Extension does not know id …” otherwise. (See also: #868059)
| 
|  -- Cyril Brulebois <cyril@debamax.com>  Fri, 24 Nov 2017 09:22:10 +0000

The fix is in unstable, has been tested in stretch for a customer on both
amd64 and i386, and can be found attached.


Thanks for considering.
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/

diff -Nru iproute2-4.9.0/debian/changelog iproute2-4.9.0/debian/changelog
--- iproute2-4.9.0/debian/changelog	2016-12-13 15:57:50.000000000 +0000
+++ iproute2-4.9.0/debian/changelog	2017-11-24 09:22:10.000000000 +0000
@@ -1,3 +1,14 @@
+iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
+
+  * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
+    the xtables_globals structure needs to have its new member compat_rev
+    initialized. (Closes: #868059)
+  * Sync include/xtables.h from iptables to make sure the right offset is
+    used when accessing structure members defined in libxtables. One could
+    get “Extension does not know id …” otherwise. (See also: #868059)
+
+ -- Cyril Brulebois <cyril@debamax.com>  Fri, 24 Nov 2017 09:22:10 +0000
+
 iproute2 (4.9.0-1) unstable; urgency=medium
 
   * New upstream release, tested by Julian Wollrath.
diff -Nru iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch
--- iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0003-fix-segfault-with-iptables-1.6.patch	2017-11-24 09:20:48.000000000 +0000
@@ -0,0 +1,36 @@
+From 97a02cabefb2e2dcfe27f89943709afa84be5525 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Jan 2017 15:22:49 +0100
+Subject: [PATCH] tc: m_xt: Fix segfault with iptables-1.6.0
+
+Said iptables version introduced struct xtables_globals field
+'compat_rev', a function pointer. Initializing it is mandatory as
+libxtables calls it without existence check.
+
+Without this, tc segfaults when using the xt action like so:
+
+| tc filter add dev d0 parent ffff: u32 match u32 0 0 \
+|	action xt -j MARK --set-mark 20
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ tc/m_xt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tc/m_xt.c b/tc/m_xt.c
+index dbb54981..57ed40d7 100644
+--- a/tc/m_xt.c
++++ b/tc/m_xt.c
+@@ -77,6 +77,9 @@ static struct xtables_globals tcipt_globals = {
+ 	.orig_opts = original_opts,
+ 	.opts = original_opts,
+ 	.exit_err = NULL,
++#if (XTABLES_VERSION_CODE >= 11)
++	.compat_rev = xtables_compatible_revision,
++#endif
+ };
+ 
+ /*
+-- 
+2.11.0
+
diff -Nru iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch
--- iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.9.0/debian/patches/0004-sync-iptables-header.patch	2017-11-24 09:21:11.000000000 +0000
@@ -0,0 +1,102 @@
+Description: Sync header from iptables
+ The current versions in several suites have the same content:
+  - 1.6.0+snapshot20161117-6 (stretch)
+  - 1.6.1-2 (unstable)
+Bug: https://bugs.debian.og/868059
+Forwarded: not-needed
+Author: Cyril Brulebois <cyril@debamax.com>
+Last-Update: 2017-11-22
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -205,9 +205,24 @@ enum xtables_ext_flags {
+ 	XTABLES_EXT_ALIAS = 1 << 0,
+ };
+ 
++struct xt_xlate;
++
++struct xt_xlate_mt_params {
++	const void			*ip;
++	const struct xt_entry_match	*match;
++	int				numeric;
++	bool				escape_quotes;
++};
++
++struct xt_xlate_tg_params {
++	const void			*ip;
++	const struct xt_entry_target	*target;
++	int				numeric;
++	bool				escape_quotes;
++};
++
+ /* Include file for additions: new matches and targets. */
+-struct xtables_match
+-{
++struct xtables_match {
+ 	/*
+ 	 * ABI/API version this module requires. Must be first member,
+ 	 * as the rest of this struct may be subject to ABI changes.
+@@ -269,6 +284,10 @@ struct xtables_match
+ 	void (*x6_fcheck)(struct xt_fcheck_call *);
+ 	const struct xt_option_entry *x6_options;
+ 
++	/* Translate iptables to nft */
++	int (*xlate)(struct xt_xlate *xl,
++		     const struct xt_xlate_mt_params *params);
++
+ 	/* Size of per-extension instance extra "global" scratch space */
+ 	size_t udata_size;
+ 
+@@ -280,8 +299,7 @@ struct xtables_match
+ 	unsigned int loaded; /* simulate loading so options are merged properly */
+ };
+ 
+-struct xtables_target
+-{
++struct xtables_target {
+ 	/*
+ 	 * ABI/API version this module requires. Must be first member,
+ 	 * as the rest of this struct may be subject to ABI changes.
+@@ -346,6 +364,10 @@ struct xtables_target
+ 	void (*x6_fcheck)(struct xt_fcheck_call *);
+ 	const struct xt_option_entry *x6_options;
+ 
++	/* Translate iptables to nft */
++	int (*xlate)(struct xt_xlate *xl,
++		     const struct xt_xlate_tg_params *params);
++
+ 	size_t udata_size;
+ 
+ 	/* Ignore these men behind the curtain: */
+@@ -406,6 +428,17 @@ struct xtables_globals
+ 
+ #define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false}
+ 
++/*
++ * enum op-
++ *
++ * For writing clean nftables translations code
++ */
++enum xt_op {
++	XT_OP_EQ,
++	XT_OP_NEQ,
++	XT_OP_MAX,
++};
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -548,6 +581,14 @@ extern void xtables_lmap_free(struct xta
+ extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *);
+ extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
+ 
++/* xlate infrastructure */
++struct xt_xlate *xt_xlate_alloc(int size);
++void xt_xlate_free(struct xt_xlate *xl);
++void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
++void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
++const char *xt_xlate_get_comment(struct xt_xlate *xl);
++const char *xt_xlate_get(struct xt_xlate *xl);
++
+ #ifdef XTABLES_INTERNAL
+ 
+ /* Shipped modules rely on this... */
diff -Nru iproute2-4.9.0/debian/patches/series iproute2-4.9.0/debian/patches/series
--- iproute2-4.9.0/debian/patches/series	2016-03-24 10:13:06.000000000 +0000
+++ iproute2-4.9.0/debian/patches/series	2017-11-24 09:21:11.000000000 +0000
@@ -1,2 +1,4 @@
 0001-Add-moo-feature.patch
 0002-txtdocs.patch
+0003-fix-segfault-with-iptables-1.6.patch
+0004-sync-iptables-header.patch

--- End Message ---
--- Begin Message --- 
On Fri, 2017-11-24 at 16:25 +0000, Jonathan Wiltshire wrote:
> On Fri, Nov 24, 2017 at 10:39:07AM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2017-11-24 at 09:39 +0000, Cyril Brulebois wrote:
> > > I'd like to get an update to iproute2 into stretch to fix a 'tc'
> > > segfault.
> > > libxtables now makes it mandatory to initialize a structure
> > > member,
> > > and
> > > leads to a segfault when that isn't done. I've used codesearch to
> > > find
> > > other packages possibly affected by this but found no obvious
> > > issues,
> > > see
> > > details/report in [1].
> > > 
> > >  1. https://bugs.debian.org/868059#20
> > 
> > Please go ahead.
> 
> Uploaded; flagged for acceptance.
> 

This bug was apparently missed when cleaning up released packages.

Regards,

Adam

--- End Message ---
Reply to: