
Bug#1017723: marked as done (bullseye-pu: package nftables/0.9.8-3.2)



Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id <03e9b90cf2f149b9e2835590c9ec0ccb048b744d.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1017723,
regarding bullseye-pu: package nftables/0.9.8-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1017723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017723
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

The related nftables bug is:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359

[ Reason ]
nftables uses a fixed-size array containing the locations of the
expressions within each rule that it sends to the kernel to provide more
informative error-reporting.  If the rule is rejected by the kernel, the
kernel will provide an ID for the expression which was responsible, and
nftables will use this to highlight it when outputting the rule in the
error message:

 # nft add rule t c iif lo reject with icmp 255
 Error: Could not process rule: Invalid argument
 add rule t c iif lo reject with icmp 255
                     ^^^^^^

There is an off-by-one error in the bounds-checking used before adding
the details of an expression to this array.  The result of this is that
if a rule contains enough expressions, nftables will write past the end
of the array leading to memory-corruption and possibly crashes.

This bug has been present throughout the lifetime of Bullseye.

[ Impact ]
nftables will continue to crash if given sufficiently long rules.

[ Tests ]
I have manually tested that the fixed version does not exhibit the
memory corruption in a Bullseye chroot.

[ Risks ]
The fix is a one-line code-change.  The patch is taken directly from
upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream fix corrects the bounds-check to ensure that if the number
of locations stored in the array equals the size of the array, no new
location is added.  The upstream patch has been added to the package to
apply the same change to the packaged source.
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
--- nftables-0.9.8/debian/changelog	2021-07-20 09:01:47.000000000 +0100
+++ nftables-0.9.8/debian/changelog	2022-07-16 10:29:27.000000000 +0100
@@ -1,3 +1,13 @@
+nftables (0.9.8-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
+    It fixes a one off for the check for NFT_NLATTR_LOC_MAX
+    which leads to double free or corruption (out) error
+    (closes: #1017359).
+
+ -- Sven Auhagen <sven.auhagen@voleatech.de>  Sat, 16 Jul 2022 11:29:27 +0200
+
 nftables (0.9.8-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
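Review bot: the distribution in the new changelog stanza is `unstable` while this request targets bullseye; a stable update's entry should name the stable distribution (`bullseye`), since that field decides where the upload is routed. The description line `+    It fixes a one off for the check for NFT_NLATTR_LOC_MAX` would also read more clearly as "Fix off-by-one in the NFT_NLATTR_LOC_MAX bounds check in cmd_add_loc(), which let sufficiently long rules overrun the error-location array (double free or corruption)".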
diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
--- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	1970-01-01 01:00:00.000000000 +0100
+++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	2022-07-16 10:29:27.000000000 +0100
@@ -0,0 +1,32 @@
+From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 17:08:34 +0200
+Subject: rule: Fix for potential off-by-one in cmd_add_loc()
+
+Using num_attrs as index means it must be at max one less than the
+array's size at function start.
+
+Fixes: 27362a5bfa433 ("rule: larger number of error locations")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ src/rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'src/rule.c')
+
+diff --git a/src/rule.c b/src/rule.c
+index dbbe744e..92daf2f3 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+ 
+ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
+ {
+-	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
++	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
+ 		return;
+ 
+ 	cmd->attr[cmd->num_attrs].offset = offset;
+-- 
+cgit v1.2.3
+
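Review bot: the patch carries no DEP-3 headers beyond the upstream `From:`/`Subject:` lines; adding `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359` and `Origin: upstream, commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd` would record provenance explicitly, and the cgit export residue (`(limited to 'src/rule.c')` and the trailing `cgit v1.2.3`) can be dropped. The one-character change itself is correct: `num_attrs` is used directly as the index in `cmd->attr[cmd->num_attrs].offset = offset;`, so the old `>` let `num_attrs == NFT_NLATTR_LOC_MAX` (one past the last valid slot) through, and `>=` is the tight bound.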
diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series
--- nftables-0.9.8/debian/patches/series	2021-07-20 09:01:47.000000000 +0100
+++ nftables-0.9.8/debian/patches/series	2022-07-16 10:29:27.000000000 +0100
@@ -1 +1,2 @@
 payload-check-icmp-dependency-before-removing-previo.patch
+rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch

--- End Message ---
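A constructed C walk-through of the bounds check discussed in the request above, added here as an illustration and not taken from nftables: the names mirror src/rule.c, but the struct is simplified and NFT_NLATTR_LOC_MAX is shrunk to 4 so the off-by-one is easy to follow.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for nftables' per-command error-location array.
 * Names mirror src/rule.c, but the struct is simplified and the real
 * NFT_NLATTR_LOC_MAX is shrunk to 4 to keep the walk-through short. */
#define NFT_NLATTR_LOC_MAX 4

struct location { unsigned int line, column; };

struct cmd {
	unsigned int num_attrs;            /* next free index into attr[] */
	struct {
		uint16_t offset;
		const struct location *loc;
	} attr[NFT_NLATTR_LOC_MAX];        /* valid indices: 0 .. MAX-1 */
};

/* The guard as written before (>) and after (>=) the upstream fix.
 * Returns true when cmd_add_loc() would go on to write attr[num_attrs]. */
bool guard_allows_write(bool fixed, unsigned int num_attrs)
{
	if (fixed)
		return !(num_attrs >= NFT_NLATTR_LOC_MAX);
	return !(num_attrs > NFT_NLATTR_LOC_MAX);  /* lets index MAX through */
}

/* cmd_add_loc() as patched: once attr[] is full, further locations are
 * silently dropped instead of overrunning the array. */
void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
		return;
	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
}

/* Add n expression locations and return how many the patched code kept;
 * with the old guard the 5th add would have written attr[4]. */
unsigned int store_locations(unsigned int n)
{
	struct cmd cmd = { 0 };
	struct location loc = { 1, 1 };
	for (unsigned int i = 0; i < n; i++)
		cmd_add_loc(&cmd, (uint16_t)i, &loc);
	return cmd.num_attrs;
}
```

Calling `guard_allows_write(false, NFT_NLATTR_LOC_MAX)` returns true, which is exactly the one-past-the-end write the request describes; the fixed guard returns false for that value and `store_locations()` caps at NFT_NLATTR_LOC_MAX however long the rule is.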
--- Begin Message ---
Package: release.debian.org
Version: 11.6

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.6 point release.

Regards,

Adam

--- End Message ---