[SRU] free(): double free detected in tcache 2

I can reproduce the segfault in Jammy using the testcase that the upstream as added. Also tested on other releases to confirm they are not affected.

debdiff for Jammy attached.

According to the versions listed for the package, Lunar would have the same bug. I don't run Lunar so have no personal investment, just FYI.

Yes, but Standard Support for Lunar is going to end in 9 days and I don't think there is enough time to fix it in Lunar now as it has to go via sponsors queue and then to SRU queue and then it need to be in lunar-proposed for atleast 7 days before it can reach lunar-updates.

Hi and thanks for working at this SRU. I have some comments on the debdiff:

- Please specify the patch Author in the DEP-3 headers. See [1] for more info on the header format.

- The patch description should not be "apply upstream patch", because the patch is just the patch, it contains no information on where/how it's applied. It is fine (actually: good) to use the original commit message as the patch description. A multi-line description is OK, again see [1].

- I see you dropped a tests which was present in the original patch. If the test works fine on Jammy, let's keep it. If the test doesn't work on Jammy, please explain why in the patch Description header.

- Please call the patch file something like 0002-nft-cache-avoid-double-free-of-unrecognized-base-chains.patch to follow the naming style used by other patches.

If the added upstream test (0004extra-base_0) allows the easy verification that this fix works, it would be nice to have that in the SRU test plan.

[1] https://dep-team.pages.debian.net/deps/dep3/

Modified debdiff attached which is now cherry-picked from upstream and dep3 headers added.

Also added a simple test plan based on the upstream testcase.

I sponsored the upload of iptables 1.8.7-1ubuntu5.2, now waiting for approval in the Jammy queue.

Hello Jo, or anyone else affected,

Accepted iptables into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables/1.8.7-1ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted iptables (1.8.7-1ubuntu5.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-1ubuntu1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#iptables

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I have triggered autopkgtest for ganeti/3.0.2-1ubuntu1 on armhf and amd64 with trigger as "migration-reference/0" and that also fails. So, the failure reported by ubuntu-sru-bot should not be considered as a regression.

https://autopkgtest.ubuntu.com/packages/ganeti/jammy/amd64
https://autopkgtest.ubuntu.com/packages/ganeti/jammy/armhf

Logs are at: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/g/ganeti/20240124_103826_df4ea@/log.gz and https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/armhf/g/ganeti/20240124_111352_9fe6d@/log.gz

I can confirm iptables from jammy-proposed have fixed the bug for me.

Tests done as mentioned in testplan:
1. create nft rule:
sudo nft -f - <<EOF
table ip filter {
        chain INPUT {
                type filter hook input priority filter
                counter packets 218 bytes 91375 accept
        }

        chain x {
                type filter hook input priority filter
        }
}
EOF

2. and then "sudo iptables -L" resulted in an abort.
3. Add jammy-proposed to apt sources.
4. Upgrade iptables from jammy-proposed.
5. Again do "sudo iptables -L" and this time it gives the output:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Test result:
The bug is now fixed and iptables can display iptables rules even if there is a nftables ruleset defined.

Package tested:
$ dpkg -l | grep iptables
ii iptables 1.8.7-1ubuntu5.2 amd64 administration tools for packet filtering and NAT

Thank you for preparing the SRU and for testing!

The Test Plan agreed in the bug description included two cases but it looks like you only did the first one? Given that a different SRU team member did the review and agreed the fully stated plan, I don't feel that I'm in a position to then release based on only half of it. Please could you complete the other part?

I have now tested the second more complicated test as mentioned in the test plan and can confirm that the test has passed. The previous error is not seen any more.

For reference, I am attaching my terminal log.
Package tested:

$ apt-cache policy iptables
iptables:
  Installed: 1.8.7-1ubuntu5.2
  Candidate: 1.8.7-1ubuntu5.2
  Version table:
 *** 1.8.7-1ubuntu5.2 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.8.7-1ubuntu5.1 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     1.8.7-1ubuntu5 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

This bug was fixed in the package iptables - 1.8.7-1ubuntu5.2

---------------
iptables (1.8.7-1ubuntu5.2) jammy; urgency=medium

  * Apply upstream patch to fix a double free of
    unrecognized base-chains. (LP: #2049318)

 -- Sudip Mukherjee <email address hidden> Tue, 16 Jan 2024 21:14:30 +0000

The verification of the Stable Release Update for iptables has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.