iptables: segfault when renaming a chain
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iptables (Ubuntu) | Fix Released | Undecided | Louis Bouchard |
Bionic | Fix Released | Undecided | Andreas Hasenack |
Focal | Fix Released | Undecided | Andreas Hasenack |
Jammy | Fix Released | Undecided | Andreas Hasenack |
Kinetic | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[ Impact ]
* An explanation of the effects of the bug on users
This is the description for the upstream fix of this bug[1] :
This is an odd bug: If the number of chains is right and one renames the
last one in the list, libiptc dereferences a NULL pointer.
* justification for backporting the fix to the stable release.
Without this patch, users may experience segmentation fault when using
the following versions of iptables :
- Bionic : iptables
- Focal : iptables
- Jammy : iptables-legacy
- Kinetic: iptables-legacy
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
The upstream fix adjusts the size of the chain_index if the element is the
last chain in the list.
[1] http://
[ Test Plan ]
* detailed instructions how to reproduce the bug
The following code (adapted from the upstream commit to work on Kinetic) may be used to reproduce the issue :
-------
#!/bin/bash
#
# Cover for a bug in libiptc:
# - the chain 'node-98-tmp' is the last in the list sorted by name
# - there are 81 chains in total, so three chain index buckets
# - the last index bucket contains only the 'node-98-tmp' chain
# => rename temporarily removes it from the bucket, leaving a NULL bucket
#    behind which is dereferenced later when inserting the chain again with the
#    new name
(
	echo "*filter"
	for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do
		echo ":$chain - [0:0]"
	done
	echo "COMMIT"
) | $XT_MULTI iptables-
$XT_MULTI iptables-legacy -E node-98-tmp node-98
exit $?
-------
Alternatively, this test has been added to the DEP8 list of tests, and will be executed automatically once the package is accepted into proposed. The DEP8 logs can be inspected for its run. Look for a test named "0006rename-
[ Where problems could occur ]
For Jammy and onward, only users of the -legacy commands may be affected.
Since Jammy, iptables uses the new nft libraries which are not affected
by the bug.
For Bionic and Focal users, the regular iptables command is affected by
the change.
As stated in the manpage :
-E, --rename-chain old-chain new-chain
In case of a problem, only the modification of the name would be affected
as this is clearly outlined as a cosmetic only change.
[ Other Info ]
The patch is also applied to lunar and mantic, but is fixed in upstream's 1.8.9 release which so far is only in debian testing/unstable.
This is being uploaded together with test fixes from bug #1992454 (bionic-specific) and bug #2019023 (focal-specific), which were found and fixed while trying out the DEP8 runs for this package.
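The index state that the reproducer's comments describe, as an added C model (not libiptc source and not part of the original report). The type and function names are hypothetical, the chain names are generated placeholders, and the bucket length of 40 is inferred from the comments (81 chains giving two full buckets plus one chain). `find_bucket` returns -1 at the point where unguarded code would dereference the NULL bucket.

```c
#include <stdio.h>
#include <string.h>

#define BUCKET_LEN 40  /* assumed from the script: 81 chains = 2 full buckets + 1 */
#define MAX_CHAINS 200

struct chain { char name[16]; struct chain *next; };
struct handle {                 /* simplified model, not libiptc's own types */
    struct chain pool[MAX_CHAINS];
    struct chain *index[MAX_CHAINS / BUCKET_LEN + 1];
    unsigned index_size, num_chains;
};

/* Create n name-sorted chains; each bucket points at its first chain. */
void build(struct handle *h, unsigned n)
{
    memset(h, 0, sizeof(*h));
    for (unsigned i = 0; i < n && i < MAX_CHAINS; i++, h->num_chains++) {
        snprintf(h->pool[i].name, sizeof(h->pool[i].name), "node-%03u", i);
        if (i) h->pool[i - 1].next = &h->pool[i];
        if (i % BUCKET_LEN == 0) h->index[h->index_size++] = &h->pool[i];
    }
}

/* Unlink the last chain, as the first half of a rename does. */
void unlink_last(struct handle *h, int shrink_index)
{
    if (!h->num_chains) return;
    struct chain *last = &h->pool[--h->num_chains];
    unsigned b = h->index_size - 1;
    if (h->num_chains) h->pool[h->num_chains - 1].next = NULL;
    if (h->index[b] == last) {              /* only chain in its bucket */
        h->index[b] = last->next;           /* NULL: nothing follows it */
        if (shrink_index) h->index_size--;  /* adjustment described as the fix */
    }
}

/* Bucket search on re-insert; -1 marks where unguarded code reads NULL->name. */
int find_bucket(const struct handle *h, const char *name)
{
    int b = 0;
    for (unsigned i = 0; i < h->index_size; i++) {
        if (!h->index[i]) return -1;
        if (strcmp(name, h->index[i]->name) >= 0) b = (int)i;
    }
    return b;
}
```

With 80 chains the last chain is not a bucket head, so the unlink leaves the index untouched; only a chain count of the form 40k + 1 reaches the NULL bucket in this model.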
Changed in iptables (Ubuntu Bionic):
status: New → In Progress
Changed in iptables (Ubuntu Focal):
status: New → In Progress
Changed in iptables (Ubuntu Jammy):
status: New → In Progress
Changed in iptables (Ubuntu Kinetic):
status: New → In Progress
Changed in iptables (Ubuntu Bionic):
assignee: nobody → Louis Bouchard (louis)
Changed in iptables (Ubuntu Focal):
assignee: nobody → Louis Bouchard (louis)
Changed in iptables (Ubuntu Jammy):
assignee: nobody → Louis Bouchard (louis)
Changed in iptables (Ubuntu Kinetic):
assignee: nobody → Louis Bouchard (louis)
description: updated
tags: added: patch
description: updated
Changed in iptables (Ubuntu Kinetic):
assignee: Louis Bouchard (louis) → Andreas Hasenack (ahasenack)
Changed in iptables (Ubuntu Jammy):
assignee: Louis Bouchard (louis) → Andreas Hasenack (ahasenack)
Changed in iptables (Ubuntu Focal):
assignee: Louis Bouchard (louis) → Andreas Hasenack (ahasenack)
Changed in iptables (Ubuntu Bionic):
assignee: Louis Bouchard (louis) → Andreas Hasenack (ahasenack)
Thank you for contributing this fix!
This looks fine; just one comment. Upstream adds a test. But it looks to me like it won't run because the quilt patch can't handle the executable bit. Looks like there's a workaround in debian/tests/control for another case of the same issue. Please could you ensure that dep8 tests are passing (in "isolation-machine") and running this new test?