From cfe40e5371c78530fa3c6362fafe670b92dfb32d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 7 Dec 2021 14:17:46 -0500 Subject: [PATCH] import nftables-0.9.8-9.el9 --- ...ault-when-restoring-a-huge-interval-.patch | 61 +++++++++++++++++ ...d1cf2685-segtree-Fix-segfault-when-r.patch | 66 +++++++++++++++++++ ...-Extend-monitor-description-by-trace.patch | 63 ++++++++++++++++++ SPECS/nftables.spec | 12 +++- 4 files changed, 201 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch create mode 100644 SOURCES/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch create mode 100644 SOURCES/0018-doc-nft.8-Extend-monitor-description-by-trace.patch diff --git a/SOURCES/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch b/SOURCES/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch new file mode 100644 index 0000000..5051a9e --- /dev/null +++ b/SOURCES/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch @@ -0,0 +1,61 @@ +From 24d7383ca9e7f056153cc305ee16fa9fd8580909 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 9 Jun 2021 15:49:52 +0200 +Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set + +Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as +set_to_segtree() exhausts the stack. Prevent this by allocating the +pointer array on heap and make sure it is freed before returning to +caller. + +With this patch in place, restoring said set succeeds with allocation of +about 3GB of memory, according to valgrind. + +Signed-off-by: Phil Sutter +(cherry picked from commit baecd1cf26851a4c5b7d469206a488f14fe5b147) +--- + src/segtree.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index 9aa39e52d8a09..163a7bb755f9c 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -429,10 +429,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + struct expr *init, struct seg_tree *tree, + bool add, bool merge) + { +- struct elementary_interval *intervals[init->size]; ++ struct elementary_interval **intervals; + struct expr *i, *next; + unsigned int n; +- int err; ++ int err = 0; + + /* We are updating an existing set with new elements, check if the new + * interval overlaps with any of the existing ones. +@@ -443,6 +443,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + return err; + } + ++ intervals = xmalloc_array(init->size, sizeof(intervals[0])); + n = expr_to_intervals(init, tree->keylen, intervals); + + list_for_each_entry_safe(i, next, &init->expressions, list) { +@@ -461,10 +462,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + for (n = 0; n < init->size; n++) { + err = ei_insert(msgs, tree, intervals[n], merge); + if (err < 0) +- return err; ++ break; + } + +- return 0; ++ xfree(intervals); ++ return err; + } + + static bool segtree_needs_first_segment(const struct set *set, +-- +2.33.0 + diff --git a/SOURCES/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch b/SOURCES/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch new file mode 100644 index 0000000..a0d7945 --- /dev/null +++ b/SOURCES/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch @@ -0,0 +1,66 @@ +From 2c4a6a4f1d51358a196a7039c41b7d50df656985 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= +Date: Wed, 20 Oct 2021 14:42:20 +0200 +Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when + restoring a huge interval set") +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Test inspired by [1] with both the set and stack size reduced by the +same power of 2, to preserve the (pre-baecd1cf2685) segfault on one +hand, and make the test successfully complete (post-baecd1cf2685) in a +few seconds even on weaker hardware on the other. + +(The reason I stopped at 128kB stack size is that with 64kB I was +getting segfaults even with baecd1cf2685 applied.) + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127 + +Signed-off-by: Štěpán Němec +Helped-by: Phil Sutter +Signed-off-by: Phil Sutter +(cherry picked from commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043) +--- + .../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0 + +diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +new file mode 100755 +index 0000000000000..134282de28268 +--- /dev/null ++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +@@ -0,0 +1,29 @@ ++#!/bin/bash ++ ++set -e ++ ++ruleset_file=$(mktemp) ++ ++trap 'rm -f "$ruleset_file"' EXIT ++ ++{ ++ echo 'define big_set = {' ++ for ((i = 1; i < 255; i++)); do ++ for ((j = 1; j < 80; j++)); do ++ echo "10.0.$i.$j," ++ done ++ done ++ echo '10.1.0.0/24 }' ++} >"$ruleset_file" ++ ++cat >>"$ruleset_file" <<\EOF ++table inet test68_table { ++ set test68_set { ++ type ipv4_addr ++ flags interval ++ elements = { $big_set } ++ } ++} ++EOF ++ ++( ulimit -s 128 && "$NFT" -f "$ruleset_file" ) +-- +2.33.0 + diff --git a/SOURCES/0018-doc-nft.8-Extend-monitor-description-by-trace.patch b/SOURCES/0018-doc-nft.8-Extend-monitor-description-by-trace.patch new file mode 100644 index 0000000..b58ed8a --- /dev/null +++ b/SOURCES/0018-doc-nft.8-Extend-monitor-description-by-trace.patch @@ -0,0 +1,63 @@ +From 7f5707d93a62cf7474d94e038188a0a8ae2924e7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 19 May 2021 13:12:48 +0200 +Subject: [PATCH] doc: nft.8: Extend monitor description by trace + +Briefly describe 'nft monitor trace' command functionality. + +Signed-off-by: Phil Sutter +(cherry picked from commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0) +--- + doc/nft.txt | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/doc/nft.txt b/doc/nft.txt +index 2642d8903787f..7b3c70d82a127 100644 +--- a/doc/nft.txt ++++ b/doc/nft.txt +@@ -805,13 +805,26 @@ These are some additional commands included in nft. + MONITOR + ~~~~~~~~ + The monitor command allows you to listen to Netlink events produced by the +-nf_tables subsystem, related to creation and deletion of objects. When they ++nf_tables subsystem. These are either related to creation and deletion of ++objects or to packets for which *meta nftrace* was enabled. When they + occur, nft will print to stdout the monitored events in either JSON or + native nft format. + + +-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. + ++[verse] ++____ ++*monitor* [*new* | *destroy*] 'MONITOR_OBJECT' ++*monitor* *trace* ++ ++'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset* ++____ + +-To filter events related to a concrete action, use keyword 'new' or 'destroy'. ++To filter events related to a concrete object, use one of the keywords in ++'MONITOR_OBJECT'. ++ ++To filter events related to a concrete action, use keyword *new* or *destroy*. ++ ++The second form of invocation takes no further options and exclusively prints ++events generated for packets with *nftrace* enabled. + + Hit ^C to finish the monitor operation. + +@@ -835,6 +848,12 @@ Hit ^C to finish the monitor operation. + % nft monitor ruleset + --------------------- + ++.Trace incoming packets from host 10.0.0.1 ++------------------------------------------ ++% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1 ++% nft monitor trace ++------------------------------------------ ++ + ERROR REPORTING + --------------- + When an error is detected, nft shows the line(s) containing the error, the +-- +2.33.0 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 2726245..be66a87 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 0.9.8 -Release: 7%{?dist} +Release: 9%{?dist} # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. Epoch: 1 Summary: Netfilter Tables userspace utillites @@ -29,6 +29,9 @@ Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch +Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch +Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch +Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch #BuildRequires: autogen #BuildRequires: autoconf @@ -138,6 +141,13 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \ %{python3_sitelib}/nftables/ %changelog +* Thu Nov 11 2021 Phil Sutter - 1:0.9.8-9 +- doc: nft.8: Extend monitor description by trace + +* Fri Nov 05 2021 Phil Sutter - 1:0.9.8-8 +- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") +- segtree: Fix segfault when restoring a huge interval set + * Mon Aug 09 2021 Mohan Boddu - 1:0.9.8-7 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688