nftables-0.9.8-8.el9

- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") - segtree: Fix segfault when restoring a huge interval set Resolves: rhbz#2020668
2021-11-05 19:08:32 +01:00 · 2021-11-05 19:08:32 +01:00 · ff72da09da
commit ff72da09da
parent 3c7e9c5df1
3 changed files with 134 additions and 1 deletions
--- a/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
+++ b/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
@ -0,0 +1,61 @@
+From 24d7383ca9e7f056153cc305ee16fa9fd8580909 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 9 Jun 2021 15:49:52 +0200
+Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
+
+Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
+set_to_segtree() exhausts the stack. Prevent this by allocating the
+pointer array on heap and make sure it is freed before returning to
+caller.
+
+With this patch in place, restoring said set succeeds with allocation of
+about 3GB of memory, according to valgrind.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit baecd1cf26851a4c5b7d469206a488f14fe5b147)
+---
+ src/segtree.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 9aa39e52d8a09..163a7bb755f9c 100644
+--- a/src/segtree.c
+++ b/src/segtree.c
+@@ -429,10 +429,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 			  struct expr *init, struct seg_tree *tree,
+ 			  bool add, bool merge)
+ {
+-	struct elementary_interval *intervals[init->size];
+	struct elementary_interval **intervals;
+ 	struct expr *i, *next;
+ 	unsigned int n;
+-	int err;
+	int err = 0;
+ 
+ 	/* We are updating an existing set with new elements, check if the new
+ 	 * interval overlaps with any of the existing ones.
+@@ -443,6 +443,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 			return err;
+ 	}
+ 
+	intervals = xmalloc_array(init->size, sizeof(intervals[0]));
+ 	n = expr_to_intervals(init, tree->keylen, intervals);
+ 
+ 	list_for_each_entry_safe(i, next, &init->expressions, list) {
+@@ -461,10 +462,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 	for (n = 0; n < init->size; n++) {
+ 		err = ei_insert(msgs, tree, intervals[n], merge);
+ 		if (err < 0)
+-			return err;
+			break;
+ 	}
+ 
+-	return 0;
+	xfree(intervals);
+	return err;
+ }
+ 
+ static bool segtree_needs_first_segment(const struct set *set,
+-- 
+2.33.0
+
--- a/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
+++ b/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
@ -0,0 +1,66 @@
+From 2c4a6a4f1d51358a196a7039c41b7d50df656985 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Wed, 20 Oct 2021 14:42:20 +0200
+Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
+ restoring a huge interval set")
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Test inspired by [1] with both the set and stack size reduced by the
+same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
+hand, and make the test successfully complete (post-baecd1cf2685) in a
+few seconds even on weaker hardware on the other.
+
+(The reason I stopped at 128kB stack size is that with 64kB I was
+getting segfaults even with baecd1cf2685 applied.)
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Helped-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043)
+---
+ .../sets/0068interval_stack_overflow_0        | 29 +++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+ create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+new file mode 100755
+index 0000000000000..134282de28268
+--- /dev/null
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+ruleset_file=$(mktemp)
+
+trap 'rm -f "$ruleset_file"' EXIT
+
+{
+	echo 'define big_set = {'
+	for ((i = 1; i < 255; i++)); do
+		for ((j = 1; j < 80; j++)); do
+			echo "10.0.$i.$j,"
+		done
+	done
+	echo '10.1.0.0/24 }'
+} >"$ruleset_file"
+
+cat >>"$ruleset_file" <<\EOF
+table inet test68_table {
+	set test68_set {
+		type ipv4_addr
+		flags interval
+		elements = { $big_set }
+	}
+}
+EOF
+
+( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
+-- 
+2.33.0
+
--- a/nftables.spec
+++ b/nftables.spec
@ -1,6 +1,6 @@
 Name:           nftables
 Version:        0.9.8
-Release:        7%{?dist}
+Release:        8%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@ -29,6 +29,8 @@ Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
 Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
 Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
 Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
+Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
+Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch

 #BuildRequires: autogen
 #BuildRequires: autoconf
@ -138,6 +140,10 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/

 %changelog
+* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-8
+- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
+- segtree: Fix segfault when restoring a huge interval set
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-7
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688