[Bug 2049318] Re: [SRU] free(): double free detected in tcache 2
Sudip Mukherjee
2049318 at bugs.launchpad.net
Tue Jan 16 21:27:13 UTC 2024
Modified debdiff attached which is now cherry-picked from upstream and
dep3 headers added.
Also added a simple test plan based on the upstream testcase.
** Description changed:
[ Impact ]
iptables is unable to list the iptables rules or save the iptables rules
if a nftables ruleset is defined which iptables does not recognize.
[ Test Plan ]
+ 1. Simple test plan based on upstream test case:
+
+ sudo nft -f - <<EOF
+ table ip filter {
+ chain INPUT {
+ type filter hook input priority filter
+ counter packets 218 bytes 91375 accept
+ }
+
+ chain x {
+ type filter hook input priority filter
+ }
+ }
+ EOF
+
+ sudo iptables -L
+
+
+ 2. A more complicated test plan
+
* Add an iptables rule.
- - sudo iptables -A OUTPUT -p tcp --dport 9999 -j REJECT
+ - sudo iptables -A OUTPUT -p tcp --dport 9999 -j REJECT
* save the rules in a file
- - sudo iptables-save > rules.txt
+ - sudo iptables-save > rules.txt
* Convert the rule to nftables ruleset
- - sudo iptables-nft-restore < rules.txt
+ - sudo iptables-nft-restore < rules.txt
* List the nftables ruleset
- - sudo nft list ruleset
+ - sudo nft list ruleset
* Also confirm that iptables can list the old rule
- - sudo iptables -L
+ - sudo iptables -L
* Now add another nftables rule (this rule is taken from upstream test
case)
sudo nft -f - <<EOF
table ip filter {
- chain INPUT {
- type filter hook input priority filter
- counter packets 218 bytes 91375 accept
- }
+ chain INPUT {
+ type filter hook input priority filter
+ counter packets 218 bytes 91375 accept
+ }
- chain x {
- type filter hook input priority filter
- }
+ chain x {
+ type filter hook input priority filter
+ }
}
EOF
* List the nftables ruleset, which will print the old rule and the new rule
- - sudo nft list ruleset
+ - sudo nft list ruleset
* Try printing the old iptables rule
- - sudo iptables -L
+ - sudo iptables -L
- Without the fixed packages it will now abort with a double free.
+ Without the fixed packages both the tests will now abort with a double free.
$ sudo iptables -L
free(): double free detected in tcache 2
Aborted
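Review bot: the new step 1 stops at `sudo iptables -L`, and the only output shown for either test is the failing one, so there is no stated pass condition for the fixed package. Say what a passing run of `sudo iptables -L` should look like in both tests. The heredoc in step 1 also leaves `table ip filter` loaded, so test 2 does not start from a clean ruleset when run on the same machine; a cleanup step between the two tests would keep them independent.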
[ Where problems could occur ]
- * This is an upstream patch which is only removing an error path when
+ * This is an upstream patch which is only removing an error path when
nft_cache_add_chain() errors. nft_cache_add_chain() will free the chain
on error, and it was then again freed in the error path. By removing the
error path its now fixing the double free. Since the only change is in
the error path, the chances of regression are very less.
[ Other Info ]
* The regression was introduced in v1.8.7 and has been fixed via v1.8.8
so only Jammy is affected.
[ Original Bug Description ]
nftables is being used successfully with no difficulty.
Running iptables on my node receives a crash:
$ sudo iptables -nL
free(): double free detected in tcache 2
Aborted (core dumped)
without sudo
# iptables -nL
free(): double free detected in tcache 2
Aborted (core dumped)
This bug is known and was fixed in version 1.8.8 of iptables
https://git.netfilter.org/iptables/commit/?id=4318961230bce82958df82b57f1796143bf2f421
1) The release of Ubuntu
$ lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
2) The version of the package
$ apt info iptables
Package: iptables
Version: 1.8.7-1ubuntu5.1
3) What you expected to happen
not to crash with valid, working nftables rules
4) What happened instead
crash
A plausible workaround could be a backport of iptables 1.8.9 from mantic
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: iptables 1.8.7-1ubuntu5.1
ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
Uname: Linux 5.15.0-91-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Sun Jan 14 20:36:59 2024
InstallationDate: Installed on 2021-11-23 (782 days ago)
InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: iptables
UpgradeStatus: Upgraded to jammy on 2023-04-30 (259 days ago)
** Patch added: "iptables_20240116.debdiff"
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/2049318/+attachment/5740007/+files/iptables_20240116.debdiff
Title:
[SRU] free(): double free detected in tcache 2
Status in iptables package in Ubuntu:
Fix Released
Status in iptables source package in Jammy:
Confirmed
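The ownership mistake described under "[ Where problems could occur ]", as an added example that is not iptables source and not part of the original report: a callee that releases the chain itself on failure, called once with the extra caller-side error path and once without it. All names are hypothetical stand-ins, and the rule that a second base chain on the same hook is rejected is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not iptables source; a static pool replaces malloc. */
struct chain { int hooknum; int live; };
static struct chain pool[4], *base_chain[4];  /* one base chain per hook (assumed) */
static int used, double_frees;

static void chain_free(struct chain *c)
{
    if (!c->live)
        double_frees++;  /* real free() aborts here in glibc */
    c->live = 0;
}

/* Owns c from the call onward and releases it itself on failure. */
static int cache_add_chain(struct chain *c)
{
    if (base_chain[c->hooknum]) {
        chain_free(c);
        return -1;
    }
    base_chain[c->hooknum] = c;
    return 0;
}

static int add_chain(int hooknum, int caller_frees)
{
    struct chain *c = &pool[used++];  /* stands in for the allocation */
    *c = (struct chain){ hooknum, 1 };
    if (cache_add_chain(c) == 0)
        return 0;
    if (caller_frees)
        chain_free(c);  /* pre-fix error path: second release of c */
    return -1;
}

static int replay(int caller_frees)  /* returns the double-free count */
{
    memset(base_chain, 0, sizeof(base_chain));
    used = double_frees = 0;
    add_chain(1, caller_frees);  /* chain INPUT: accepted (hook id made up) */
    add_chain(1, caller_frees);  /* chain x, same hook: rejected */
    return double_frees;
}

int main(void)
{
    return printf("pre-fix: %d, fixed: %d\n", replay(1), replay(0)) < 0;
}
```

With the caller-side release removed, the rejected chain is released exactly once by the callee and the accepted chain stays in the cache.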