bugzilla-daemon at netfilter.org
2024-Jun-11  05:00 UTC
[Bug 1754] New: __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
            Bug ID: 1754
           Summary: __list_add SIGSEGV fault
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: s.egbert at sbcglobal.net
Created attachment 744
  --> https://bugzilla.netfilter.org/attachment.cgi?id=744&action=edit
Custom user-supplied NFT file to exercise NFT syntaxes to their near fullest
Really running an exerciser of a nearly fully permuted but valid NFT
configuration file (see the enclosed passing-syntaxes.nft file).  (Disclaimer: I am
a budding but old author of the github.com/egberts/vim-nftables VIM syntax file for
NFT.)
Perform `nft -c` against my file.
Now blows up with:
    Program received signal SIGSEGV, Segmentation fault.
== How I did it ==
Prepare coredump on Debian 12:
    # apt install debuginfod
    # export DEBUGINFOD_URLS="https://debuginfod.debian.net"
    # gdb /usr/sbin/nft
    (gdb) set args -c -f ./passing-syntaxes.nft
    (gdb) debuginfod enable on
    (gdb) r
Output of the SIGSEGV is:
(gdb) run
Starting program: /usr/sbin/nft -c -f /home/wolfe/work/github/vim-nftables/test/passing-syntaxes.nft
Downloading separate debug info for system-supplied DSO at 0x7ffff7fc9000...
Downloading separate debug info for /lib/x86_64-linux-gnu/libnftables.so.1...
Downloading separate debug info for /lib/x86_64-linux-gnu/libedit.so.2...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Downloading separate debug info for /lib/x86_64-linux-gnu/libmnl.so.0...
Downloading separate debug info for /lib/x86_64-linux-gnu/libnftnl.so.11...
Downloading separate debug info for /lib/x86_64-linux-gnu/libxtables.so.12...
Downloading separate debug info for /lib/x86_64-linux-gnu/libjansson.so.4...
Downloading separate debug info for /lib/x86_64-linux-gnu/libgmp.so.10...
Downloading separate debug info for /lib/x86_64-linux-gnu/libtinfo.so.6...
Downloading separate debug info for
/home/wolfe/.cache/debuginfod_client/1d6c928a5e4f222cf4479cbb1fd4f63965b10a03/debuginfo...
Downloading separate debug info for /lib/x86_64-linux-gnu/libbsd.so.0...
Downloading separate debug info for /lib/x86_64-linux-gnu/libmd.so.0...
Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------------
0x00007ffff7ede2dd in __list_add (next=0x55555557e488, prev=0x0,
new=0x55555557ea00) at ../include/list.h:60
Download failed: Invalid argument.  Continuing without source file
./src/../include/list.h.
60      ../include/list.h: No such file or directory.
(gdb) bt
#0  0x00007ffff7ede2dd in __list_add (next=0x55555557e488, prev=0x0,
new=0x55555557ea00) at ../include/list.h:60
#1  list_add_tail (head=0x55555557e488, new=0x55555557ea00) at
../include/list.h:87
#2  list_move_tail (head=0x55555557e488, list=0x55555557ea00) at
../include/list.h:169
#3  nft_cmd_collapse (cmds=cmds at entry=0x7fffffffc950) at ./src/rule.c:1469
#4  0x00007ffff7f1885d in nft_evaluate (nft=nft at entry=0x55555555c2a0,
msgs=msgs at entry=0x7fffffffc940, cmds=cmds at entry=0x7fffffffc950) at
./src/libnftables.c:520
#5  0x00007ffff7f18d4e in __nft_run_cmd_from_filename
(nft=nft at entry=0x55555555c2a0, filename=filename at entry=0x7fffffffd02c
"/home/wolfe/work/github/vim-nftables/test/passing-syntaxes.nft") at
./src/libnftables.c:680
#6  0x00007ffff7f19a99 in nft_run_cmd_from_filename (nft=0x55555555c2a0,
filename=0x7fffffffd02c
"github/vim-nftables/test/passing-syntaxes.nft") at
./src/libnftables.c:766
#7  0x0000555555556ac9 in ?? ()
#8  0x00007ffff7cca24a in __libc_start_call_main
(main=main at entry=0x5555555562d0, argc=argc at entry=0x4,
argv=argv at entry=0x7fffffffcb78) at ../sysdeps/nptl/libc_start_call_main.h:58
#9  0x00007ffff7cca305 in __libc_start_main_impl (main=0x5555555562d0,
argc=0x4, argv=0x7fffffffcb78, init=<optimized out>, fini=<optimized
out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffcb68) at
../csu/libc-start.c:360
#10 0x0000555555556b91 in ?? ()
(gdb)
So I managed to reinstall the NFT package, but with source code listings;
backtrace + list for each stack call is given below:
(gdb) down
#6  0x00007ffff7f19a99 in nft_run_cmd_from_filename (nft=0x55555555c2a0,
filename=0x7fffffffd02c
"/home/wolfe/work/github/vim-nftables/test/passing-syntaxes.nft") at
./src/libnftables.c:766
766             ret = __nft_run_cmd_from_filename(nft, filename);
(gdb) l
761                     ret = nft_run_optimized_file(nft, filename);
762                     xfree(nft->stdin_buf);
763                     return ret;
764             }
765
766             ret = __nft_run_cmd_from_filename(nft, filename);
767             xfree(nft->stdin_buf);
768
769             return ret;
770     }
(gdb) down
#5  0x00007ffff7f18d4e in __nft_run_cmd_from_filename
(nft=nft at entry=0x55555555c2a0, filename=filename at entry=0x7fffffffd02c
"/home/wolfe/work/github/vim-nftables/test/passing-syntaxes.nft") at
./src/libnftables.c:680
680             rc = nft_evaluate(nft, &msgs, &cmds);
(gdb) l
675             parser_rc = rc;
676
677             if (nft->optimize_flags)
678                     nft_optimize(nft, &cmds);
679
680             rc = nft_evaluate(nft, &msgs, &cmds);
681             if (rc < 0)
682                     goto err;
683
684             if (parser_rc) {
(gdb) down
#4  0x00007ffff7f1885d in nft_evaluate (nft=nft at entry=0x55555555c2a0,
msgs=msgs at entry=0x7fffffffc940, cmds=cmds at entry=0x7fffffffc950) at
./src/libnftables.c:520
520             if (nft_cmd_collapse(cmds))
(gdb) l
515                     return -1;
516             }
517
518             nft_cache_filter_fini(filter);
519
520             if (nft_cmd_collapse(cmds))
521                     collapsed = true;
522
523             list_for_each_entry(cmd, cmds, list) {
524                     if (cmd->op != CMD_ADD)
(gdb) down
#3  nft_cmd_collapse (cmds=cmds at entry=0x7fffffffc950) at ./src/rule.c:1469
1469                            list_move_tail(&expr->list,
&elems->expr->expressions);
(gdb) l
1464                    }
1465
1466                    collapse = true;
1467                    list_for_each_entry_safe(expr, enext,
&cmd->expr->expressions, list) {
1468                            expr->cmd = cmd;
1469                            list_move_tail(&expr->list,
&elems->expr->expressions);
1470                    }
1471                    elems->expr->size += cmd->expr->size;
1472                    list_move_tail(&cmd->list,
&elems->collapse_list);
1473            }
(gdb) down
#2  list_move_tail (head=0x55555557e488, list=0x55555557ea00) at
../include/list.h:169
169             list_add_tail(list, head);
(gdb) l
164      */
165     static inline void list_move_tail(struct list_head *list,
166                                       struct list_head *head)
167     {
168             __list_del(list->prev, list->next);
169             list_add_tail(list, head);
170     }
171
172     /**
173      * list_is_last - tests whether @list is the last entry in list @head
(gdb) down
#1  list_add_tail (head=0x55555557e488, new=0x55555557ea00) at
../include/list.h:87
87              __list_add(new, head->prev, head);
(gdb) l
82       * Insert a new entry before the specified head.
83       * This is useful for implementing queues.
84       */
85      static inline void list_add_tail(struct list_head *new, struct
list_head *head)
86      {
87              __list_add(new, head->prev, head);
88      }
89
90      /*
91       * Delete a list entry by making the prev/next entries
(gdb) down
#0  0x00007ffff7ede2dd in __list_add (next=0x55555557e488, prev=0x0,
new=0x55555557ea00) at ../include/list.h:60
60              prev->next = new;
(gdb) l
55                                    struct list_head *next)
56      {
57              next->prev = new;
58              new->next = next;
59              new->prev = prev;
60              prev->next = new;
61      }
62
63      /**
64       * list_add - add a new entry
(gdb) down
Bottom (innermost) frame selected; you cannot go down.
Debian 12.1
Linux 6.1.0-21-amd
nftables v1.0.6 (Lester Gooch #5)
  cli:          editline
  json:         yes
  minigmp:      no
  libxtables:   yes
-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2024-Jun-11  05:00 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
Egbert S <s.egbert at sbcglobal.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |s.egbert at sbcglobal.net
bugzilla-daemon at netfilter.org
2024-Jun-11  05:01 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #1 from Egbert S <s.egbert at sbcglobal.net> ---
Seems slightly related to #877
bugzilla-daemon at netfilter.org
2024-Jun-11  05:37 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #2 from Egbert S <s.egbert at sbcglobal.net> ---
53      static inline void __list_add(struct list_head *new,
54                                    struct list_head *prev,
55                                    struct list_head *next)
56      {
57              next->prev = new;
58              new->next = next;
59              new->prev = prev;
60              prev->next = new;
61      }
62
Signal SIGSEGV at line 59:
   'prev' variable is 0 (zero, NULL pointer, owwie)
Did a dump on '*expr' and 'blackhole' was the identifier.  I have 12
'blackhole' in the test file.  I renumbered all blackhole into suffix
numerical sequences (i.e., 'blackhole1', 'blackhole2', ...), and got a
different ASSERT!!!
nft: payload.c:117: payload_expr_pctx_update: Assertion `base->length > 0' failed.
# gdb -q /usr/sbin/nft
GNU gdb (Debian 13.1-3) 13.1
Reading symbols from /usr/sbin/nft...
(No debugging symbols found in /usr/sbin/nft)
(gdb) set args -c -f ../../github/vim-nftables/test/passing-syntaxes.nft 
(gdb) set debuginfod enabled on
(gdb) run
Starting program: /usr/sbin/nft -c -f ../../github/vim-nftables/test/passing-syntaxes.nft
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
nft: payload.c:117: payload_expr_pctx_update: Assertion `base->length > 0' failed.
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo at entry=6,
    no_tid=no_tid at entry=0) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>,
signo=signo at entry=6, 
    no_tid=no_tid at entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007ffff7d2de8f in __pthread_kill_internal (signo=6, threadid=<optimized out>)
    at ./nptl/pthread_kill.c:78
#2  0x00007ffff7cdefb2 in __GI_raise (sig=sig at entry=6) at
../sysdeps/posix/raise.c:26
#3  0x00007ffff7cc9472 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007ffff7cc9395 in __assert_fail_base (
    fmt=0x7ffff7e3da90 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion at entry=0x7ffff7f4ad8d "base->length > 0",
    file=file at entry=0x7ffff7f4ad53 "payload.c", line=line at entry=117,
    function=function at entry=0x7ffff7f4b0e0 "payload_expr_pctx_update") at
./assert/assert.c:92
#5  0x00007ffff7cd7eb2 in __GI___assert_fail (assertion=0x7ffff7f4ad8d
"base->length > 0", 
    file=0x7ffff7f4ad53 "payload.c", line=117, 
    function=0x7ffff7f4b0e0 "payload_expr_pctx_update") at
./assert/assert.c:101
#6  0x00007ffff7ef5147 in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#7  0x00007ffff7ee910d in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#8  0x00007ffff7eef49a in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#9  0x00007ffff7eed4ef in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#10 0x00007ffff7f188d3 in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#11 0x00007ffff7f18d4e in ?? () from /lib/x86_64-linux-gnu/libnftables.so.1
#12 0x00007ffff7f19a99 in nft_run_cmd_from_filename ()
   from /lib/x86_64-linux-gnu/libnftables.so.1
--Type <RET> for more, q to quit, c to continue without paging--
#13 0x0000555555556ac9 in ?? ()
#14 0x00007ffff7cca24a in __libc_start_call_main
(main=main at entry=0x5555555562d0, 
    argc=argc at entry=4, argv=argv at entry=0x7fffffffd2e8)
    at ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x00007ffff7cca305 in __libc_start_main_impl (main=0x5555555562d0, argc=4, 
    argv=0x7fffffffd2e8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffd2d8) at
../csu/libc-start.c:360
#16 0x0000555555556b91 in ?? ()
Make a new bug report for this kernel ASSERT?
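The listing quoted in this comment is the intrusive doubly-linked list helper from nftables' include/list.h, and the observation is that `prev` reached `__list_add()` as NULL. As an added example (not code from the bug report or the nftables project), the C program below copies those primitives with the same bodies and names, builds a small list plus one entry whose `list_head` has the shape of the `*expr` dump later in the thread (`next` set, `prev` NULL), and runs a collapse loop that validates each entry before `list_move_tail()` instead of faulting. `struct elem`, `list_entry_is_linked()`, `move_tail_checked()` and `demo_collapse()` are this example's own names, and the element values are constructed; the project's actual fix, referenced later in the thread, skips variable set elements at the collapse step, so the generic link check here is an illustration of the failure mode, not that patch.

```c
/* Added example, not nftables project code: the list primitives from
 * include/list.h as quoted in this bug (same bodies and names), plus a
 * checked move showing why an entry with prev == NULL faults in __list_add()
 * and how a collapse loop can skip it. struct elem, list_entry_is_linked(),
 * move_tail_checked() and demo_collapse() are this example's own names. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static inline void INIT_LIST_HEAD(struct list_head *list)
{
	list->next = list;
	list->prev = list;
}

/* include/list.h:53-61 from the report; prev->next is the faulting store. */
static inline void __list_add(struct list_head *new, struct list_head *prev,
			      struct list_head *next)
{
	next->prev = new;
	new->next = next;
	new->prev = prev;
	prev->next = new;	/* SIGSEGV here when prev == NULL */
}

static inline void list_add_tail(struct list_head *new, struct list_head *head)
{
	__list_add(new, head->prev, head);
}

static inline void __list_del(struct list_head *prev, struct list_head *next)
{
	next->prev = prev;
	prev->next = next;
}

static inline void list_move_tail(struct list_head *list, struct list_head *head)
{
	__list_del(list->prev, list->next);
	list_add_tail(list, head);
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Safe to unlink only when both links are set and the neighbours point back. */
static bool list_entry_is_linked(const struct list_head *e)
{
	return e->next != NULL && e->prev != NULL &&
	       e->prev->next == e && e->next->prev == e;
}

/* Move e to the tail of dst only if it is really on a list; else report false. */
static bool move_tail_checked(struct list_head *e, struct list_head *dst)
{
	if (!list_entry_is_linked(e))
		return false;
	list_move_tail(e, dst);
	return true;
}

struct elem {			/* stand-in for struct expr: embedded list_head */
	const char *name;
	struct list_head list;
};

/* Constructed scenario: three linked elements plus one stray element whose
 * list_head has the shape seen in the gdb dump (next = a list head, prev =
 * NULL). Collapses every candidate into dst; returns the number moved, stores
 * the number skipped and writes the names now on dst into names[] (NULL-ended). */
static int demo_collapse(int *skipped, const char **names, int max)
{
	struct list_head src, dst;
	struct elem a = { "192.168.0.1" }, b = { "192.168.0.10" };
	struct elem c = { "10.0.0.1" }, stray = { "$M" };
	struct elem *cands[] = { &a, &stray, &b, &c };
	int moved = 0, n = 0, i;

	INIT_LIST_HEAD(&src);
	INIT_LIST_HEAD(&dst);
	list_add_tail(&a.list, &src);
	list_add_tail(&b.list, &src);
	list_add_tail(&c.list, &src);
	stray.list.next = &dst;	/* never linked; list_move_tail() on it */
	stray.list.prev = NULL;	/* would fault exactly like the report */

	*skipped = 0;
	for (i = 0; i < 4; i++) {
		if (move_tail_checked(&cands[i]->list, &dst))
			moved++;
		else
			(*skipped)++;
	}
	for (struct list_head *p = dst.next; p != &dst && n < max - 1; p = p->next)
		names[n++] = container_of(p, struct elem, list)->name;
	names[n] = NULL;
	return moved;	/* 3 moved, 1 skipped */
}
```

Calling `demo_collapse()` moves the three linked elements to `dst` in order and leaves the stray one untouched; a plain `list_move_tail(&stray.list, &dst)` would reach `prev->next = new` with `prev == NULL`, which is the store at line 60 in frame #0 of the backtrace.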
bugzilla-daemon at netfilter.org
2024-Jun-11  05:41 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #3 from Egbert S <s.egbert at sbcglobal.net> ---
Back to the original 12 identical 'blackhole' variant of passing-syntaxes.nft:
Further variable dump up the stack at the nft_cmd_collapse() shows '*expr' had
the 'prev = 0'
(gdb) p *expr
$20 = {list = {next = 0x55555557e488, prev = 0x0},
  location = {indesc = 0x55555555cd70, {{token_offset = 0x2540, line_offset = 0x251a, first_line = 0xce, last_line = 0xce, first_column = 0x1c, last_column = 0x26}, {nle = 0x2540}}},
  refcnt = 0x1, flags = 0x0, dtype = 0x7ffff7f846e0 <invalid_type>,
  byteorder = BYTEORDER_INVALID, etype = EXPR_SET_ELEM, op = OP_INVALID, len = 0x0,
  cmd = 0x55555557eca0,
  {{scope = 0x55555557e940, identifier = 0x0, symtype = SYMBOL_VALUE},
   {sym = 0x55555557e940},
   {verdict = 0x5557e940, chain = 0x0, chain_id = 0x0},
   {value = {{_mp_alloc = 0x5557e940, _mp_size = 0x5555, _mp_d = 0x0}}},
   {prefix = 0x55555557e940, prefix_len = 0x0},
   {expressions = {next = 0x55555557e940, prev = 0x0}, size = 0x0, set_flags = 0x0, field_len = "\000\000\000\000\000\000\000\000x\352WUUU\000", field_count = 0x78},
   {set = 0x55555557e940},
   {key = 0x55555557e940, timeout = 0x0, expiration = 0x0, comment = 0x0, stmt_list = {next = 0x55555557ea78, prev = 0x55555557ea78}, elem_flags = 0x0},
   {arg = 0x55555557e940},
   {left = 0x55555557e940, right = 0x0},
   {map = 0x55555557e940, mappings = 0x0},
   payload = {desc = 0x55555557e940, tmpl = 0x0, base = PROTO_BASE_INVALID, offset = 0x0, is_raw = 0x0, evaluated = 0x0},
   exthdr = {desc = 0x55555557e940, tmpl = 0x0, offset = 0x0, raw_type = 0x0, op = NFT_EXTHDR_OP_IPV6, flags = 0x0},
   meta = {key = 1431824704, base = 21845},
   socket = {key = 1431824704, level = 0x5555},
   rt = {key = 1431824704},
   ct = {key = 1431824704, base = 21845, direction = 0x0, nfproto = 0x0},
   numgen = {type = (unknown: 0x5557e940), mod = 0x5555, offset = 0x0},
   hash = {expr = 0x55555557e940, mod = 0x0, seed_set = 0x0, seed = 0x0, offset = 0x0, type = NFT_HASH_JENKINS},
   fib = {flags = 0x5557e940, result = 0x5555},
   xfrm = {key = 1431824704, direction = 0x55, spnum = 0x55},
   osf = {ttl = 0x40, flags = 0x5555},
   flagcmp = {expr = 0x55555557e940, mask = 0x0, value = 0x0}}}
bugzilla-daemon at netfilter.org
2024-Jun-11  05:56 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #4 from Egbert S <s.egbert at sbcglobal.net> ---
In nft_cmd_collapse, using the same original all-same-'blackhole', the '*cmd'
variable shows:
(gdb) p *cmd
$28 = {list = {next = 0x55555557f470, prev = 0x55555557e4d0},
  location = {indesc = 0x55555555cd70, {{token_offset = 0x2521, line_offset = 0x251a, first_line = 0xce, last_line = 0xce, first_column = 0x1, last_column = 0x37}, {nle = 0x2521}}},
  op = CMD_ADD, obj = CMD_OBJ_ELEMENTS,
  handle = {family = 0x2,
    table = {location = {indesc = 0x55555555cd70, {{token_offset = 0x2528, line_offset = 0x251a, first_line = 0xce, last_line = 0xce, first_column = 0x9, last_column = 0xe}, {nle = 0x2528}}}, name = 0x55555557e410 "filter"},
    chain = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, name = 0x0},
    set = {location = {indesc = 0x55555555cd70, {{token_offset = 0x2532, line_offset = 0x251a, first_line = 0xce, last_line = 0xce, first_column = 0x10, last_column = 0x18}, {nle = 0x2532}}}, name = 0x55555557e900 "blackhole"},
    obj = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, name = 0x0},
    flowtable = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, name = 0x0},
    handle = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, id = 0x0},
    position = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, id = 0x0},
    index = {location = {indesc = 0x0, {{token_offset = 0x0, line_offset = 0x0, first_line = 0x0, last_line = 0x0, first_column = 0x0, last_column = 0x0}, {nle = 0x0}}}, id = 0x0},
    set_id = 0x0, chain_id = 0x0, rule_id = 0x0, position_id = 0x0},
  seqnum = 0x0,
  collapse_list = {next = 0x55555557ee80, prev = 0x55555557ee80},
  {data = 0x55555557eaa0, expr = 0x55555557eaa0, set = 0x55555557eaa0, elem = {expr = 0x55555557eaa0, set = 0x0}, rule = 0x55555557eaa0, chain = 0x55555557eaa0, table = 0x55555557eaa0, flowtable = 0x55555557eaa0, monitor = 0x55555557eaa0, markup = 0x55555557eaa0, object = 0x55555557eaa0},
  attr = 0x55555557eec0, attr_array_len = 0x20, num_attrs = 0x0, arg = 0x0}
first_line points to:
    element filter blackhole { 192.168.0.1, 192.168.0.10 }
-------
Made a standalone 'blackhole.nft' file containing just that one offending line
and reran 'nft':
# nft -c -f blackhole.nft 
blackhole.nft:2:16-24: Error: No such file or directory
element filter blackhole { 192.168.0.1, 192.168.0.10 }
               ^^^^^^^^^
Mmmmmmmmm.
bugzilla-daemon at netfilter.org
2024-Jun-11  08:23 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Egbert S from comment #4)
> Mmmmmmmmm.
Could you please narrow down the problem? Dumping a large ruleset with backtracing here and there does not really help, this reproducer is simply too large.
bugzilla-daemon at netfilter.org
2024-Jun-11  16:38 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I found the needle in the stack:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240611161711.20247-1-pablo@netfilter.org/
bugzilla-daemon at netfilter.org
2024-Jun-11  18:21 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #7 from Egbert S <s.egbert at sbcglobal.net> ---
Also whittled down and found the barest offending NFT snippet:
    #!/usr/sbin/nft -f
    # File: passing-syntaxes-bug.nft
    # Description: A test NFT file that exercises a SIGSEGV fault
    # in nftables 1.0.6 Debian 12
    define M = "doesnt_matter"
    element filter blackhole $M ;
    element filter blackhole { 192.168.0.1 }
    flush ruleset
Cannot avoid this SIGSEGV without any of the 4 lines above.
bugzilla-daemon at netfilter.org
2024-Jun-11  18:26 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #8 from Pablo Neira Ayuso <pablo at netfilter.org> ---
# nft -f test.nft
test.nft:8:9-14: Error: No such file or directory
element filter blackhole $M ;
        ^^^^^^
test.nft:9:9-14: Error: No such file or directory
element filter blackhole { 192.168.0.1 }
        ^^^^^^
No crash anymore with my proposed patch.
bugzilla-daemon at netfilter.org
2024-Jun-11  18:44 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #9 from Egbert S <s.egbert at sbcglobal.net> ---
Ummm, this is nftables_1.0.6-2+deb12u2.debian.tar.xz
A partial of your supplied snippet's backtrace:
    #3 0x7ffb77cf86ad in nft_cmd_collapse src/cmd.c:478
That is actually inside your src/cmd.c instead of src/rule.c for my
1.0.6-2+deb12u2.
re-checking...  patched.  Recompile/relink.
Reran, same SIGSEGV.
Nope, this fix isn't it (at least for 1.0.6-2+deb12u2).
Will continue with slow-debug watch session on 'prev' pointer being NULL.
Details:
$ apt show nftables
Package: nftables
Version: 1.0.6-2+deb12u2
Priority: important
Section: net
Maintainer: Debian Netfilter Packaging Team
<pkg-netfilter-team at lists.alioth.debian.org>
Installed-Size: 180 kB
Depends: libnftables1 (= 1.0.6-2+deb12u2), libc6 (>= 2.34), libedit2
(>3.1-20130611-0)
Recommends: netbase
Suggests: firewalld
Homepage: https://www.netfilter.org/
Download-Size: 70.3 kB
APT-Manual-Installed: yes
APT-Sources: http://deb.debian.org/debian bookworm/main amd64 Packages
Description: Program to control packet filtering rules by Netfilter project
 This software provides an in-kernel packet classification framework that is
 based on a network-specific Virtual Machine (VM) and the nft userspace
 command line tool. The nftables framework reuses the existing Netfilter
 subsystems such as the existing hook infrastructure, the connection tracking
 system, NAT, userspace queueing and logging subsystem.
 .
 nftables replaces the old popular iptables, ip6tables, arptables and ebtables.
 .
 Netfilter software and nftables in particular are used in applications such
 as Internet connection sharing, firewalls, IP accounting, transparent
 proxying, advanced routing and traffic control.
 .
 A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended.
bugzilla-daemon at netfilter.org
2024-Jun-11  19:00 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #10 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Egbert S from comment #9)
> Ummm, this is nftables_1.0.6-2+deb12u2.debian.tar.xz
>
> A partial of your supplied snippet's backtrace:
>
> #3 0x7ffb77cf86ad in nft_cmd_collapse src/cmd.c:478
>
> That is actually inside your src/cmd.c instead of src/rule.c for my
> 1.0.6-2+deb12u2.
>
> re-checking... patched. Recompile/relink.
>
> Reran, same SIGSEGV.
>
> Nope, this fix isn't it (at least for 1.0.6-2+deb12u2).
I am testing with current git HEAD. I can look back and provide a backport for 1.0.6 to address this later because it seems to me it is lacking more fixes.
bugzilla-daemon at netfilter.org
2024-Jun-11  19:22 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #11 from Egbert S <s.egbert at sbcglobal.net> ---
Errored in NOT using LD_PRELOAD with new libnftables built.
Your needle fixes this issue. Closing this bug as "fixed in 1.0.9", but as for the older backports?
Could I ask what your opinion is as to whether the Debian maintainer needs to backport this to 1.0.6. Also, please close this appropriately.
bugzilla-daemon at netfilter.org
2024-Jun-11  21:33 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
--- Comment #12 from Pablo Neira Ayuso <pablo at netfilter.org> ---
commit be055af5c58d9a4751990684d8f83b85082ca443
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Jun 11 17:40:23 2024 +0200
    cmd: skip variable set elements when collapsing commands
bugzilla-daemon at netfilter.org
2024-Jun-11  21:35 UTC
[Bug 1754] __list_add SIGSEGV fault
https://bugzilla.netfilter.org/show_bug.cgi?id=1754
--- Comment #13 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Egbert S from comment #11)
> Errored in NOT using LD_PRELOAD with new libnftables built.
>
> Your needle fixes this issue. Closing this bug as "fixed in 1.0.9", but as
> for the older backports?
>
> Could I ask what your opinion as to whether Debian maintainer needs to
> backport this to 1.0.6.
There is a good number of backported fixes for 1.0.6 here:
https://git.netfilter.org/nftables/log/?h=1.0.6.y
The last 6 months of fixes still need to be backported there.