[pkg-netfilter-team] Bug#1023844: nftables: firewalld segfaults in libnftables.so rule.c cache_init_objects()

Tjeu Kayim tjeu.kayim at prodrive-technologies.com
Fri Nov 11 09:55:30 GMT 2022


Package: nftables
Version: 0.9.8-3.1
Severity: important
Tags: upstream

Dear Maintainer,

We have 4 computers running Debian 11 that use firewalld.
Every 30 minutes, these run a configuration management tool as a scheduled job
that applies the firewall configuration (and overwrites any manual changes).
In the past 13 weeks, this job experienced 8 segmentation faults at random moments.
The desired firewall configuration did not change on the days of the crashes; the job only
recreates certain nftables rules.
After the crash, the firewall remains in a state that rejects almost all incoming and outgoing traffic.
Subsequent scheduled jobs fail to contact the configuration management server, and the computer no
longer accepts SSH connections. I recall one time manually logging in via a non-SSH console and
repairing it with firewall-cmd, though in the other cases I just rebooted the computer as
a quicker solution (when the persistent firewalld configuration is applied at boot, it solves
the problem).

Debian unstable already contains a newer version of the nftables package; I have not yet tried
upgrading to that one. It might take another few weeks before the bug manifests again on the one computer
that has core dumps enabled, so I can't quickly check whether other package versions still have the bug.

Today was the first time I captured a core dump. The backtrace looks a bit similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1983116, though I'm not sure how to interpret
that Fedora backtrace because it lacks debug symbols.

    Core was generated by `/usr/bin/python3 /usr/sbin/firewalld --nofork --nopid'.
    --Type <RET> for more, q to quit, c to continue without paging--
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  list_add_tail (head=0x2c0, new=0x2440b70) at ../include/list.h:87
    Download failed: Invalid argument.  Continuing without source file ./src/../include/list.h.
    87      ../include/list.h: No such file or directory.
    [Current thread is 1 (Thread 0x7fddc6704740 (LWP 488))]
    (gdb)
    (gdb) bt
    #0  list_add_tail (head=0x2c0, new=0x2440b70) at ../include/list.h:87
    #1  list_move_tail (head=0x2c0, list=0x2440b70) at ../include/list.h:169
    #2  cache_init_objects (flags=127, ctx=0x7ffc9dd74f20) at rule.c:208
    #3  cache_init (flags=127, ctx=0x7ffc9dd74f20) at rule.c:235
    #4  cache_update (nft=nft@entry=0x1ffcbe0, flags=127, msgs=msgs@entry=0x7ffc9dd75ee0) at rule.c:291
    #5  0x00007fddc41ae0a2 in nft_evaluate (nft=nft@entry=0x1ffcbe0, msgs=msgs@entry=0x7ffc9dd75ee0, cmds=cmds@entry=0x7ffc9dd75ef0) at libnftables.c:420
    #6  0x00007fddc41aead8 in nft_run_cmd_from_buffer (nft=0x1ffcbe0,
        buf=0x2343330 "{\"nftables\": [{\"metainfo...) at libnftables.c:465

Here is the whole argument to nft_run_cmd_from_buffer() pretty printed:
    {"nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"add": {"set": {"family": "inet", "table": "firewalld", "name": "ata", "type": "ipv4_addr", "flags": ["interval"]}}},
        {"flush": {"set": {"family": "inet", "table": "firewalld", "name": "ata"}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.42"]}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.64"]}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.67"]}}}
    ]}

The line that causes the segfault is here:
https://sources.debian.org/src/nftables/0.9.8-3.1/src/rule.c/#L208
    list_move_tail(&rule->list, &chain->rules);



-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (800, 'stable-updates'), (800, 'stable-security'), (800, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.bpo.1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.20.12
ii  libc6         2.31-13+deb11u4
ii  libedit2      3.1-20191231-2+b1
ii  libnftables1  0.9.8-3.1

nftables recommends no packages.

Versions of packages nftables suggests:
ii  firewalld  1.2.0-1~bpo11+1

-- no debconf information
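The backtrace above shows list_add_tail() faulting with head=0x2c0, a value far too small to be a valid heap address. The C program below is an added illustration, not code from this bug report or from nftables, of what that pattern is consistent with: a NULL object pointer plus a member offset, which is what `&chain->rules` evaluates to when `chain` is NULL at the `list_move_tail(&rule->list, &chain->rules)` line. The list implementation mirrors the kernel-style list.h the frames reference; the struct layout, the padding that places `rules` at offset 0x2c0, the chain names and the rules are constructed assumptions, and the guarded attach loop is a defensive variant for illustration, not a proposed upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal intrusive doubly linked list in the style of the list.h that the
 * backtrace references (added illustration, not the nftables source). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *new, struct list_head *head)
{
    struct list_head *prev = head->prev;   /* first dereference of head: frame #0 faults here */
    new->next = head;
    new->prev = prev;
    prev->next = new;
    head->prev = new;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
}

static void list_move_tail(struct list_head *list, struct list_head *head)
{
    list_del(list);
    list_add_tail(list, head);
}

static size_t list_len(const struct list_head *h)
{
    size_t n = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next) n++;
    return n;
}

/* Constructed stand-in for a chain object. The padding is an assumption chosen
 * so that `rules` sits at offset 0x2c0, matching the faulting head pointer. */
struct chain {
    char name[32];
    unsigned char padding[0x2c0 - 32];
    struct list_head rules;
};

struct rule {
    const char *chain_name;   /* the chain this rule claims to belong to */
    struct list_head list;
};

struct cache {
    struct chain *chains;
    size_t nchains;
    struct list_head pending;  /* rules received from the kernel, not yet attached */
};

static struct chain *chain_lookup(struct cache *c, const char *name)
{
    for (size_t i = 0; i < c->nchains; i++)
        if (strcmp(c->chains[i].name, name) == 0) return &c->chains[i];
    return NULL;                /* unknown chain: the caller must not touch &ch->rules */
}

/* Guarded variant of the attach step: returns how many rules name a chain
 * that is not in the cache, instead of moving them onto a NULL chain. */
static size_t cache_attach_rules(struct cache *c)
{
    size_t orphans = 0;
    struct list_head *pos = c->pending.next;
    while (pos != &c->pending) {
        struct list_head *next = pos->next;  /* save before the node is moved */
        struct rule *r = (struct rule *)((char *)pos - offsetof(struct rule, list));
        struct chain *ch = chain_lookup(c, r->chain_name);
        if (ch == NULL) orphans++;           /* leave it in pending */
        else list_move_tail(&r->list, &ch->rules);
        pos = next;
    }
    return orphans;
}

/* Backtrace reading aid: a faulting address smaller than the object size is
 * consistent with a NULL base pointer plus a member offset. */
static int looks_like_null_member_deref(uintptr_t addr, size_t struct_size)
{
    return addr < struct_size;
}

/* Constructed scenario: two known chains, one rule referencing a missing chain. */
static struct chain demo_chains[2];
static struct rule demo_rules[4] = {
    { "input", {0} }, { "input", {0} }, { "missing", {0} }, { "forward", {0} }
};
static struct cache demo = { demo_chains, 2, {0} };

static size_t run_demo(void)
{
    strcpy(demo_chains[0].name, "input");
    strcpy(demo_chains[1].name, "forward");
    list_init(&demo_chains[0].rules);
    list_init(&demo_chains[1].rules);
    list_init(&demo.pending);
    for (size_t i = 0; i < 4; i++) list_add_tail(&demo_rules[i].list, &demo.pending);
    return cache_attach_rules(&demo);
}

static size_t demo_chain_rules(size_t i) { return list_len(&demo_chains[i].rules); }
static size_t demo_pending_rules(void) { return list_len(&demo.pending); }

int main(void)
{
    size_t orphans = run_demo();
    printf("offsetof(struct chain, rules) = 0x%zx, sizeof = 0x%zx\n",
           offsetof(struct chain, rules), sizeof(struct chain));
    printf("orphans left in pending: %zu (input=%zu forward=%zu)\n",
           orphans, demo_chain_rules(0), demo_chain_rules(1));
    return 0;
}
```

Whether the real crash is a NULL chain, a use-after-free of the chain object, or something else can only be settled with the debug symbols installed (`libnftables1-dbgsym` on Debian) and `p *chain` / `p *rule` in frame #2; the program only shows why a head pointer of 0x2c0 is the signature one would expect from the NULL case.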