REGRESSION in nfnetlink on 3.18.x (bisected)

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* REGRESSION in nfnetlink on 3.18.x (bisected)
@ 2014-12-20 23:33 Andre Tomt
  2014-12-20 23:51 ` Andre Tomt
  2014-12-22 11:56 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 6+ messages in thread
From: Andre Tomt @ 2014-12-20 23:33 UTC (permalink / raw)
  To: netfilter-devel, netdev

On at least Ubuntu 14.04 LTS and Ubuntu 14.10 "conntrack -E" has started 
failing with Linux 3.18.x. conntrack -L still works.

14.04 and 14.10 ships conntrack-utils version 1.4.1, but 1.4.2 does not 
work either.

It fails with:
> # conntrack -E
> conntrack v1.4.2 (conntrack-tools): Can't open handler

strace shows:
> bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
> getsockname(3, {sa_family=AF_NETLINK, pid=14092, groups=00000000}, [12]) = 0
> bind(3, {sa_family=AF_NETLINK, pid=14092, groups=00000007}, 12) = -1 EINVAL (Invalid argument)

Reverting 97840cb67ff5ac8add836684f011fd838518d698 - netfilter: 
nfnetlink: fix insufficient validation in nfnetlink_bind

makes everything work again on my systems.

I'm testing with
> # modprobe nfnetlink
> # modprobe nf_conntrack_netlink
> # modprobe nf_conntrack_ipv4
> # conntrack -E

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: REGRESSION in nfnetlink on 3.18.x (bisected)
  2014-12-20 23:33 REGRESSION in nfnetlink on 3.18.x (bisected) Andre Tomt
@ 2014-12-20 23:51 ` Andre Tomt
  2014-12-22 11:56 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 6+ messages in thread
From: Andre Tomt @ 2014-12-20 23:51 UTC (permalink / raw)
  To: netfilter-devel, netdev, Pablo Neira Ayuso

Copying change author

On 21. des. 2014 00:33, Andre Tomt wrote:
> On at least Ubuntu 14.04 LTS and Ubuntu 14.10 "conntrack -E" has started
> failing with Linux 3.18.x. conntrack -L still works.
>
> 14.04 and 14.10 ships conntrack-utils version 1.4.1, but 1.4.2 does not
> work either.
>
> It fails with:
>> # conntrack -E
>> conntrack v1.4.2 (conntrack-tools): Can't open handler
>
> strace shows:
>> bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
>> getsockname(3, {sa_family=AF_NETLINK, pid=14092, groups=00000000},
>> [12]) = 0
>> bind(3, {sa_family=AF_NETLINK, pid=14092, groups=00000007}, 12) = -1
>> EINVAL (Invalid argument)
>
> Reverting 97840cb67ff5ac8add836684f011fd838518d698 - netfilter:
> nfnetlink: fix insufficient validation in nfnetlink_bind
>
> makes everything work again on my systems.
>
> I'm testing with
>> # modprobe nfnetlink
>> # modprobe nf_conntrack_netlink
>> # modprobe nf_conntrack_ipv4
>> # conntrack -E
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: REGRESSION in nfnetlink on 3.18.x (bisected)
  2014-12-20 23:33 REGRESSION in nfnetlink on 3.18.x (bisected) Andre Tomt
  2014-12-20 23:51 ` Andre Tomt
@ 2014-12-22 11:56 ` Pablo Neira Ayuso
  2014-12-22 23:23   ` Andre Tomt
  1 sibling, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2014-12-22 11:56 UTC (permalink / raw)
  To: Andre Tomt; +Cc: netfilter-devel, netdev

[-- Attachment #1: Type: text/plain, Size: 816 bytes --]

On Sun, Dec 21, 2014 at 12:33:51AM +0100, Andre Tomt wrote:
> On at least Ubuntu 14.04 LTS and Ubuntu 14.10 "conntrack -E" has
> started failing with Linux 3.18.x. conntrack -L still works.
> 
> 14.04 and 14.10 ships conntrack-utils version 1.4.1, but 1.4.2 does
> not work either.
> 
> It fails with:
> ># conntrack -E
> >conntrack v1.4.2 (conntrack-tools): Can't open handler
> 
> strace shows:
> >bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
> >getsockname(3, {sa_family=AF_NETLINK, pid=14092, groups=00000000}, [12]) = 0
> >bind(3, {sa_family=AF_NETLINK, pid=14092, groups=00000007}, 12) = -1 EINVAL (Invalid argument)
> 
> Reverting 97840cb67ff5ac8add836684f011fd838518d698 - netfilter:
> nfnetlink: fix insufficient validation in nfnetlink_bind

Could you give a test to this patch? Thanks.

[-- Attachment #2: 0001-netlink-fix-wrong-subscription-bitmask-to-group-mapp.patch --]
[-- Type: text/x-diff, Size: 1827 bytes --]

>From f4f65150fd2129607a7bd25f007c258045237c8c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 21 Dec 2014 21:48:36 +0100
Subject: [PATCH nf] netlink: fix wrong subscription bitmask to group mapping in
 binding callbacks

The subscription bitmask passed via struct sockaddr_nl is converted to
the group number when calling the netlink_bind() and netlink_unbind()
callbacks.

The conversion is however incorrect since bitmask (1 << 0) needs to be
mapped to group number 1. Note that you cannot specify the group number 0
(usually known as _NONE) from setsockopt() using NETLINK_ADD_MEMBERSHIP
since this is rejected through -EINVAL.

This problem became noticeable since 97840cb ("netfilter: nfnetlink:
fix insufficient validation in nfnetlink_bind") when binding to bitmask
(1 << 0) in ctnetlink.

Reported-by: Andre Tomt <andre@tomt.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netlink/af_netlink.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 074cf3e..cbcf73b 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1420,7 +1420,7 @@ static void netlink_unbind(int group, long unsigned int groups,
 
 	for (undo = 0; undo < group; undo++)
 		if (test_bit(undo, &groups))
-			nlk->netlink_unbind(undo);
+			nlk->netlink_unbind(undo + 1);
 }
 
 static int netlink_bind(struct socket *sock, struct sockaddr *addr,
@@ -1458,7 +1458,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
 		for (group = 0; group < nlk->ngroups; group++) {
 			if (!test_bit(group, &groups))
 				continue;
-			err = nlk->netlink_bind(group);
+			err = nlk->netlink_bind(group + 1);
 			if (!err)
 				continue;
 			netlink_unbind(group, groups, nlk);
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: REGRESSION in nfnetlink on 3.18.x (bisected)
  2014-12-22 11:56 ` Pablo Neira Ayuso
@ 2014-12-22 23:23   ` Andre Tomt
  2015-01-07 22:03     ` Andre Tomt
  0 siblings, 1 reply; 6+ messages in thread
From: Andre Tomt @ 2014-12-22 23:23 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, netdev

On 22. des. 2014 12:56, Pablo Neira Ayuso wrote:
> On Sun, Dec 21, 2014 at 12:33:51AM +0100, Andre Tomt wrote:
>> On at least Ubuntu 14.04 LTS and Ubuntu 14.10 "conntrack -E" has
>> started failing with Linux 3.18.x. conntrack -L still works.
>>
>> 14.04 and 14.10 ships conntrack-utils version 1.4.1, but 1.4.2 does
>> not work either.
>>
>> It fails with:
>>> # conntrack -E
>>> conntrack v1.4.2 (conntrack-tools): Can't open handler
>>
>> strace shows:
>>> bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
>>> getsockname(3, {sa_family=AF_NETLINK, pid=14092, groups=00000000}, [12]) = 0
>>> bind(3, {sa_family=AF_NETLINK, pid=14092, groups=00000007}, 12) = -1 EINVAL (Invalid argument)
>>
>> Reverting 97840cb67ff5ac8add836684f011fd838518d698 - netfilter:
>> nfnetlink: fix insufficient validation in nfnetlink_bind
>
> Could you give a test to this patch? Thanks.
>

Initial testing looks good with this patch applied on top of 3.18.1
I will give it a spin on some more systems tomorrow.

Thanks

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: REGRESSION in nfnetlink on 3.18.x (bisected)
  2014-12-22 23:23   ` Andre Tomt
@ 2015-01-07 22:03     ` Andre Tomt
  2015-01-08 10:47       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Andre Tomt @ 2015-01-07 22:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, netdev

On 23. des. 2014 00:23, Andre Tomt wrote:
> On 22. des. 2014 12:56, Pablo Neira Ayuso wrote:
>> Could you give a test to this patch? Thanks.
>>
>
> Initial testing looks good with this patch applied on top of 3.18.1
> I will give it a spin on some more systems tomorrow.

No news is good news :-)

~10 3.18.x systems in various roles have had this fix for two weeks with 
no issues.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: REGRESSION in nfnetlink on 3.18.x (bisected)
  2015-01-07 22:03     ` Andre Tomt
@ 2015-01-08 10:47       ` Pablo Neira Ayuso
  0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-01-08 10:47 UTC (permalink / raw)
  To: Andre Tomt; +Cc: netfilter-devel, netdev

On Wed, Jan 07, 2015 at 11:03:10PM +0100, Andre Tomt wrote:
> On 23. des. 2014 00:23, Andre Tomt wrote:
> >On 22. des. 2014 12:56, Pablo Neira Ayuso wrote:
> >>Could you give a test to this patch? Thanks.
> >>
> >
> >Initial testing looks good with this patch applied on top of 3.18.1
> >I will give it a spin on some more systems tomorrow.
> 
> No news is good news :-)
> 
> ~10 3.18.x systems in various roles have had this fix for two weeks
> with no issues.

Thanks a lot for testing. I already sent the patch to David:

http://patchwork.ozlabs.org/patch/426205/

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2015-01-08 10:44 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-20 23:33 REGRESSION in nfnetlink on 3.18.x (bisected) Andre Tomt
2014-12-20 23:51 ` Andre Tomt
2014-12-22 11:56 ` Pablo Neira Ayuso
2014-12-22 23:23   ` Andre Tomt
2015-01-07 22:03     ` Andre Tomt
2015-01-08 10:47       ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).