Bug 1758673 - Fix covscan-detected issues
Summary: Fix covscan-detected issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libnftnl
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.2
Assignee: Phil Sutter
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-10-04 19:58 UTC by Phil Sutter
Modified: 2023-02-12 23:07 UTC

Fixed In Version: libnftnl-1.1.5-4.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:06:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
scan-results (7.36 KB, text/plain), attached 2019-10-04 19:58 UTC by Phil Sutter


Links
Red Hat Issue Tracker RHELPLAN-28434 (last updated 2023-02-12 23:07:53 UTC)
Red Hat Product Errata RHEA-2020:1763 (last updated 2020-04-28 16:08:22 UTC)

Description Phil Sutter 2019-10-04 19:58:37 UTC
Created attachment 1622615: scan-results

Among quite a few false positives, covscan identified some real problems in the libnftnl rebase. Fix them upstream, then backport the series.

Comment 1 Phil Sutter 2019-10-16 23:11:21 UTC
Series accepted upstream, an important follow-up is still under review.

Accepted:

807ccaa5ffa4772f4d81fff6fb105ab6bbcb8b10
b82e1bf4ba811273341ad4fde272271782a8ada1
14156fa831e5652ec43552d0dd5c16a7de412261
0d5bb960b2f953c71fff15f88c8f0c331a1fa965
00b144bc9d093dbdd1a3690dc8e8fb90b5447f2d
ede1781101f669312ae513a83932f0c727738df9

Under review:

commit 6c317b4166b2e19df3560e30bf36fd59a0d88a68
Author: Phil Sutter <phil>
Date:   Wed Oct 16 23:22:53 2019 +0200

    obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser
    
    This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout:
    Avoid array overrun in timeout_parse_attr_data()") which fixed array out
    of bounds access but missed the logic behind it:
    
    The nested attribute type values are incremented by one when being
    transferred between kernel and userspace, the zero type value is
    reserved for "unspecified".
    
    Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the
    type values in nftnl_obj_ct_timeout_build().
    
    Return path was broken as it overstepped its nlattr array but apart from
    that worked: Type values were decremented by one in
    timeout_parse_attr_data().
    
    This patch moves the type value mangling into
    parse_timeout_attr_policy_cb() (which still overstepped nlattr array).
    Consequently, when copying values from nlattr array into ct timeout
    object in timeout_parse_attr_data(), loop is adjusted to start at index
    0 and the type value decrement is dropped there.
    
    Fixes: 0adceeab1597a ("src: add ct timeout support")
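
The off-by-one type mapping and the bounds check that the follow-up commit above describes, modelled as an added example (not libnftnl's own code); the state count, the struct nlattr layout and the function names are hypothetical stand-ins:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example modelling the ct_timeout nested-attribute handling described above;
 * not libnftnl's own code. The state count and struct layout are hypothetical. */
#define TIMEOUT_STATES 4          /* number of per-state timeouts (hypothetical) */
#define TYPE_UNSPEC    0          /* nested type 0 is reserved for "unspecified" */

struct nlattr { uint16_t type; uint32_t value; };

/* Userspace -> kernel: state index i is sent with nested type i + 1. */
size_t build_timeout_attrs(const uint32_t *timeouts, struct nlattr *out, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        out[i].type = (uint16_t)(i + 1);
        out[i].value = timeouts[i];
    }
    return n;
}

/* Kernel -> userspace, one attribute at a time (the policy callback's job).
 * The type is mapped back to an array index here, and it is checked against the
 * array length so that a type of TIMEOUT_STATES + 1 cannot overstep tb[]. */
int parse_timeout_attr(const struct nlattr *attr, uint32_t *tb, size_t tb_len)
{
    if (attr->type == TYPE_UNSPEC || attr->type > tb_len)
        return -1;                /* out of range: reject rather than overrun */
    tb[attr->type - 1] = attr->value;
    return 0;
}

/* Copy every received attribute into the timeout table; returns the number accepted. */
size_t parse_timeout_attrs(const struct nlattr *attrs, size_t n, uint32_t *tb, size_t tb_len)
{
    size_t i, accepted = 0;
    memset(tb, 0, tb_len * sizeof(*tb));
    for (i = 0; i < n; i++)
        if (parse_timeout_attr(&attrs[i], tb, tb_len) == 0)
            accepted++;
    return accepted;
}
```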

Comment 4 Phil Sutter 2020-02-14 17:04:52 UTC
Recent covscan run turned up a new problem:

If nftnl_chain_get_data() is called for NFTNL_CHAIN_DEVICES, *data_len is not assigned to. This causes garbage comparison in nftnl_chain_get_u*() getters. It should be fixed by assigning 0, so these getters consistently fail.

Comment 5 Phil Sutter 2020-02-14 17:27:18 UTC
Fix sent upstream: https://lore.kernel.org/netfilter-devel/20200214172417.11217-1-phil@nwl.cc/

Comment 6 Phil Sutter 2020-02-19 10:48:34 UTC
Upstream commit to backport:

commit 629ee38dca48651bc8c0eedf2f3a0066a6c0aa5b
Author: Phil Sutter <phil>
Date:   Fri Feb 14 18:20:29 2020 +0100

    src: Fix for reading garbage in nftnl_chain getters
    
    In {s,u}{32,64} type getters nftnl_assert() is called to make sure
    returned data length matches expectations. Therefore all attributes must
    set data_len, which NFTNL_CHAIN_DEVICES didn't.
    
    While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as
    well to make code a bit more consistent although the problem was fixed
    for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading
    garbage") already (but in the other direction).
    
    Fixes: e3ac19b5ec162 ("chain: multi-device support")
    Signed-off-by: Phil Sutter <phil>
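
The getter problem from Comment 4 and the fix described in the commit message above, modelled side by side as an added example (not libnftnl's own code); the struct chain layout, the attribute names and the function names are hypothetical stand-ins for the nftnl_chain API:

```c
#include <stdint.h>
#include <string.h>
/* Added example modelling the getter bug described above; not libnftnl's own code.
 * The struct and attribute names are hypothetical stand-ins for nftnl_chain. */
enum { CHAIN_HOOKNUM, CHAIN_DEVICES };
struct chain {
    uint32_t hooknum;
    const char **devices;   /* NULL-terminated list */
};

/* Before the fix: the DEVICES case returns a pointer but never sets *data_len,
 * so the caller's (uninitialised) length variable keeps whatever it held. */
const void *get_data_buggy(const struct chain *c, int attr, uint32_t *data_len)
{
    if (attr == CHAIN_HOOKNUM) {
        *data_len = sizeof(c->hooknum);
        return &c->hooknum;
    }
    if (attr == CHAIN_DEVICES)
        return c->devices;
    return NULL;
}

/* After the fix: every attribute sets data_len; DEVICES sets 0 so the sized
 * getter below fails consistently instead of comparing against stale bytes. */
const void *get_data_fixed(const struct chain *c, int attr, uint32_t *data_len)
{
    if (attr == CHAIN_HOOKNUM) {
        *data_len = sizeof(c->hooknum);
        return &c->hooknum;
    }
    if (attr == CHAIN_DEVICES) {
        *data_len = 0;
        return c->devices;
    }
    return NULL;
}

/* Sized getter in the style of nftnl_chain_get_u32(): checks the length before
 * reading; 'stale' models the uninitialised length local. Returns 1 on success, 0 on mismatch. */
int get_u32(const void *(*get_data)(const struct chain *, int, uint32_t *),
            const struct chain *c, int attr, uint32_t stale, uint32_t *out)
{
    uint32_t data_len = stale;
    const void *p = get_data(c, attr, &data_len);
    if (p == NULL || data_len != sizeof(uint32_t))
        return 0;
    memcpy(out, p, sizeof(*out));
    return 1;
}
```

With the buggy getter, a stale length of 4 left over in the local makes the check pass and the first bytes of the device pointer are returned as a u32; with the fix the DEVICES lookup fails regardless of what the local held.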

Comment 9 errata-xmlrpc 2020-04-28 16:06:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1763