Bug 1994141

Summary: assertion on python3-nftables after it passes nft.json_validate
Product: Red Hat Enterprise Linux 8    Reporter: Paulo Andrade <pandrade>
Component: nftables    Assignee: Phil Sutter <psutter>
Status: CLOSED ERRATA    QA Contact: qe-baseos-daemons
Severity: medium    Docs Contact:
Priority: unspecified
Version: 8.4    CC: egarver, psutter, todoleza
Target Milestone: beta    Keywords: Triaged, Upstream
Target Release: ---    Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nftables-0.9.3-22.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 15:17:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2006093    

Description Paulo Andrade 2021-08-16 20:45:51 UTC
User ran the example at

https://github.com/aborrero/python-nftables-tutorial/blob/main/nft-load-example-ruleset.py

but the call aborts with the output:

INFO: running json cmd: {'nftables': [{'flush': {'ruleset': None}}, {'add': {'table': {'family': 'inet', 'name': 'mytable'}}}, {'add': {'chain': {'family': 'inet', 'table': 'mytable', 'chain': 'mychain'}}}, {'add': {'rule': {'family': 'inet', 'table': 'mytable', 'chain': 'mychain', 'expr': [{'match': {'left': {'payload': {'protocol': 'tcp', 'field': 'dport'}}, 'right': 22}}, {'accept': None}]}}}]}
BUG: invalid input descriptor type 1435367392
python3: erec.c:117: erec_print: Assertion `0' failed.

  From gdb we see:

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	  return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff665bb25 in __GI_abort () at abort.c:79
#2  0x00007ffff665b9f9 in __assert_fail_base (fmt=0x7ffff67c1c28 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff565d1c5 "0", file=0x7ffff565d1ee "erec.c", line=117, function=<optimized out>) at assert.c:92
#3  0x00007ffff6669cc6 in __GI___assert_fail (assertion=assertion@entry=0x7ffff565d1c5 "0", file=file@entry=0x7ffff565d1ee "erec.c", line=line@entry=117, function=function@entry=0x7ffff565d2d8 <__PRETTY_FUNCTION__.12288> "erec_print")
    at assert.c:101
#4  0x00007ffff562e91b in erec_print (octx=octx@entry=0x5555557b0ac0, erec=erec@entry=0x5555558df7e0, debug_mask=debug_mask@entry=0) at erec.c:117
#5  0x00007ffff562e989 in erec_print_list (octx=octx@entry=0x5555557b0ac0, list=list@entry=0x7fffffffd0a0, debug_mask=0) at erec.c:190
#6  0x00007ffff56343cc in nft_run_cmd_from_buffer (nft=0x5555557b0aa0, buf=<optimized out>) at libnftables.c:461
...
(gdb) f 4
#4  0x00007ffff562e91b in erec_print (octx=octx@entry=0x5555557b0ac0, erec=erec@entry=0x5555558df7e0, debug_mask=debug_mask@entry=0) at erec.c:117
117			BUG("invalid input descriptor type %u\n", indesc->type);
(gdb) set print pretty on
(gdb) p *erec
$1 = {
  list = {
    next = 0x12345678, 
    prev = 0x87654321
  }, 
  type = EREC_ERROR, 
  num_locations = 1, 
  locations = {{
      indesc = 0x7fffffffcff0, 
      {
        {
          token_offset = 0, 
          line_offset = 0, 
          first_line = 1, 
          last_line = 1, 
          first_column = 4, 
          last_column = 4
        }, 
        {
          nle = 0x0
        }
      }
    }, {
      indesc = 0x7ffff7e2d150, 
      {
        {
          token_offset = -162492999864514345, 
          line_offset = 140737352233328, 
          first_line = 4158837136, 
          last_line = 32767, 
          first_column = 2661444742, 
          last_column = 315850313
        }, 
        {
          nle = 0xfdbeb57a409688d7
        }
      }
    }, {
      indesc = 0x7ffff7e2f1b0, 
      {
        {
          token_offset = 140737346724160, 
          line_offset = -3365638462354366012, 
          first_line = 4158870848, 
          last_line = 32767, 
          first_column = 4079197856, 
          last_column = 32767
        }, 
        {
          nle = 0x7ffff78ee140
        }
      }
    }}, 
  msg = 0x555555898810 "Object item not found: name"
}

  So, it looks like it should first check if 'erec' is of type 'EREC_ERROR', and if
that is the case, likely not check 'indesc' but print the error and exit. That is,
instead of the above output, it should likely have printed:

"""
INFO: running json cmd: {'nftables': [{'flush': {'ruleset': None}}, {'add': {'table': {'family': 'inet', 'name': 'mytable'}}}, {'add': {'chain': {'family': 'inet', 'table': 'mytable', 'chain': 'mychain'}}}, {'add': {'rule': {'family': 'inet', 'table': 'mytable', 'chain': 'mychain', 'expr': [{'match': {'left': {'payload': {'protocol': 'tcp', 'field': 'dport'}}, 'right': 22}}, {'accept': None}]}}}]}
Error: Object item not found: name
"""

and exited, instead of the misleading type error message and the abort.

Comment 1 Eric Garver 2021-08-16 21:02:03 UTC
Quite probably fixed by this upstream commit:

commit 2f89bc258e6e06ec4eeccc9efa52f01b4118e359
Refs: v0.9.8-25-g2f89bc258e6e
Author:     Phil Sutter <phil>
AuthorDate: Tue Jan 26 18:52:15 2021 +0100
Commit:     Phil Sutter <phil>
CommitDate: Tue Feb 9 17:00:09 2021 +0100

    erec: Sanitize erec location indesc

    erec_print() unconditionally dereferences erec->locations->indesc, so
    make sure it is valid when either creating an erec or adding a location.

    Signed-off-by: Phil Sutter <phil>

Comment 2 Paulo Andrade 2021-08-17 12:42:02 UTC
(In reply to Eric Garver from comment #1)
> Quite probably fixed by this upstream commit:
> 
> commit 2f89bc258e6e06ec4eeccc9efa52f01b4118e359
> Refs: v0.9.8-25-g2f89bc258e6e
> Author:     Phil Sutter <phil>
> AuthorDate: Tue Jan 26 18:52:15 2021 +0100
> Commit:     Phil Sutter <phil>
> CommitDate: Tue Feb 9 17:00:09 2021 +0100
> 
>     erec: Sanitize erec location indesc
> 
>     erec_print() unconditionally dereferences erec->locations->indesc, so
>     make sure it is valid when either creating an erec or adding a location.
> 
>     Signed-off-by: Phil Sutter <phil>

  Does not work. Might need extra intermediate patches.

Comment 3 Phil Sutter 2021-09-01 15:20:25 UTC
Fix sent upstream: https://lore.kernel.org/netfilter-devel/20210901145819.22567-1-phil@nwl.cc/
It applies to RHEL8 and fixes the issue.

Thanks for the nice report, Paulo!

Comment 4 Phil Sutter 2021-09-01 15:23:38 UTC
Upstream commit to backport:

commit 9fe5d1bc18cfaed2ecf717e3dd9a97ff5b0e183c
Author: Phil Sutter <phil>
Date:   Wed Sep 1 16:41:44 2021 +0200

    parser_json: Fix error reporting for invalid syntax
    
    Errors emitted by the JSON parser caused BUG() in erec_print() due to
    input descriptor values being bogus.
    
    Due to lack of 'include' support, JSON parser uses a single input
    descriptor only and it lived inside the json_ctx object on stack of
    nft_parse_json_*() functions.
    
    By the time errors are printed though, that scope is not valid anymore.
    Move the static input descriptor object to avoid this.
    
    Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
    Signed-off-by: Phil Sutter <phil>
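
The mechanism described in the report (check the error record before dereferencing its input descriptor) and in the commit message above (the JSON parser's descriptor lived in a stack frame that was gone by the time the error was printed), as an added illustration in C that is not nftables' code: the descriptor is given static storage so it outlives the parse, and the printer validates the descriptor and degrades to a message without location instead of hitting BUG(). The struct and enum names (input_descriptor, error_record, INDESC_*, parse_json_ruleset) are simplified assumptions, and the JSON sample and its failure rule are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of nftables' input descriptor / error record types.
 * Names and layout are assumptions for this example, not the project's. */
enum input_descriptor_types {
    INDESC_INVALID = 0,   /* zero-initialised or never set */
    INDESC_BUFFER,
    INDESC_FILE,
    INDESC_NETLINK,
    INDESC_MAX,
};

struct input_descriptor {
    enum input_descriptor_types type;
    const char *name;
};

struct location {
    const struct input_descriptor *indesc;
    unsigned int first_line;
    unsigned int first_column;
};

struct error_record {
    struct location loc;
    char msg[128];
};

/* The upstream fix in miniature: the JSON parser's single descriptor must
 * outlive the parse call, because error records are printed only after the
 * parser has returned. A descriptor kept in the parser's stack frame leaves
 * erec->loc.indesc pointing at dead stack memory, which is where a bogus
 * type such as 1435367392 comes from. Static storage gives it a sufficient
 * lifetime. */
static struct input_descriptor json_indesc = {
    .type = INDESC_BUFFER,
    .name = "json",
};

/* Stand-in for the JSON parser (constructed failure rule: a ruleset without
 * a "name" item is rejected). Returns 0 on success, -1 with a populated
 * error record on failure. */
static int parse_json_ruleset(const char *json, struct error_record *erec)
{
    if (strstr(json, "\"name\"") != NULL)
        return 0;

    memset(erec, 0, sizeof(*erec));
    erec->loc.indesc = &json_indesc;   /* long-lived, never a stack address */
    erec->loc.first_line = 1;
    erec->loc.first_column = 4;
    snprintf(erec->msg, sizeof(erec->msg), "Object item not found: name");
    return -1;
}

/* Defensive printer: validate the descriptor before dereferencing it and
 * fall back to a message without location instead of BUG()/abort().
 * Renders into out; returns 0 when the location was usable, 1 when not. */
static int erec_print(const struct error_record *erec, char *out, size_t outlen)
{
    const struct input_descriptor *indesc = erec->loc.indesc;
    const char *source;

    if (indesc == NULL || indesc->type == INDESC_INVALID ||
        indesc->type >= INDESC_MAX) {
        snprintf(out, outlen, "Error: %s (location unavailable)", erec->msg);
        return 1;
    }

    switch (indesc->type) {
    case INDESC_FILE:
        source = indesc->name ? indesc->name : "file";
        break;
    case INDESC_NETLINK:
        source = "netlink";
        break;
    default:
        source = "buffer";
        break;
    }
    snprintf(out, outlen, "%s:%u:%u: Error: %s", source,
             erec->loc.first_line, erec->loc.first_column, erec->msg);
    return 0;
}

int main(void)
{
    struct error_record erec;
    char buf[256];

    /* Constructed sample mirroring the report: the ruleset refers to an
     * object item that does not exist. */
    if (parse_json_ruleset("{\"add\": {\"table\": {\"family\": \"inet\"}}}",
                           &erec) < 0) {
        erec_print(&erec, buf, sizeof(buf));
        puts(buf);   /* buffer:1:4: Error: Object item not found: name */
    }
    return 0;
}
```

The two measures are independent: static storage removes the dangling pointer, and the range check in erec_print turns any remaining corrupt descriptor into a reported error rather than an assertion failure in a library linked into someone else's process (here the Python interpreter).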

Comment 17 errata-xmlrpc 2022-05-10 15:17:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nftables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2004