The verification of the Stable Release Update for iptables has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/2049318

Title:
  [SRU] free(): double free detected in tcache 2

Status in iptables package in Ubuntu:
  Fix Released
Status in iptables source package in Jammy:
  Fix Released

Bug description:

[ Impact ]

iptables is unable to list the iptables rules or save the iptables rules if a nftables ruleset is defined which iptables does not recognize.

[ Test Plan ]

1. Simple test plan based on upstream test case:

sudo nft -f - <<EOF
table ip filter {
  chain INPUT {
    type filter hook input priority filter
    counter packets 218 bytes 91375 accept
  }

  chain x {
    type filter hook input priority filter
  }
}
EOF

sudo iptables -L

2. A more complicated test plan

* Add an iptables rule.
  - sudo iptables -A OUTPUT -p tcp --dport 9999 -j REJECT
* save the rules in a file
  - sudo iptables-save > rules.txt
* Convert the rule to nftables ruleset
  - sudo iptables-nft-restore < rules.txt
* List the nftables ruleset
  - sudo nft list ruleset
* Also confirm that iptables can list the old rule
  - sudo iptables -L
* Now add another nftables rule (this rule is taken from upstream test case)

sudo nft -f - <<EOF
table ip filter {
  chain INPUT {
    type filter hook input priority filter
    counter packets 218 bytes 91375 accept
  }

  chain x {
    type filter hook input priority filter
  }
}
EOF

* List the nftables ruleset, which will print the old rule and the new rule
  - sudo nft list ruleset
* Try printing the old iptables rule
  - sudo iptables -L

Without the fixed packages both the tests will now abort with a double free.

$ sudo iptables -L
free(): double free detected in tcache 2
Aborted

[ Where problems could occur ]

* This is an upstream patch which is only removing an error path when nft_cache_add_chain() errors. nft_cache_add_chain() will free the chain on error, and it was then again freed in the error path.
  By removing the error path it's now fixing the double free. Since the only change is in the error path, the chances of regression are very low.

[ Other Info ]

* The regression was introduced in v1.8.7 and has been fixed via v1.8.8 so only Jammy is affected.

[ Original Bug Description ]

nftables is being used successfully with no difficulty. Running iptables on my node receives a crash:

$ sudo iptables -nL
free(): double free detected in tcache 2
Aborted (core dumped)

without sudo

# iptables -nL
free(): double free detected in tcache 2
Aborted (core dumped)

This bug is known and was fixed in version 1.8.8 of iptables
https://git.netfilter.org/iptables/commit/?id=4318961230bce82958df82b57f1796143bf2f421

1) The release of Ubuntu

$ lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04

2) The version of the package

$ apt info iptables
Package: iptables
Version: 1.8.7-1ubuntu5.1

3) What you expected to happen

not to crash with valid, working nftables rules

4) What happened instead

crash

A plausible workaround could be a backport of iptables 1.8.9 from mantic

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: iptables 1.8.7-1ubuntu5.1
ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
Uname: Linux 5.15.0-91-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Sun Jan 14 20:36:59 2024
InstallationDate: Installed on 2021-11-23 (782 days ago)
InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: iptables
UpgradeStatus: Upgraded to jammy on 2023-04-30 (259 days ago)
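
The double free described under "Where problems could occur", modelled as an added C example that is not the iptables source: a callee that frees its argument on failure, next to a caller whose error path frees it again, and the caller with that error path removed. All names and the failure condition are constructed, and a static pool with a call counter stands in for malloc()/free().

```c
#include <stddef.h>

#define MAX_CHAINS 8
#define HOOKS 4

/* Toy model (names constructed): chains live in a static pool and chain_free()
 * only counts calls, so the buggy path runs safely. With real malloc()/free()
 * a count of 2 is the double free that glibc aborts on. */
struct chain { int hook; };
struct cache { struct chain *base[HOOKS]; };
static struct chain pool[MAX_CHAINS];
static int free_calls[MAX_CHAINS], used;

static struct chain *chain_alloc(int hook) {
    if (used == MAX_CHAINS) return NULL;
    pool[used].hook = hook;
    return &pool[used++];
}
static void chain_free(struct chain *c) { free_calls[c - pool]++; }

/* Contract: on failure the callee has already freed the chain. The failure
 * condition (hook slot already taken) is constructed for this sketch. */
static int cache_add_chain(struct cache *cache, struct chain *c) {
    if (cache->base[c->hook]) { chain_free(c); return -1; }
    cache->base[c->hook] = c;
    return 0;
}
/* Before the fix: the caller's error path frees the chain a second time. */
static int add_buggy(struct cache *cache, int hook) {
    struct chain *c = chain_alloc(hook);
    if (!c) return -1;
    if (cache_add_chain(cache, c) < 0) { chain_free(c); return -1; }
    return 0;
}
/* After the fix: no caller-side error path; the callee owns the cleanup. */
static int add_fixed(struct cache *cache, int hook) {
    struct chain *c = chain_alloc(hook);
    return c ? cache_add_chain(cache, c) : -1;
}
/* Number of chain_free() calls on the most recently allocated chain. */
static int last_free_calls(void) { return free_calls[used - 1]; }

int main(void) {
    struct cache a = {0}, b = {0};
    add_buggy(&a, 0); add_buggy(&a, 0);   /* second add fails */
    int buggy = last_free_calls();        /* 2: freed twice */
    add_fixed(&b, 1); add_fixed(&b, 1);
    return (buggy == 2 && last_free_calls() == 1) ? 0 : 1;
}
```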