Hi Florian, Pablo,

After the recent netfilter pull, syzkaller in compat mode started failing with:

    getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)

I think this is caused by:

    commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd
    Author: Florian Westphal <fw@xxxxxxxxx>
    Date:   Tue Feb 27 19:42:35 2018 +0100

        netfilter: compat: reject huge allocation requests

But I don't know if it's a problem with the kernel or with our code (it used to work before that commit, but this was the first netfilter code that I ever wrote).

Our code is here:
https://github.com/google/syzkaller/blob/676bd07e7e80f8a270af7f0276443c68f4a99e25/executor/common_linux.h#L1666

The idea behind checkpoint_ebtables() and reset_ebtables() is to reset ebtables to the initial state after each test (unfortunately, creating new net namespaces is too damn expensive). It does EBT_SO_GET_INIT_INFO and then EBT_SO_GET_INIT_ENTRIES to memorize the initial state. And EBT_SO_GET_INIT_ENTRIES started failing. It fails on the first filter table; here is the debug output:

    checkpoint ebtable filter: entries=0 hooks=e size=144
    getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)

I've added some debug output to the kernel and I see that it's xt_compat_init_offsets() that fails with EINVAL. What looks strange to me is that EBT_SO_GET_INIT_INFO returns nentries==0 (while size==144).

Any insight will be appreciated. Is it something to fix in our code?

Also, what's the difference between EBT_SO_GET_INFO/ENTRIES and EBT_SO_GET_INIT_INFO/ENTRIES? I guessed from the name that INIT is what we want to use if we want to memorize the initial state. Is it correct?

Thanks
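
The two-call sequence the message describes (EBT_SO_GET_INIT_INFO, then EBT_SO_GET_INIT_ENTRIES), written out as an added example; it is not part of the original message and not syzkaller's code. The function names `ebt_entries_optlen` and `ebt_checkpoint_table` are hypothetical, and the code assumes the Linux UAPI headers are installed and the caller holds CAP_NET_ADMIN.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_bridge/ebtables.h>

/* optlen for the second call: header plus entries blob, no counters requested. */
static socklen_t ebt_entries_optlen(const struct ebt_replace *r)
{
	return (socklen_t)(sizeof(*r) + r->entries_size);
}

/* Saves one table's initial state into *info. Returns 0 or -errno.
 * fd is any AF_INET socket; on success the caller frees info->entries. */
static int ebt_checkpoint_table(int fd, const char *name, struct ebt_replace *info)
{
	socklen_t optlen = sizeof(*info);

	memset(info, 0, sizeof(*info));
	strncpy(info->name, name, sizeof(info->name) - 1);
	/* Step 1: fetch nentries, entries_size and valid_hooks only. */
	if (getsockopt(fd, IPPROTO_IP, EBT_SO_GET_INIT_INFO, info, &optlen))
		return -errno;
	/* Step 2: fetch the entries blob into a buffer of entries_size bytes. */
	info->entries = calloc(1, info->entries_size ? info->entries_size : 1);
	if (!info->entries)
		return -ENOMEM;
	info->num_counters = 0;
	optlen = ebt_entries_optlen(info);
	if (getsockopt(fd, IPPROTO_IP, EBT_SO_GET_INIT_ENTRIES, info, &optlen)) {
		int err = errno; /* the report above gets EINVAL (22) at this call */
		free(info->entries);
		info->entries = NULL;
		return -err;
	}
	return 0;
}

int main(void)
{
	struct ebt_replace info;
	int err = ebt_checkpoint_table(socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), "filter", &info);
	printf("checkpoint ebtable filter: err=%d entries=%u hooks=%x size=%u\n",
	       err, info.nentries, info.valid_hooks, info.entries_size);
	free(info.entries);
	return err != 0;
}
```

Building it as a 32-bit binary (for example with `-m32`) and running it on a 64-bit kernel exercises the compat path the report refers to.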