Hi there, I am currently trying to port iptables to ARM's new Morello architecture; featuring hardware capabilities for memory protection. One of the ways Morello affords protection is by enforcing bounds on memory accesses at the hardware level. On Morello a segfault/bounds fault will occur at runtime when an illegal memory access is made... When running some of the iptables tests I am encountering some of these faults. I have not investigated if they all occur in the same spot yet, but at least 3 such occurrences in the same place are in tests: chain/0005base-delete_0 ebtables/0007-chain-policies_0 iptables/0002-verbose-output_0 Let us use ././testcases/iptables/0002-verbose-output_0 as an example here, since I see different behaviour in two different versions of iptables and libnftnl. (I had to update the package versions due to another unrelated issue that I may ask about separately). Bounds faults occur: iptables (1.8.10), libnftnl (master), libmnl (1.0.5), kernel (6.4) Bounds faults do not occur: iptables (1.8.7), libnftnl (1.2.1), libmnl (1.0.5), kernel (6.4) The segfault happens in compare_targets, when the memcmp checks the data of the two xt_entry_target structs, when the rules are parsed and checked using nft_rule_cmp: https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?h=v1.8.10#n414 The reason I see a fault in the updated iptables 1.8.10 and not 1.8.7 stems from the way the xt_entry_target structs are allocated in the different versions, in both instances inside h->ops->rule_to_cs() which calls nft_rule_to_iptables_command_state: https://git.netfilter.org/iptables/tree/iptables/nft.c?h=v1.8.10#n2390 In 1.8.7, I see that 40B is allocated correctly, with enough space to hold the data at the end of the xt_entry_target struct. The allocation for this happens in the body of nft_rule_to_iptables_command_state itself: https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?h=v1.8.7#n690 However, in 1.8.10, the allocation is performed while the expression parsing happens, earlier within the nft_rule_to_iptables_command_state function. In this instance nft_parse_immediate calls nft_create_target. The wrapped __nft_create_target is then passed a hard-coded 0B to the tgsize parameter. So in this instance no space is ever allocated for the data at the end of xt_entry_target (hence the segfault when trying to access this unallocated memory): https://git.netfilter.org/iptables/tree/iptables/nft-ruleparse.c?h=v1.8.10#n99 If someone could give me some insight on how best to patch this and pass an actual value to tgsize I would greatly appreciate it. Particularly since nft_create_target is called in numerous places, and I cannot find an obvious place where I might access the appropriate data length to pass. Many thanks, Josh
