Hi Josh,

On Fri, Jul 05, 2024 at 02:47:19PM +0100, josh lant wrote:
> I am currently trying to port iptables to ARM's new Morello
> architecture; featuring hardware capabilities for memory protection.
>
> One of the ways Morello affords protection is by enforcing bounds on
> memory accesses at the hardware level. On Morello a segfault/bounds
> fault will occur at runtime when an illegal memory access is made...
>
> When running some of the iptables tests I am encountering some of
> these faults. I have not investigated if they all occur in the same
> spot yet, but at least 3 such occurrences in the same place are in
> tests:
> chain/0005base-delete_0
> ebtables/0007-chain-policies_0
> iptables/0002-verbose-output_0
>
> Let us use ././testcases/iptables/0002-verbose-output_0 as an example
> here, since I see different behaviour in two different versions of
> iptables and libnftnl. (I had to update the package versions due to
> another unrelated issue that I may ask about separately).
>
> Bounds faults occur: iptables (1.8.10), libnftnl (master), libmnl
> (1.0.5), kernel (6.4)
> Bounds faults do not occur: iptables (1.8.7), libnftnl (1.2.1), libmnl
> (1.0.5), kernel (6.4)

Could you please try with current HEAD of iptables? I think the bug you
see was fixed by commit 2026b08bce7fe ("nft: ruleparse: Add missing
braces around ternary"). At least I don't see a problem in
testcases/iptables/0002-verbose-output_0 when testing with either
valgrind or ASAN.

Cheers, Phil