Accepting request 678241 from home:mrostecki:branches:security:netfilter

- Add upstream patches which improve handling stale locks.
  (boo#1126094)
  * 0001-Use-flock-for-concurrent-option.patch
  * 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch

OBS-URL: https://build.opensuse.org/request/show/678241
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=57

0001-Use-flock-for-concurrent-option.patch

@@ -0,0 +1,125 @@
+From f401e3ec8358069f2407ae39ecb8b7ba1a6fbcc6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 6 Oct 2017 12:48:50 +0200
+Subject: [PATCH 1/2] Use flock() for --concurrent option
+
+The previous locking mechanism was not atomic, hence it was possible
+that a killed ebtables process would leave the lock file in place which
+in turn made future ebtables processes wait indefinitely for the lock to
+become free.
+
+Fix this by using flock(). This also simplifies code quite a bit because
+there is no need for a custom signal handler or an __exit routine
+anymore.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ ebtables.c |  8 --------
+ libebtc.c  | 49 +++++--------------------------------------------
+ 2 files changed, 5 insertions(+), 52 deletions(-)
+
+diff --git a/ebtables.c b/ebtables.c
+index 62f1ba8..f7dfccf 100644
+--- a/ebtables.c
++++ b/ebtables.c
+@@ -528,12 +528,6 @@ void ebt_early_init_once()
+ 	ebt_iterate_targets(merge_target);
+ }
+ 
+-/* signal handler, installed when the option --concurrent is specified. */
+-static void sighandler(int signum)
+-{
+-	exit(-1);
+-}
+-
+ /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
+ int do_command(int argc, char *argv[], int exec_style,
+                struct ebt_u_replace *replace_)
+@@ -1047,8 +1041,6 @@ big_iface_length:
+ 			strcpy(replace->filename, optarg);
+ 			break;
+ 		case 13 : /* concurrent */
+-			signal(SIGINT, sighandler);
+-			signal(SIGTERM, sighandler);
+ 			use_lockfd = 1;
+ 			break;
+ 		case 1 :
+diff --git a/libebtc.c b/libebtc.c
+index 17ba8f2..76dd9d7 100644
+--- a/libebtc.c
++++ b/libebtc.c
+@@ -31,6 +31,7 @@
+ #include "include/ethernetdb.h"
+ #include <unistd.h>
+ #include <fcntl.h>
++#include <sys/file.h>
+ #include <sys/wait.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -137,58 +138,18 @@ void ebt_list_extensions()
+ #define LOCKDIR "/var/lib/ebtables"
+ #define LOCKFILE LOCKDIR"/lock"
+ #endif
+-static int lockfd = -1, locked;
+ int use_lockfd;
+ /* Returns 0 on success, -1 when the file is locked by another process
+  * or -2 on any other error. */
+ static int lock_file()
+ {
+-	int try = 0;
+-	int ret = 0;
+-	sigset_t sigset;
+-
+-tryagain:
+-	/* the SIGINT handler will call unlock_file. To make sure the state
+-	 * of the variable locked is correct, we need to temporarily mask the
+-	 * SIGINT interrupt. */
+-	sigemptyset(&sigset);
+-	sigaddset(&sigset, SIGINT);
+-	sigprocmask(SIG_BLOCK, &sigset, NULL);
+-	lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
+-	if (lockfd < 0) {
+-		if (errno == EEXIST)
+-			ret = -1;
+-		else if (try == 1)
+-			ret = -2;
+-		else {
+-			if (mkdir(LOCKDIR, 00700))
+-				ret = -2;
+-			else {
+-				try = 1;
+-				goto tryagain;
+-			}
+-		}
+-	} else {
+-		close(lockfd);
+-		locked = 1;
+-	}
+-	sigprocmask(SIG_UNBLOCK, &sigset, NULL);
+-	return ret;
+-}
++	int fd = open(LOCKFILE, O_CREAT, 00600);
+ 
+-void unlock_file()
+-{
+-	if (locked) {
+-		remove(LOCKFILE);
+-		locked = 0;
+-	}
++	if (fd < 0)
++		return -2;
++	return flock(fd, LOCK_EX);
+ }
+ 
+-void __attribute__ ((destructor)) onexit()
+-{
+-	if (use_lockfd)
+-		unlock_file();
+-}
+ /* Get the table from the kernel or from a binary file
+  * init: 1 = ask the kernel for the initial contents of a table, i.e. the
+  *           way it looks when the table is insmod'ed
+-- 
+2.20.1
+

0002-Fix-locking-if-LOCKDIR-does-not-exist.patch

@@ -0,0 +1,45 @@
+From 8d9665967e3ea039d720cbf80c26240f1ec1a795 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 15 Jan 2018 16:27:31 +0100
+Subject: [PATCH 2/2] Fix locking if LOCKDIR does not exist
+
+The previous conversion to using flock() missed a crucial bit of code
+which tries to create LOCKDIR once in case opening the lock failed -
+This patch reestablishes the old behaviour.
+
+Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
+Fixes: 6a826591878db ("Use flock() for --concurrent option")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ libebtc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libebtc.c b/libebtc.c
+index 76dd9d7..7349b27 100644
+--- a/libebtc.c
++++ b/libebtc.c
+@@ -143,10 +143,16 @@ int use_lockfd;
+  * or -2 on any other error. */
+ static int lock_file()
+ {
+-	int fd = open(LOCKFILE, O_CREAT, 00600);
+-
+-	if (fd < 0)
+-		return -2;
++	int fd, try = 0;
++
++retry:
++	fd = open(LOCKFILE, O_CREAT, 00600);
++	if (fd < 0) {
++		if (try == 1 || mkdir(LOCKDIR, 00700))
++			return -2;
++		try = 1;
++		goto retry;
++	}
+ 	return flock(fd, LOCK_EX);
+ }
+ 
+-- 
+2.20.1
+

ebtables.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Feb 22 14:04:30 UTC 2019 - Michał Rostecki <mrostecki@opensuse.org>
+
+- Add upstream patches which improve handling stale locks.
+  (boo#1126094)
+  * 0001-Use-flock-for-concurrent-option.patch
+  * 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
+
 -------------------------------------------------------------------
 Fri Aug 24 10:20:05 UTC 2018 - jengelh@inai.de
 

ebtables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ebtables
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -40,6 +40,9 @@ Patch2:         ebtables-v2.0.10-4-audit.patch
 Patch3:         0001-fix-compilation-warning.patch
 # PATCH-FIX-SUSE-ONLY
 Patch4:         include-linux-if.patch
+# PATCH-FIX-UPSTREAM boo#1126094
+Patch5:         0001-Use-flock-for-concurrent-option.patch
+Patch6:         0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
 BuildRequires:  linux-glibc-devel >= 2.6.20
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
@@ -64,6 +67,8 @@ iptables. There are no incompatibility issues.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 # delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h
 mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save}
 mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save}