Debian Bug report logs - #332231
CAN-2005-2873: ipt_recent bug: stops working after a 250 days uptime


Package: kernel-source-2.6.8; Maintainer for kernel-source-2.6.8 is (unknown);

Reported by: Ludovic Drolez <ldrolez@debian.org>

Date: Wed, 5 Oct 2005 08:48:02 UTC

Severity: important

Tags: security, upstream

Found in version kernel-source-2.6.8/2.6.8-16

Done: Martin Michlmayr <tbm@cyrius.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
New Bug report received and forwarded. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Ludovic Drolez <ldrolez@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-source-2.6.8: ipt_recent bug: stops working after a 25 days uptime
Date: Wed, 05 Oct 2005 10:36:20 +0200
Package: kernel-source-2.6.8
Version: 2.6.8-16
Severity: important
Tags: patch


After 25 days, the jiffies overflow and ipt_recent does not work anymore.

If ipt_recent is used with a '-j DROP' rule then blacklisted IPs are blacklisted
forever, ignoring the --seconds option, so that you could be kicked out of
your server.

The only way to fix the problem is to reboot the server :-(

For more info on this problem please see this 2.6.x report (and patch):

http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2587

Cheers,

  Ludovic.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-6     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-7    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information
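As an added illustration, not part of this bug report or of ipt_recent's own code: a constructed model of the expiry test behind --seconds, showing why a check that compares raw jiffies values stops expiring entries once the 32-bit counter wraps, next to the wrap-safe signed-difference form that the kernel's time_after() uses. At HZ=1000 a 32-bit jiffies counter crosses the signed 2^31 boundary after about 24.8 days and wraps after about 49.7 days (ten times that at the HZ=100 of 2.4); the model below wraps at 2^32, the exact boundary the 2.6.8 module tripped over is not shown on this page, and the timestamps and 60 s window are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a "seen within the last N seconds" test such as
 * ipt_recent's --seconds check. Not the module's code: it only shows why
 * comparing raw jiffies values breaks once the counter wraps. */
#define HZ 1000U                 /* ticks per second, 2.6 x86 default */
typedef uint32_t jiffies_t;      /* 32-bit jiffies as on i386 */

/* Naive expiry test: has 'now' passed last_seen + window? After 'now' has
 * wrapped back to a small value, an entry stamped shortly before the wrap
 * is never expired again until 'now' has climbed past it (about 49 days). */
static bool expired_naive(jiffies_t last_seen, jiffies_t now, unsigned seconds)
{
    jiffies_t deadline = (jiffies_t)(last_seen + seconds * HZ);
    return now > deadline;
}

/* Wrap-safe test in the style of the kernel's time_after(): take the
 * difference in modular unsigned arithmetic, then read it as signed, so
 * "a little after, even across the wrap" is a small positive number. */
static bool expired_wrapsafe(jiffies_t last_seen, jiffies_t now, unsigned seconds)
{
    return (int32_t)(now - last_seen) > (int32_t)(seconds * HZ);
}

int main(void)
{
    /* Constructed timeline: the address was last seen 100 s before the
     * 32-bit counter wrapped and the rule is evaluated 50 s after the wrap.
     * 150 s have elapsed, so a 60 s window should long have expired. */
    const jiffies_t last_seen = (jiffies_t)(UINT32_MAX - 100U * HZ + 1U);
    const jiffies_t now = 50U * HZ;
    const unsigned window = 60;

    printf("naive    : %s\n",
           expired_naive(last_seen, now, window) ? "expired" : "still blocked");
    printf("wrap-safe: %s\n",
           expired_wrapsafe(last_seen, now, window) ? "expired" : "still blocked");
    return 0;
}
```

With a -j DROP rule the naive form is exactly the "blacklisted forever" symptom: the entry stays within its window from the module's point of view until the counter catches up.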



Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Horms <horms@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #10 received at 332231@bugs.debian.org:

From: Horms <horms@debian.org>
To: Ludovic Drolez <ldrolez@debian.org>, 332228@bugs.debian.org, 332231@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#332228: kernel-source-2.4.27: ipt_recent bug: stops working after a 250 days uptime
Date: Thu, 6 Oct 2005 10:39:50 +0900
Hi,

This is CAN-2005-2873

I have talked with upstream, and Juergen Kreidleder who originally
discovered this bug, about this problem. Unfortunately there is no patch
that fixes this problem that upstream is comfortable with, so I would rather
leave the problem. Actually, upstream's position is that the module
should be rewritten. On examination of the code I agree. I did start on
that, but I don't have anything useful yet.

-- 
Horms



Tags added: security. Request was from Horms <horms@debian.org> to control@bugs.debian.org.

Tags added: upstream. Request was from Horms <horms@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from Horms <horms@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Horms <horms@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #21 received at 332231@bugs.debian.org:

From: Horms <horms@debian.org>
To: control@bugs.debian.org
Cc: 332231@bugs.debian.org
Subject: CAN-2005-2873
Date: Fri, 7 Oct 2005 18:25:52 +0900
tag 332231 -patch
thanks

This patch has been rejected by upstream



Tags removed: patch. Request was from Horms <horms@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Horms <horms@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #28 received at 332231@bugs.debian.org:

From: Horms <horms@debian.org>
To: Rainer Schöpf <ftpmaint@dante.de>, 333350-done@bugs.debian.org
Cc: 332231@bugs.debian.org
Subject: Re: Bug#333350: ipt_recent kernel module suffers from jiffies rollover
Date: Wed, 12 Oct 2005 11:12:58 +0900
On Tue, Oct 11, 2005 at 03:46:03PM +0200, Rainer Schöpf wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Version: 2.6.8-16
> Severity: serious
> 
> The ipt_recent kernel module suffers from a wraparound of the jiffies
> counter. The problem is described by the module author on
> 
>   http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
> 
> Since the correction didn't make it into the official kernel sources,
> I would be very grateful if the debian kernels could pick up the change.

Unfortunately the patch didn't make it upstream because it is not correct.

This bug (333350) is actually a duplicate of 332231. I am forwarding your
information to that bug and closing this one.

Thanks

> For reference:
> 
> I use the ipt_recent kernel module to protect against ssh attacks,
> with the following rules:
> 
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
> 
> After several weeks, ssh logins fail if they come from an IP address not
> yet known to the ipt_recent module.  Reboot helps.
> 
>  Rainer Schoepf

-- 
Horms



Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Philipp Kolmann <philipp@kolmann.at>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #33 received at 332231@bugs.debian.org:

From: Philipp Kolmann <philipp@kolmann.at>
To: 332231@bugs.debian.org, 332228@bugs.debian.org
Subject: New ipt_recent module released; please backport
Date: Thu, 6 Jul 2006 20:20:15 +0200
Hi,

Patrick McHardy rewrote the ipt_recent module and the new module code got
accepted for 2.6.18-rc1.

Would it be possible to backport it for 2.6.8?

attached is the new module code.

thanks
Philipp


-- 
A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?"
Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked
a bit off."
[ipt_recent.c (text/x-csrc, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to maximilian attems <maks@sternwelten.at>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #38 received at 332231@bugs.debian.org:

From: maximilian attems <maks@sternwelten.at>
To: Philipp Kolmann <philipp@kolmann.at>, 332228@bugs.debian.org
Cc: 332231@bugs.debian.org
Subject: Re: Bug#332228: New ipt_recent module released; please backport
Date: Tue, 11 Jul 2006 18:59:21 +0200
On Thu, 06 Jul 2006, Philipp Kolmann wrote:

> Hi,
> 
> Patrick McHardy rewrote the ipt_recent module and the new module code got
> accepted for 2.6.18-rc1.

we know.
 
> Would it be possible to backport it for 2.6.8?

feel free to do,
we will backport it for 2.6.17 etch.
 
> attached is the new module code.
> 
> thanks
> Philipp
> 

regards

-- 
maks



Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#332231; Package kernel-source-2.6.8.

Acknowledgement sent to Martin Wilck <mwilck@arcor.de>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.

Message #43 received at 332231@bugs.debian.org:

From: Martin Wilck <mwilck@arcor.de>
To: 332231@bugs.debian.org
Subject: Backport of ipt_recent.c
Date: Thu, 22 Feb 2007 23:07:45 +0100
Hi,

I ran into the same problem and made a backport of ipt_recent.c for
Sarge's 2.6.8. It was actually pretty simple to backport.  Attached is
the diff against the ipt_recent.c source file from Philipp's comment of
6 Jul 2006.

The backported module is already running in one of my systems. Works as
expected so far.

I'll be grateful for any feedback.

Martin


[ipt_recent_mw.diff (text/plain, inline)]
--- ipt_recent.c	2007-02-20 21:57:51.000000000 +0100
+++ kernel-source-2.6.8/net/ipv4/netfilter/ipt_recent.c	2007-02-22 22:02:11.118926120 +0100
@@ -68,8 +68,8 @@ struct recent_table {
 };
 
 static LIST_HEAD(tables);
-static DEFINE_SPINLOCK(recent_lock);
-static DEFINE_MUTEX(recent_mutex);
+static spinlock_t recent_lock = SPIN_LOCK_UNLOCKED;
+static DECLARE_MUTEX(recent_mutex);
 
 #ifdef CONFIG_PROC_FS
 static struct proc_dir_entry	*proc_dir;
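Review bot: worth a one-line comment here that `DECLARE_MUTEX()` on 2.6.8 creates a counting semaphore initialised to 1 rather than a `struct mutex`, which is why the later hunks substitute `down()`/`up()` for `mutex_lock()`/`mutex_unlock()`; the exclusion semantics are the same for this use, and `SPIN_LOCK_UNLOCKED` is the correct static initialiser for that kernel.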
@@ -166,8 +166,8 @@ static void recent_table_flush(struct re
 static int
 ipt_recent_match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
-		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 const void *matchinfo,
+		 int offset, int *hotdrop)
 {
 	const struct ipt_recent_info *info = matchinfo;
 	struct recent_table *t;
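Review bot: the new `ipt_recent_match` signature drops the `match` and `protoff` parameters, but the function body is outside this hunk; please confirm that the body taken from the 2.6.18 module does not reference `protoff` or `match` anywhere, since the 2.6.8 hook does not pass them and the backport would otherwise fail to compile.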
@@ -233,13 +233,14 @@ out:
 }
 
 static int
-ipt_recent_checkentry(const char *tablename, const void *ip,
-		      const struct xt_match *match, void *matchinfo,
+ipt_recent_checkentry(const char *tablename, const struct ipt_ip *ip,
+		      void *matchinfo,
 		      unsigned int matchsize, unsigned int hook_mask)
 {
 	const struct ipt_recent_info *info = matchinfo;
 	struct recent_table *t;
 	unsigned i;
+	unsigned tlen = sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size;
 	int ret = 0;
 
 	if (hweight8(info->check_set &
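Review bot: the last hunk of this diff removes `.matchsize` from `recent_match`, so on 2.6.8 nothing validates the size of the match data before `info` is dereferenced; `ipt_recent_checkentry` should check its `matchsize` argument itself at the top of the function, as other 2.6.8 matches do, e.g. `if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0;`, and neither this hunk nor the next adds such a check.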
@@ -253,7 +254,7 @@ ipt_recent_checkentry(const char *tablen
 	    strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
 		return 0;
 
-	mutex_lock(&recent_mutex);
+	down(&recent_mutex);
 	t = recent_table_lookup(info->name);
 	if (t != NULL) {
 		t->refcnt++;
@@ -261,10 +262,10 @@ ipt_recent_checkentry(const char *tablen
 		goto out;
 	}
 
-	t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
-		    GFP_KERNEL);
+	t = kmalloc(tlen, GFP_KERNEL);
 	if (t == NULL)
 		goto out;
+	memset(t, 0, tlen);
 	t->refcnt = 1;
 	strcpy(t->name, info->name);
 	INIT_LIST_HEAD(&t->lru_list);
@@ -284,18 +285,18 @@ ipt_recent_checkentry(const char *tablen
 	spin_unlock_bh(&recent_lock);
 	ret = 1;
 out:
-	mutex_unlock(&recent_mutex);
+	up(&recent_mutex);
 	return ret;
 }
 
 static void
-ipt_recent_destroy(const struct xt_match *match, void *matchinfo,
+ipt_recent_destroy(void *matchinfo,
 		   unsigned int matchsize)
 {
 	const struct ipt_recent_info *info = matchinfo;
 	struct recent_table *t;
 
-	mutex_lock(&recent_mutex);
+	down(&recent_mutex);
 	t = recent_table_lookup(info->name);
 	if (--t->refcnt == 0) {
 		spin_lock_bh(&recent_lock);
@@ -307,7 +308,7 @@ ipt_recent_destroy(const struct xt_match
 #endif
 		kfree(t);
 	}
-	mutex_unlock(&recent_mutex);
+	up(&recent_mutex);
 }
 
 #ifdef CONFIG_PROC_FS
@@ -383,9 +384,10 @@ static int recent_seq_open(struct inode 
 	struct recent_iter_state *st;
 	int ret;
 
-	st = kzalloc(sizeof(*st), GFP_KERNEL);
+	st = kmalloc(sizeof(*st), GFP_KERNEL);
 	if (st == NULL)
 		return -ENOMEM;
+	memset(st, 0, sizeof(*st));
 	ret = seq_open(file, &recent_seq_ops);
 	if (ret)
 		kfree(st);
@@ -462,7 +464,6 @@ static struct file_operations recent_fop
 static struct ipt_match recent_match = {
 	.name		= "recent",
 	.match		= ipt_recent_match,
-	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
 	.destroy	= ipt_recent_destroy,
 	.me		= THIS_MODULE,

Reply sent to Martin Michlmayr <tbm@cyrius.com>:
You have taken responsibility. (Fri, 14 Nov 2008 18:00:12 GMT)

Notification sent to Ludovic Drolez <ldrolez@debian.org>:
Bug acknowledged by developer. (Fri, 14 Nov 2008 18:00:13 GMT)

Message #48 received at 332231-done@bugs.debian.org:

From: Martin Michlmayr <tbm@cyrius.com>
To: 332231-done@bugs.debian.org
Subject: 2.6.8 kernel removed from Debian
Date: Fri, 14 Nov 2008 18:58:20 +0100
The 2.6.8 kernel is no longer supported by Debian so I'm closing
your bug report.  Please try the 2.6.26 kernel from Debian lenny.
If this issue is still present, let me know.

Thanks.

-- 
Martin Michlmayr
http://www.cyrius.com/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Dec 2008 07:32:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:58:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.