eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | | High | Tyler Hicks |
Eoan | | High | Tyler Hicks |
Bug Description
[Impact]
An unprivileged local attacker could cause a denial of service, or possibly execute arbitrary code due to an ipv6 regression.
[Test Case]
An unpatched system will crash with the following command:
$ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_
[Regression Potential]
Low. The change could theoretically introduce a memory leak but that would still be an improvement over immediate loss of system availability.
[Original Description]
Having recently upgraded to Eoan Ermine from Disco Dingo, my previously rock-solid wireguard now locks the system up shortly after I take the connection down with wg-quick down wg0.
Package:
wireguard:
Installed: 0.0.20190913-
Candidate: 0.0.20190913-
Version table:
*** 0.0.20190913-
500 http://
500 http://
100 /var/lib/
Kernel:
5.3.0-13-generic
Snipped from /var/log/syslog:
kernel: [ 776.930804] BUG: unable to handle page fault for address: 0000000000001070
kernel: [ 776.930807] #PF: supervisor read access in kernel mode
kernel: [ 776.930808] #PF: error_code(0x0000) - not-present page
kernel: [ 776.930809] PGD 0 P4D 0
kernel: [ 776.930811] Oops: 0000 [#1] SMP NOPTI
kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu
kernel: [ 776.930813] Hardware name: Dell Inc. XPS 13 9380/0KTW76, BIOS 1.7.0 08/05/2019
kernel: [ 776.930817] RIP: 0010:ip6_
kernel: [ 776.930819] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
kernel: [ 776.930820] RSP: 0018:ffffbeb841
kernel: [ 776.930821] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
kernel: [ 776.930822] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
kernel: [ 776.930823] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
kernel: [ 776.930823] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
kernel: [ 776.930824] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
kernel: [ 776.930825] FS: 00007fbcd8a8270
kernel: [ 776.930826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [ 776.930827] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
kernel: [ 776.930828] Call Trace:
kernel: [ 776.930832] ip6_datagram_
kernel: [ 776.930835] ? _raw_read_
kernel: [ 776.930837] __ip6_datagram_
kernel: [ 776.930839] ip6_datagram_
kernel: [ 776.930841] inet_dgram_
kernel: [ 776.930843] __sys_connect+
kernel: [ 776.930846] ? do_fcntl+0xe4/0x550
kernel: [ 776.930848] ? fput+0x13/0x15
kernel: [ 776.930849] __x64_sys_
kernel: [ 776.930852] do_syscall_
kernel: [ 776.930854] entry_SYSCALL_
kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb
kernel: [ 776.930856] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 ab fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 e1 fa ff ff 8b 44
kernel: [ 776.930857] RSP: 002b:00007fbcd8
kernel: [ 776.930859] RAX: ffffffffffffffda RBX: 00000000ffffff94 RCX: 00007fbcde6324eb
kernel: [ 776.930859] RDX: 000000000000001c RSI: 00007fbcd8a7ecf0 RDI: 0000000000000022
kernel: [ 776.930860] RBP: 00007fbcd8a7edb0 R08: 0000000000000000 R09: 00007fbcd8a7edf8
kernel: [ 776.930861] R10: 00007fbcd8a7edf0 R11: 0000000000000293 R12: 0000250e77c19710
kernel: [ 776.930862] R13: 0000250e77c19900 R14: 00007fbcd8a7edc8 R15: 00007fbcd8a7edc8
kernel: [ 776.930863] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel ccm rfcomm uhid algif_hash algif_skcipher af_alg cmac bnep sof_pci_dev snd_sof_
kernel: [ 776.930888] wmi_bmof cfg80211 videobuf2_common intel_wmi_
kernel: [ 776.930910] CR2: 0000000000001070
kernel: [ 776.930912] ---[ end trace a4cf4135f35abbbd ]---
kernel: [ 776.930913] RIP: 0010:ip6_
kernel: [ 776.930915] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
kernel: [ 776.930916] RSP: 0018:ffffbeb841
kernel: [ 776.930917] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
kernel: [ 776.930917] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
kernel: [ 776.930918] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
kernel: [ 776.930919] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
kernel: [ 776.930919] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
kernel: [ 776.930921] FS: 00007fbcd8a8270
kernel: [ 776.930921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [ 776.930922] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
CVE References
Jason A. Donenfeld (zx2c4) wrote (#1):
Jason A. Donenfeld (zx2c4) wrote (#2):
Yep, confirmed that Eoan is broken. Here's reproduction steps:
root@scw-
Linux scw-competent-dirac 5.3.0-13-generic #14-Ubuntu SMP Tue Sep 24 02:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@scw-
root@scw-
root@scw-
root@scw-
root@scw-
root@scw-
PING 1234::1(1234::1) 56 data bytes
..Segmentation fault
root@scw-
root@scw-
[ 100.388052] general protection fault: 0000 [#1] SMP NOPTI
[ 100.396544] CPU: 1 PID: 1680 Comm: ping Tainted: G W 5.3.0-13-generic #14-Ubuntu
[ 100.398869] Hardware name: Scaleway Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[ 100.401359] RIP: 0010:ip6_
[ 100.402157] Code: 85 c9 44 8b 45 d0 74 9b eb 82 0f 1f 44 00 00 0f 1f 44 00 00 48 8b 47 10 55 48 83 e0 fc 8b 40 24 48 89 e5 85 c0 75 15 48 8b 07 <48> 8b 90 10 03 00 00 48 85 d2 74 08 8b 82 1c 01 00 00 5d c3 48 8b
[ 100.405133] RSP: 0018:ffffb7dcc0
[ 100.405940] RAX: 3b3856482af84913 RBX: ffffa01db31d3cf0 RCX: 0000000000000000
[ 100.407045] RDX: 00000000ffffffff RSI: ffffa01dada4e300 RDI: ffffa01dada4e300
[ 100.408261] RBP: ffffb7dcc04e3c20 R08: 0000000000000006 R09: 0000000000000000
[ 100.409433] R10: ffffb7dcc04e3d00 R11: 0000000000000039 R12: ffffb7dcc04e3e10
[ 100.410611] R13: ffffb7dcc04e3d00 R14: ffffa01db31d3900 R15: 0000000000000000
[ 100.411889] FS: 00007f6c12b8e04
[ 100.413180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 100.414126] CR2: 00007f5c067453e0 CR3: 0000000031900000 CR4: 00000000003406e0
[ 100.415335] Call Trace:
[ 100.415746] rawv6_sendmsg+
[ 100.416474] ? sock_common_
[ 100.417131] inet_sendmsg+
[ 100.417730] ? security_
[ 100.418468] ? inet_sendmsg+
[ 100.419109] sock_sendmsg+
[ 100.419775] __sys_sendto+
[ 100.420517] ? __sys_recvmsg+
[ 100.421307] __x64_sys_
[ 100.422036] do_syscall_
[ 100.422692] entry_SYSCALL_
[ 100.423479] RIP: 0033:0x7f6c12cd58aa
[ 100.424123] Code: 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
[ 100.426939] RSP: 002b:00007ffe8e
[ 100.428248] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007f6c12cd58aa
[ 100.429498] RDX: 0000000000000040 RSI: 0000560c046766c0 RDI: 0000000000000004
[ 100.430647] RBP: 0000560c046766c0 R08: 0000560c04674640 R09: 000000000000001c
[ 100.431843] R10: 0000000000000000 R11: ...
Andrew Rennie (j-an6rew-u) wrote (#3):
Thanks - will wait for kernel fix.
Jason A. Donenfeld (zx2c4) wrote (#4):
Here's a one-liner that *doesn't require root* that you can use to test whether the kernel fix has landed:
unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_
Note: this will crash your system.
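Because the reproducer above takes the machine down, a safer way to find out whether a system still needs this fix is to compare the kernel release string against the version the fix shipped in (linux 5.3.0-19.20, per comment #11). The script below is an added example, not part of the bug report; it assumes Ubuntu's "5.3.0-<abi>-<flavour>" naming and that any 5.3.0 eoan kernel with ABI number 19 or higher carries the fix.

```shell
#!/bin/sh
# Added example: check an Ubuntu eoan kernel release string for the
# fix tracked in LP: #1847478 / CVE-2019-18198 without running the
# crashing reproducer. Assumption: the fix is present in every eoan
# 5.3.0 kernel whose ABI number is >= 19 (first fixed build: 5.3.0-19.20).

# Returns 0 if the release carries the fix, 1 if it is an older
# 5.3.0 eoan kernel (still vulnerable), 2 if it is not a 5.3.0 kernel
# at all and this check does not apply.
eoan_kernel_has_fix() {
    release=$1
    case $release in
        5.3.0-*) ;;
        *) return 2 ;;
    esac
    # Keep only the ABI number: "5.3.0-19-generic" -> 19, "5.3.0-19.20" -> 19
    abi=${release#5.3.0-}
    abi=${abi%%-*}
    abi=${abi%%.*}
    case $abi in
        ''|*[!0-9]*) return 2 ;;   # malformed ABI field
    esac
    [ "$abi" -ge 19 ]
}

# Print a verdict for the given release (defaults to the running kernel).
report() {
    release=${1:-$(uname -r)}
    if eoan_kernel_has_fix "$release"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$release: fix present (5.3.0-19.20 or later)" ;;
        1) echo "$release: VULNERABLE, update to linux 5.3.0-19.20 or later" ;;
        *) echo "$release: not an Ubuntu 5.3.0 (eoan) kernel; check does not apply" ;;
    esac
    return 0
}

report "$@"
```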
Changed in linux (Ubuntu):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Tyler Hicks (tyhicks)
Changed in wireguard (Ubuntu):
  status: New → Invalid
summary: wireguard crashes system shortly after wg-quick down wg0 → eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
affects: wireguard (Ubuntu) → linux-meta (Ubuntu)
Changed in linux-meta (Ubuntu):
  status: Invalid → New
  status: New → Invalid
Andrew Rennie (j-an6rew-u) wrote (#5):
Thanks
description: updated
no longer affects: linux-meta (Ubuntu)
Tyler Hicks (tyhicks) wrote (#6):
Fix submitted: https:/
Since we're just about one week from the release of Eoan, this fix may not make the Eoan release. If that's the case, it will be included in the initial set of Stable Release Updates (SRU) for the Eoan kernels.
Tyler Hicks (tyhicks) wrote (#7):
Thanks to Jason for alerting us of this issue and pointing us at the fix!
Changed in linux (Ubuntu Eoan):
  status: In Progress → Fix Committed
Tyler Hicks (tyhicks) wrote (#8):
This is CVE-2019-18198
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-eoan
information type: Public → Public Security
Teemu Torma (teemu-torma) wrote (#10):
The proposed kernel works fine, tested with wireguard on multiple systems, and the one-liner mentioned in #4 does not crash the system.
tags: added: verification-done-eoan; removed: verification-needed-eoan
Launchpad Janitor (janitor) wrote (#11):
This bug was fixed in the package linux - 5.3.0-19.20
---------------
linux (5.3.0-19.20) eoan; urgency=medium
* eoan/linux: 5.3.0-19.20 -proposed tracker (LP: #1848648)
* eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is
set on suppress rule" (LP: #1847478)
- ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule
-- Khalid Elmously <email address hidden> Fri, 18 Oct 2019 04:17:49 -0400
Changed in linux (Ubuntu Eoan):
  status: Fix Committed → Fix Released
Ubuntu SRU Bot (ubuntu-sru-bot) wrote (#12): Autopkgtest regression report (linux-gcp-5.3/5.3.0-1008.9~18.04.1)
All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-
The following regressions have been reported in tests triggered by the package:
linux-gcp-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Launchpad Janitor (janitor) wrote (#13):
This bug was fixed in the package linux - 5.3.0-24.26
---------------
linux (5.3.0-24.26) eoan; urgency=medium
* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)
* Eoan update: 5.3.9 upstream stable release (LP: #1851550)
- io_uring: fix up O_NONBLOCK handling for sockets
- dm snapshot: introduce account_
- dm snapshot: rework COW throttling to fix deadlock
- Btrfs: fix inode cache block reserve leak on failure to allocate data space
- btrfs: qgroup: Always free PREALLOC META reserve in
btrfs_
- iio: adc: meson_saradc: Fix memory allocation order
- iio: fix center temperature of bmc150-accel-core
- libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
- perf tests: Avoid raising SEGV using an obvious NULL dereference
- perf map: Fix overlapped map handling
- perf script brstackinsn: Fix recovery from LBR/binary mismatch
- perf jevents: Fix period for Intel fixed counters
- perf tools: Propagate get_cpuid() error
- perf annotate: Propagate perf_env__arch() error
- perf annotate: Fix the signedness of failure returns
- perf annotate: Propagate the symbol__annotate() error return
- perf annotate: Fix arch specific ->init() failure errors
- perf annotate: Return appropriate error code for allocation failures
- perf annotate: Don't return -1 for error when doing BPF disassembly
- staging: rtl8188eu: fix null dereference when kzalloc fails
- RDMA/siw: Fix serialization issue in write_space()
- RDMA/hfi1: Prevent memory leak in sdma_init
- RDMA/iw_cxgb4: fix SRQ access from dump_qp()
- RDMA/iwcm: Fix a lock inversion issue
- HID: hyperv: Use in-place iterator API in the channel callback
- kselftest: exclude failed TARGETS from runlist
- selftests/
- nfs: Fix nfsi->nrequests count error on nfs_inode_
- arm64: cpufeature: Effectively expose FRINT capability to userspace
- arm64: Fix incorrect irqflag restore for priority masking for compat
- arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
- tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
- tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
- serial/sifive: select SERIAL_EARLYCON
- tty: n_hdlc: fix build on SPARC
- misc: fastrpc: prevent memory leak in fastrpc_
- RDMA/core: Fix an error handling path in 'res_get_
- RDMA/cm: Fix memory leak in cm_add/remove_one
- RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
- RDMA/mlx5: Do not allow rereg of a ODP MR
- RDMA/mlx5: Order num_pending_
- RDMA/mlx5: Add missing synchronize_srcu() for MW cases
- gpio: max77620: Use correct unit for debounce times
- fs: cifs: mute -Wunused-
- arm64: vdso32: Fix broken compat vDSO build warnings
- arm64: vdso32: Detect binutils support for dmb ishld
- serial: mctrl_gpio: Check for NULL pointer
- serial: 8250_...
Changed in linux (Ubuntu):
  status: Fix Committed → Fix Released
Most likely this is related to an invocation to `ip rule` that's being made, not WireGuard. Take a look at this mailing list post: https://lists.zx2c4.com/pipermail/wireguard/2019-October/004588.html