eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Fix Released | High | Tyler Hicks | |
Eoan | Fix Released | High | Tyler Hicks | |
Bug Description
[Impact]
An unprivileged local attacker could cause a denial of service, or possibly execute arbitrary code due to an ipv6 regression.
[Test Case]
An unpatched system will crash with the following command:
$ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_
[Regression Potential]
Low. The change could theoretically introduce a memory leak but that would still be an improvement over immediate loss of system availability.
[Original Description]
Having recently upgraded to Eoan Ermine from Disco Dingo, my previously rock-solid wireguard now locks the system up shortly after I take the connection down with wg-quick down wg0.
Package:
wireguard:
Installed: 0.0.20190913-
Candidate: 0.0.20190913-
Version table:
*** 0.0.20190913-
500 http://
500 http://
100 /var/lib/
Kernel:
5.3.0-13-generic
Snipped from /var/log/syslog:
kernel: [ 776.930804] BUG: unable to handle page fault for address: 0000000000001070
kernel: [ 776.930807] #PF: supervisor read access in kernel mode
kernel: [ 776.930808] #PF: error_code(0x0000) - not-present page
kernel: [ 776.930809] PGD 0 P4D 0
kernel: [ 776.930811] Oops: 0000 [#1] SMP NOPTI
kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu
kernel: [ 776.930813] Hardware name: Dell Inc. XPS 13 9380/0KTW76, BIOS 1.7.0 08/05/2019
kernel: [ 776.930817] RIP: 0010:ip6_
kernel: [ 776.930819] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
kernel: [ 776.930820] RSP: 0018:ffffbeb841
kernel: [ 776.930821] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
kernel: [ 776.930822] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
kernel: [ 776.930823] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
kernel: [ 776.930823] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
kernel: [ 776.930824] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
kernel: [ 776.930825] FS: 00007fbcd8a8270
kernel: [ 776.930826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [ 776.930827] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
kernel: [ 776.930828] Call Trace:
kernel: [ 776.930832] ip6_datagram_
kernel: [ 776.930835] ? _raw_read_
kernel: [ 776.930837] __ip6_datagram_
kernel: [ 776.930839] ip6_datagram_
kernel: [ 776.930841] inet_dgram_
kernel: [ 776.930843] __sys_connect+
kernel: [ 776.930846] ? do_fcntl+0xe4/0x550
kernel: [ 776.930848] ? fput+0x13/0x15
kernel: [ 776.930849] __x64_sys_
kernel: [ 776.930852] do_syscall_
kernel: [ 776.930854] entry_SYSCALL_
kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb
kernel: [ 776.930856] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 ab fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 e1 fa ff ff 8b 44
kernel: [ 776.930857] RSP: 002b:00007fbcd8
kernel: [ 776.930859] RAX: ffffffffffffffda RBX: 00000000ffffff94 RCX: 00007fbcde6324eb
kernel: [ 776.930859] RDX: 000000000000001c RSI: 00007fbcd8a7ecf0 RDI: 0000000000000022
kernel: [ 776.930860] RBP: 00007fbcd8a7edb0 R08: 0000000000000000 R09: 00007fbcd8a7edf8
kernel: [ 776.930861] R10: 00007fbcd8a7edf0 R11: 0000000000000293 R12: 0000250e77c19710
kernel: [ 776.930862] R13: 0000250e77c19900 R14: 00007fbcd8a7edc8 R15: 00007fbcd8a7edc8
kernel: [ 776.930863] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel ccm rfcomm uhid algif_hash algif_skcipher af_alg cmac bnep sof_pci_dev snd_sof_
kernel: [ 776.930888] wmi_bmof cfg80211 videobuf2_common intel_wmi_
kernel: [ 776.930910] CR2: 0000000000001070
kernel: [ 776.930912] ---[ end trace a4cf4135f35abbbd ]---
kernel: [ 776.930913] RIP: 0010:ip6_
kernel: [ 776.930915] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
kernel: [ 776.930916] RSP: 0018:ffffbeb841
kernel: [ 776.930917] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
kernel: [ 776.930917] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
kernel: [ 776.930918] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
kernel: [ 776.930919] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
kernel: [ 776.930919] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
kernel: [ 776.930921] FS: 00007fbcd8a8270
kernel: [ 776.930921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [ 776.930922] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
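For triage, the oops above can be reduced to a signature: a kernel-mode page fault whose RIP is in an `ip6_` function, reached through `ip6_datagram_` frames from a `connect()` call. The following is an added example, not part of the original report or of any Ubuntu tooling. The names `parse_oops` and `matches_report` are hypothetical, the sample is abridged from the excerpt above (symbol names are truncated there), and the signature is a heuristic based only on those visible lines.

```python
import re

# Abridged from the syslog excerpt in this report; symbols are truncated there.
SAMPLE = """\
kernel: [ 776.930804] BUG: unable to handle page fault for address: 0000000000001070
kernel: [ 776.930807] #PF: supervisor read access in kernel mode
kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu
kernel: [ 776.930817] RIP: 0010:ip6_
kernel: [ 776.930828] Call Trace:
kernel: [ 776.930832] ip6_datagram_
kernel: [ 776.930835] ? _raw_read_
kernel: [ 776.930843] __sys_connect+
kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb
kernel: [ 776.930912] ---[ end trace a4cf4135f35abbbd ]---
"""

LINE = re.compile(r"kernel: \[\s*[\d.]+\] ?(.*)")

def parse_oops(text):
    """Return one dict per page-fault oops found in syslog-style text."""
    records, cur, in_trace = [], None, False
    for m in LINE.finditer(text):
        msg = m.group(1).strip()
        if msg.startswith("BUG: unable to handle page fault for address:"):
            cur = {"addr": int(msg.rsplit(" ", 1)[1], 16), "kernel_mode": False,
                   "comm": None, "rip": None, "trace": []}
            records.append(cur)
            in_trace = False
        elif cur is None:
            continue  # not inside an oops record
        elif msg.startswith("#PF:") and "kernel mode" in msg:
            cur["kernel_mode"] = True
        elif (c := re.search(r"Comm: (\S+)", msg)):
            cur["comm"] = c.group(1)
        elif msg.startswith("RIP: 0010:") and cur["rip"] is None:
            cur["rip"] = msg[len("RIP: 0010:"):]  # kernel code segment RIP
        elif msg == "Call Trace:":
            in_trace = True
        elif msg.startswith(("RIP:", "---[")):
            in_trace = False  # user-mode RIP or end marker closes the trace
            cur = None if msg.startswith("---[") else cur
        elif in_trace:
            cur["trace"].append(msg.lstrip("? "))
    return records

def matches_report(rec):
    """Heuristic: kernel-mode fault in ip6_* via ip6_datagram_* from connect()."""
    return (rec["kernel_mode"] and (rec["rip"] or "").startswith("ip6_")
            and any(f.startswith("ip6_datagram_") for f in rec["trace"])
            and any("connect" in f for f in rec["trace"]))
```

Lines after the `end trace` marker are ignored, so the register block the kernel repeats there does not create a second record.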
CVE References
Changed in linux (Ubuntu): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in wireguard (Ubuntu): | |
status: | New → Invalid |
summary: |
- wireguard crashes system shortly after wg-quick down wg0
+ eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF
+ is set on suppress rule" |
affects: | wireguard (Ubuntu) → linux-meta (Ubuntu) |
Changed in linux-meta (Ubuntu): | |
status: | Invalid → New |
status: | New → Invalid |
description: | updated |
no longer affects: | linux-meta (Ubuntu) |
Changed in linux (Ubuntu Eoan): | |
status: | In Progress → Fix Committed |
information type: | Public → Public Security |
Most likely this is related to an invocation to `ip rule` that's being made, not WireGuard. Take a look at this mailing list post: https://lists.zx2c4.com/pipermail/wireguard/2019-October/004588.html