ipsec: policy priority management is broken

Bug #1890796 reported by Nicolas Dichtel on 2020-08-07
Affects                   Importance   Assigned to
linux (Ubuntu)            Undecided    Unassigned
  Xenial                  High         Unassigned
  Bionic                  High         Unassigned
  Focal                   High         Unassigned
linux-hwe (Ubuntu)        Undecided    Unassigned
  Xenial                  Undecided    Unassigned
  Bionic                  High         Unassigned
  Focal                   Undecided    Unassigned
linux-oem-5.6 (Ubuntu)    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
  Bionic                  Undecided    Unassigned
  Focal                   High         Unassigned

Bug Description

[Impact]

When the user tries to update the priority field of an SP (security policy), the SP is not updated *AND* a new SP is created. This results in a broken IPsec configuration.

This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm: policy: match with both mark and mask on user interfaces"):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f47e8ab6ab7

[Test Case]

root@dut-vm:~# uname -a
Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@dut-vm:~# ip xfrm policy flush
root@dut-vm:~# ip xfrm policy
root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 9
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel
root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 5
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 9
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel
root@dut-vm:~#

=> Now, there are 2 SPs instead of 1.
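The check below is an added example, not part of the bug report: it turns the test case above into a pass/fail verification that can be run against a -proposed kernel. The parsing functions work on a saved `ip xfrm policy` dump (the two constructed samples are the affected-kernel output shown above and the expected fixed output); the `--live` path re-runs the reproduction inside a throwaway network namespace so the host's own SPs are untouched. Function and namespace names are this script's own.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the xfrm "policy update"
# path on a kernel under test, using the SP parameters from the [Test Case].

# Count security policies in `ip xfrm policy` output: each SP begins with an
# unindented "src ... dst ..." line. grep -c exits 1 on zero matches, which
# must not abort a caller running under set -e.
count_sps() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# Print the priority of every SP in the dump, one per line.
sp_priorities() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*dir / {
        for (i = 1; i <= NF; i++) if ($i == "priority") print $(i + 1) }'
}

# Verdict on the post-update dump: "fixed" when exactly one SP remains and it
# carries the new priority, "broken" when the old SP survived beside it.
classify_dump() {
    dump="$1"; want_prio="$2"
    n=$(count_sps "$dump")
    if [ "$n" -eq 1 ] && [ "$(sp_priorities "$dump")" = "$want_prio" ]; then
        echo fixed
    else
        echo broken
    fi
}

# Re-run the reproduction from the report in a private netns (needs root).
run_reproduction() {
    ns="xfrm-lp1890796-$$"
    ip netns add "$ns" || return 2
    ip -n "$ns" xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in \
        action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
    ip -n "$ns" xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in \
        priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
    dump=$(ip -n "$ns" xfrm policy)
    ip netns del "$ns"
    classify_dump "$dump" 5
}

# Constructed sample: the dump an affected kernel produces (copied from the report).
BROKEN_DUMP='src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 5
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 9
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel'

# Constructed sample: what a fixed kernel is expected to show after the update.
FIXED_DUMP='src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
        dir in priority 5
        tmpl src 3.3.3.3 dst 4.4.4.4
                proto esp reqid 1 mode tunnel'

if [ "${1:-}" = "--live" ]; then
    run_reproduction
fi
```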

[Regression Potential]

The patch affects the xfrm stack only. Thus, the potential regressions are limited to this area.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1890796

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: focal
Stefan Bader (smb) on 2020-08-10
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Eoan):
status: New → Triaged
Changed in linux (Ubuntu Focal):
status: New → Triaged
no longer affects: linux (Ubuntu Eoan)
no longer affects: linux-hwe (Ubuntu Eoan)
Changed in linux (Ubuntu Bionic):
status: New → Invalid
Changed in linux-hwe (Ubuntu Focal):
status: New → Invalid
Changed in linux-hwe (Ubuntu):
status: New → Invalid
Changed in linux-hwe (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → High
Changed in linux (Ubuntu Focal):
importance: Undecided → High
Stefan Bader (smb) wrote :

The same offending patch was already released with Xenial and is applied to the current SRU cycle for Bionic. Those would also need to be fixed.

Changed in linux (Ubuntu Bionic):
status: Invalid → Triaged
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Changed in linux-hwe (Ubuntu Xenial):
status: New → Invalid
Changed in linux (Ubuntu Focal):
status: Triaged → Fix Committed
Changed in linux-hwe (Ubuntu Bionic):
status: Triaged → Fix Committed
Timo Aaltonen (tjaalton) on 2020-08-11
Changed in linux-oem-5.6 (Ubuntu Xenial):
status: New → Invalid
Changed in linux-oem-5.6 (Ubuntu Bionic):
status: New → Invalid
Changed in linux-oem-5.6 (Ubuntu):
status: New → Confirmed
Stefan Bader (smb) on 2020-08-11
Changed in linux (Ubuntu Bionic):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in linux-oem-5.6 (Ubuntu Focal):
importance: Undecided → High
status: New → Confirmed
Changed in linux-oem-5.6 (Ubuntu):
status: Confirmed → Invalid

If not already checked: hwe-5.4 needs the change.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal

I don't understand which kernel should be tested on xenial. The kernel 4.15.0-112-generic does not have the bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-5.6 - 5.6.0-1023.23

---------------
linux-oem-5.6 (5.6.0-1023.23) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1023.23 -proposed tracker (LP: #1892465)

  * CVE-2020-15852
    - x86/ioperm: Fix io bitmap invalidation on Xen PV

  * Fix non-working USB devices plugged during system sleep (LP: #1892678)
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set

  * ASPM not enabled on child devices behind VMD controller (LP: #1889384)
    - SAUCE: PCI/ASPM: Enable ASPM for links under VMD domain

  * Fix non-working Goodix touchpad after system sleep (LP: #1891998)
    - HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands

  * [SRU] Fix acpi backlight issue on some thinkpads (LP: #1892010)
    - platform/x86: thinkpad_acpi: not loading brightness_init when _BCL invalid

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

 -- Timo Aaltonen <email address hidden> Tue, 25 Aug 2020 08:46:08 +0300

Changed in linux-oem-5.6 (Ubuntu Focal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-189.219

---------------
linux (4.4.0-189.219) xenial; urgency=medium

  * xenial/linux: 4.4.0-189.219 -proposed tracker (LP: #1891057)

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [Packaging] dkms -- dkms package build packaging support
    - [Packaging] wireguard -- add support for building signed .ko
    - [Packaging] ignore wireguard modules when wireguard is disabled
    - [Config] update dkms package versions
    - [Config] wireguard -- enable for all architectures

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.4.0-188.218) xenial; urgency=medium

  * xenial/linux: 4.4.0-188.218 -proposed tracker (LP: #1890670)

  * Xenial update: v4.4.232 upstream stable release (LP: #1889928)
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - perf/core: Fix locking for children siblings group read
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - x86/fpu: Disable bottom halves while loading FPU registers
    - btrfs: fix mount failure caused by race with umount
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - scripts/decode_stacktrace: strip basepath from all paths
    - regmap: dev_get_regmap_match(): fix string comparison
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates clamping
    - mm/memcg: fix refcount error while moving and swapping
 ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-hwe - 5.3.0-66.60

---------------
linux-hwe (5.3.0-66.60) bionic; urgency=medium

  * bionic/linux-hwe: 5.3.0-66.60 -proposed tracker (LP: #1891053)

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
    - cgroup: Fix sock_cgroup_data on big-endian.

 -- Stefan Bader <email address hidden> Tue, 11 Aug 2020 09:22:54 +0200

Changed in linux-hwe (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-45.49

---------------
linux (5.4.0-45.49) focal; urgency=medium

  * focal/linux: 5.4.0-45.49 -proposed tracker (LP: #1893050)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (5.4.0-44.48) focal; urgency=medium

  * focal/linux: 5.4.0-44.48 -proposed tracker (LP: #1891049)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (5.4.0-43.47) focal; urgency=medium

  * focal/linux: 5.4.0-43.47 -proposed tracker (LP: #1890746)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Devlink - add RoCE disable kernel support (LP: #1877270)
    - devlink: Add new "enable_roce" generic device param
    - net/mlx5: Document flow_steering_mode devlink param
    - net/mlx5: Handle "enable_roce" devlink param
    - IB/mlx5: Rename profile and init methods
    - IB/mlx5: Load profile according to RoCE enablement state
    - net/mlx5: Remove unneeded variable in mlx5_unload_one
    - net/mlx5: Add devlink reload
    - IB/mlx5: Do reverse sequence during device removal

  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test

  * Enlarge hisi_sec2 capability (LP: #1890222)
    - Revert "UBUNTU: [Config] Disable hisi_sec2 temporarily"
    - crypto: hisilicon - update SEC driver module parameter

  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
    - ALSA: hda/hdmi: Add quirk to force connectivity

  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
    - PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken

  * ASoC:amd:renoir: the dmic can't record sound after suspend and resume
    (LP: #1890220)
    - SAUCE: ASoC: amd: renoir: restore two more registers during resume

  * No sound, Dummy output on Acer Swift 3 SF314-57G with Ice Lake core-i7 CPU
    (LP: #1877757)
    - ASoC: SOF: Intel: hda: fix generic hda codec support

  * Fix right speaker of HP laptop (LP: #1889375)
    - SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
    - SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
    - ASoC: amd: add logic to check dmic hardware runtime
    - ASoC: amd: add ACPI dependency check
    - ASoC: amd: fixed kernel warnings

  * soc/amd/renoir: change the module name to make it work with ucm3
    (LP: #1888166)
    - AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
      module
    - SAUCE: remove a kernel module since its name is changed

  * Focal update: v5.4.55 upstream stable release (LP: #1890343)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make i...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-115.116

---------------
linux (4.15.0-115.116) bionic; urgency=medium

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (4.15.0-114.115) bionic; urgency=medium

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.15.0-113.114) bionic; urgency=medium

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume

  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
    - ipvs: fix the connection sync failed in some cases
    - i2c: rcar: always clear ICSAR to avoid side effects
    - bonding: check return value of register_netdevice() in bond_newlink()
    - serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
    - scripts/decode_stacktrace: strip basepath from all paths
    - HID: i...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-hwe - 4.15.0-115.116~16.04.1

---------------
linux-hwe (4.15.0-115.116~16.04.1) xenial; urgency=medium

  * xenial/linux-hwe: 4.15.0-115.116~16.04.1 -proposed tracker (LP: #1893057)

  [ Ubuntu: 4.15.0-115.116 ]

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)
  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux-hwe (4.15.0-114.115~16.04.1) xenial; urgency=medium

  * xenial/linux-hwe: 4.15.0-114.115~16.04.1 -proposed tracker (LP: #1890704)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update update.conf

  [ Ubuntu: 4.15.0-114.115 ]

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

  [ Ubuntu: 4.15.0-113.114 ]

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume
  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
...

Changed in linux-hwe (Ubuntu Xenial):
status: Invalid → Fix Released