net/ipv4: original ingress device index set as the loopback interface.

Bug #1683982 reported by Jorge Niedbalski on 2017-04-19
22
This bug affects 6 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Unassigned
Yakkety
Medium
Jorge Niedbalski
Zesty
Medium
Unassigned

Bug Description

[Environment]

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

# uname -a

Linux juju-niedbalski-xenial-machine-12 4.8.0-46-generic #49~16.04.1-Ubuntu SMP Fri Mar 31 14:51:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[Description]

We identified a bug in one of the utilities provided by dnsmasq, the 'dhcp_release' utility which
is executed as part of the DHCP lease cleanup mechanism by Neutron once a network resource is freed.
We noticed that some packets were discarded by the DHCP server (dnsmasq) in Ubuntu systems
running a kernel >= 4.7. The reason was the ipi_ifindex field on the pktinfo was incorrectly assumed to be 1 (loopback),
this causes the message to be ignored by the dnsmasq daemon since isn't the interface on which dnsmasq is bind to.

(gdb) p *p.p
$4 = {
ipi_ifindex = 1,
ipi_spec_dst = {
s_addr = 34973888
},
ipi_addr = {
s_addr = 34973888
}
}

(gdb) p ifr
$8 = {ifr_ifrn = {ifrn_name = "lo", '\000' <repeats 13 times>},

[Fix]

Upstream commit:
https://github.com/torvalds/linux/commit/f0c16ba8933ed217c2688b277410b2a37ba81591

[Test Case]

1) Configure a dnsmasq instance to server DHCP

(Example):

$ sudo dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/860b0cbb-37c3-4bcb-8345-52b942518dca/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/860b0cbb-37c3-4bcb-8345-52b942518dca/host -
-addn-hosts=/var/lib/neutron/dhcp/860b0cbb-37c3-4bcb-8345-52b942518dca/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/860b0cbb-37c3-4bcb-8345-52b942518dca/opts --dhcp-leasefile=/var/lib/neutron/dhcp/860b0cbb-37c3-4bcb-8345-52b942
518dca/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=ns-1cb1b7c7-c0 --dhcp-range=set:tag0,192.168.21.0,static,86400s --dhcp-option-force=option:mtu,1458 --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --
domain=openstacklocal

2) Boot a VM or container on the bridge/interface on which dnsmasq is bind to.
2) Use the dhcp_release utility to release the lease.

(Example):
$ sudo dhcp_release ns-1cb1b7c7-c0 192.168.21.8 fa:16:3e:f3:b2:fe

The expected result: The lease is freed.
Current results: dnsmasq ignored the DHCP Release message.

[Fix]

When we send a packet for our own local address on a non-loopback
interface (e.g. eth0), due to the change had been introduced from
commit 0b922b7 ("net: original ingress device index in PKTINFO"), the
original ingress device index would be set as the loopback interface.

* https://github.com/torvalds/linux/commit/f0c16ba8933ed217c2688b277410b2a37ba81591

CVE References

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1683982

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Joseph Salisbury (jsalisbury) wrote :

Do you plan on sending a SRU request to the kernel-team mailing list?

Changed in linux (Ubuntu Yakkety):
status: New → Triaged
Changed in linux (Ubuntu Zesty):
status: Confirmed → Triaged
Changed in linux (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in linux (Ubuntu Zesty):
importance: Undecided → Medium
tags: added: kernel-da-key yakkety zesty
Gavin Guo (mimi0213kimo) wrote :

@Joseph Salisbury,

Yes, Jorge has identified the bug and will send out the SRU patches.

tags: removed: kernel-da-key
tags: added: sts
description: updated
Changed in linux (Ubuntu Zesty):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Yakkety):
status: Triaged → In Progress
assignee: nobody → Jorge Niedbalski (niedbalski)
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
Changed in linux (Ubuntu):
status: Triaged → Fix Released
Jorge Niedbalski (niedbalski) wrote :

Hello,

Thanks for enabling this patch in proposed. I have performed a verification
of the fix on Xenial HWE.

With 4.8.0-52 (current linux-generic-hwe-16.04) the error is consistently
reproduced, as can be seen in the following lines:

root@juju-niedbalski-xenial-machine-30:/home/ubuntu# uname -a
Linux juju-niedbalski-xenial-machine-30 4.8.0-52-generic #55~16.04.1-Ubuntu SMP Fri Apr 28 14:36:29 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@juju-niedbalski-xenial-machine-30:/home/ubuntu# /usr/bin/dhcp_release ns-8382c038-49 192.168.21.14 FA:16:3E:45:6F:AF

root@juju-niedbalski-xenial-machine-30:/home/ubuntu# more /var/lib/neutron/dhcp/72dd7d69-9107-45a2-bc0f-43dfe06fcbbb/addn_hosts
192.168.21.1 host-192-168-21-1.openstacklocal host-192-168-21-1
192.168.21.2 host-192-168-21-2.openstacklocal host-192-168-21-2
192.168.21.6 host-192-168-21-6.openstacklocal host-192-168-21-6
192.168.21.14 host-192-168-21-14.openstacklocal host-192-168-21-14
192.168.21.7 host-192-168-21-7.openstacklocal host-192-168-21-7

After installing the latest linux-generic-hwe-16.04-edge, the lease is correctly
removed, fixing the reported issue.

root@juju-niedbalski-xenial-machine-30:/home/ubuntu# uname -a
Linux juju-niedbalski-xenial-machine-30 4.10.0-21-generic #23~16.04.1-Ubuntu SMP Tue May 2 12:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@juju-niedbalski-xenial-machine-30:/home/ubuntu# /usr/bin/dhcp_release ns-8382c038-49 192.168.21.6 fa:16:3e:4c:fb:e4
root@juju-niedbalski-xenial-machine-30:/home/ubuntu# more /var/lib/neutron/dhcp/72dd7d69-9107-45a2-bc0f-43dfe06fcbbb/leases
1494092249 fa:16:3e:d0:f7:1b 192.168.21.7 host-192-168-21-7 *
1494092249 fa:16:3e:f8:67:3b 192.168.21.2 host-192-168-21-2 *
1494092249 fa:16:3e:9f:05:3d 192.168.21.1 host-192-168-21-1 *

Marking verification-done-yakkety.

tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-52.55

---------------
linux (4.8.0-52.55) yakkety; urgency=low

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * net/ipv4: original ingress device index set as the loopback interface.
    (LP: #1683982)
    - net: fix incorrect original ingress device index in PKTINFO

  * Touchpad not working correctly after kernel upgrade (LP: #1662589)
    - Input: ALPS - fix V8+ protocol handling (73 03 28)

  * ifup service of network device stay active after driver stop (LP: #1672144)
    - net: use net->count to check whether a netns is alive or not

  * [Hyper-V] mkfs regression in kernel 4.4+ (LP: #1682215)
    - block: relax check on sg gap

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

 -- Stefan Bader <email address hidden> Fri, 28 Apr 2017 12:17:12 +0200

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Eduardo Gonzalez (egonzalez90) wrote :

Removing kolla as affected project, the fix is merged in packagers and we consume their packages.

no longer affects: kolla
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers