Fix submitted: https://lists.ubuntu.com/archives/kernel-team/2019-October/104623.html
Since we're just about one week from the release of Eoan, this fix may not make the Eoan release. If that's the case, it will be included in the initial set of Stable Release Updates (SRU) for the Eoan kernels.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1847478

Title:
  eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"

Status in linux package in Ubuntu:
  In Progress

Bug description:
  [Impact]
  An unprivileged local attacker could cause a denial of service, or possibly execute arbitrary code due to an ipv6 regression.

  [Test Case]
  An unpatched system will crash with the following command:

  $ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'

  [Regression Potential]
  Low. The change could theoretically introduce a memory leak but that would still be an improvement over immediate loss of system availability.

  [Original Description]
  Having recently upgraded to Eoan Ermine from Disco Dingo, my previously rock-solid wireguard now locks the system up shortly after I take the connection down with wg-quick down wg0.
  Package:
  wireguard:
    Installed: 0.0.20190913-1ubuntu1
    Candidate: 0.0.20190913-1ubuntu1
    Version table:
   *** 0.0.20190913-1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages
          500 http://gb.archive.ubuntu.com/ubuntu eoan/universe i386 Packages
          100 /var/lib/dpkg/status

  Kernel: 5.3.0-13-generic

  Snipped from /var/log/syslog:

  kernel: [ 776.930804] BUG: unable to handle page fault for address: 0000000000001070
  kernel: [ 776.930807] #PF: supervisor read access in kernel mode
  kernel: [ 776.930808] #PF: error_code(0x0000) - not-present page
  kernel: [ 776.930809] PGD 0 P4D 0
  kernel: [ 776.930811] Oops: 0000 [#1] SMP NOPTI
  kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu
  kernel: [ 776.930813] Hardware name: Dell Inc. XPS 13 9380/0KTW76, BIOS 1.7.0 08/05/2019
  kernel: [ 776.930817] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
  kernel: [ 776.930819] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
  kernel: [ 776.930820] RSP: 0018:ffffbeb841a9fcd8 EFLAGS: 00010202
  kernel: [ 776.930821] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
  kernel: [ 776.930822] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
  kernel: [ 776.930823] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
  kernel: [ 776.930823] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
  kernel: [ 776.930824] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
  kernel: [ 776.930825] FS: 00007fbcd8a82700(0000) GS:ffffa0939e4c0000(0000) knlGS:0000000000000000
  kernel: [ 776.930826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: [ 776.930827] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
  kernel: [ 776.930828] Call Trace:
  kernel: [ 776.930832] ip6_datagram_dst_update+0x15e/0x280
  kernel: [ 776.930835] ? _raw_read_unlock_bh+0x20/0x30
  kernel: [ 776.930837] __ip6_datagram_connect+0x1da/0x380
  kernel: [ 776.930839] ip6_datagram_connect+0x2d/0x50
  kernel: [ 776.930841] inet_dgram_connect+0x3f/0xc0
  kernel: [ 776.930843] __sys_connect+0xf1/0x130
  kernel: [ 776.930846] ? do_fcntl+0xe4/0x550
  kernel: [ 776.930848] ? fput+0x13/0x15
  kernel: [ 776.930849] __x64_sys_connect+0x1a/0x20
  kernel: [ 776.930852] do_syscall_64+0x5a/0x130
  kernel: [ 776.930854] entry_SYSCALL_64_after_hwframe+0x44/0xa9
  kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb
  kernel: [ 776.930856] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 ab fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 e1 fa ff ff 8b 44
  kernel: [ 776.930857] RSP: 002b:00007fbcd8a7ec90 EFLAGS: 00000293 ORIG_RAX: 000000000000002a
  kernel: [ 776.930859] RAX: ffffffffffffffda RBX: 00000000ffffff94 RCX: 00007fbcde6324eb
  kernel: [ 776.930859] RDX: 000000000000001c RSI: 00007fbcd8a7ecf0 RDI: 0000000000000022
  kernel: [ 776.930860] RBP: 00007fbcd8a7edb0 R08: 0000000000000000 R09: 00007fbcd8a7edf8
  kernel: [ 776.930861] R10: 00007fbcd8a7edf0 R11: 0000000000000293 R12: 0000250e77c19710
  kernel: [ 776.930862] R13: 0000250e77c19900 R14: 00007fbcd8a7edc8 R15: 00007fbcd8a7edc8
  kernel: [ 776.930863] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel ccm rfcomm uhid algif_hash algif_skcipher af_alg cmac bnep sof_pci_dev snd_sof_intel_hda_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof snd_sof_nocodec snd_sof_xtensa_dsp snd_soc_skl snd_hda_codec_hdmi snd_soc_hdac_hda snd_hda_ext_core snd_soc_skl_ipc nls_iso8859_1 snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_hda_codec_realtek snd_compress snd_hda_codec_generic ac97_bus snd_pcm_dmaengine ath10k_pci mei_hdcp snd_hda_intel intel_rapl_msr snd_hda_codec ath10k_core snd_hda_core snd_hwdep dell_laptop ath snd_pcm ledtrig_audio joydev mac80211 snd_seq_midi x86_pkg_temp_thermal snd_seq_midi_event intel_powerclamp coretemp snd_rawmidi kvm_intel uvcvideo btusb dell_wmi videobuf2_vmalloc kvm btrtl snd_seq videobuf2_memops btbcm irqbypass dell_smbios intel_cstate dcdbas btintel videobuf2_v4l2 intel_rapl_perf snd_seq_device bluetooth snd_timer input_leds snd serio_raw
  kernel: [ 776.930888] wmi_bmof cfg80211 videobuf2_common intel_wmi_thunderbolt dell_wmi_descriptor ecdh_generic videodev rtsx_pci_ms soundcore processor_thermal_device mc mei_me libarc4 ecc ucsi_acpi hid_multitouch mei intel_rapl_common idma64 typec_ucsi memstick virt_dma intel_soc_dts_iosf intel_pch_thermal typec cdc_acm mac_hid int3403_thermal int340x_thermal_zone int3400_thermal intel_hid acpi_thermal_rel acpi_pad sparse_keymap sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_crypt hid_generic crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 aesni_intel aes_x86_64 crypto_simd rtsx_pci_sdmmc cryptd i2c_algo_bit glue_helper drm_kms_helper psmouse syscopyarea nvme sysfillrect sysimgblt fb_sys_fops thunderbolt rtsx_pci nvme_core drm i2c_i801 intel_lpss_pci intel_lpss i2c_hid wmi hid pinctrl_cannonlake video pinctrl_intel
  kernel: [ 776.930910] CR2: 0000000000001070
  kernel: [ 776.930912] ---[ end trace a4cf4135f35abbbd ]---
  kernel: [ 776.930913] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
  kernel: [ 776.930915] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
  kernel: [ 776.930916] RSP: 0018:ffffbeb841a9fcd8 EFLAGS: 00010202
  kernel: [ 776.930917] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
  kernel: [ 776.930917] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
  kernel: [ 776.930918] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
  kernel: [ 776.930919] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
  kernel: [ 776.930919] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
  kernel: [ 776.930921] FS: 00007fbcd8a82700(0000) GS:ffffa0939e4c0000(0000) knlGS:0000000000000000
  kernel: [ 776.930921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: [ 776.930922] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
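
Triage sketch for the oops above, added here as an example and not part of the original bug report or the kernel fix: it parses syslog lines, extracts the fault address, process name, faulting kernel symbol and reliable call-trace frames, and flags oopses whose kernel RIP is in ip6_sk_dst_store_flow. Treating that symbol as the signature is an assumption, the names parse_oopses and candidate_hits are hypothetical, and the sample lines are abridged from the trace in the report.

```python
import re

# Assumption: an oops whose kernel RIP is in this function is a candidate hit
# for this bug; the symbol is taken from the trace quoted in the report.
SUSPECT_SYMBOL = "ip6_sk_dst_store_flow"
FAULT = "BUG: unable to handle page fault for address:"
KRIP = "RIP: 0010:"   # code segment 0x10 = kernel mode on x86-64

# Sample input, abridged from the syslog excerpt in the bug description.
SAMPLE = """\
kernel: [ 776.930804] BUG: unable to handle page fault for address: 0000000000001070
kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu
kernel: [ 776.930817] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
kernel: [ 776.930828] Call Trace:
kernel: [ 776.930832] ip6_datagram_dst_update+0x15e/0x280
kernel: [ 776.930835] ? _raw_read_unlock_bh+0x20/0x30
kernel: [ 776.930837] __ip6_datagram_connect+0x1da/0x380
kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb
kernel: [ 776.930912] ---[ end trace a4cf4135f35abbbd ]---
"""

LINE = re.compile(r"kernel: \[\s*\d+\.\d+\]\s?(.*)")
# A stack frame: optional "? " (unreliable entry), symbol+offset/size, optional [module].
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")

def parse_oopses(text):
    """Return one dict per page-fault oops found in syslog text."""
    found, cur = [], None
    for msg in (m.group(1).strip() for m in map(LINE.search, text.splitlines()) if m):
        if msg.startswith(FAULT):
            cur = {"addr": msg.rsplit(" ", 1)[1], "comm": None, "rip": None, "trace": []}
            found.append(cur)
        elif cur is None:
            continue                      # not inside an oops record
        elif msg.startswith("---[ end trace"):
            cur = None                    # the kernel repeats RIP/registers after this
        elif msg.startswith(KRIP) and cur["rip"] is None:
            cur["rip"] = msg[len(KRIP):].split("+")[0]
        elif " Comm: " in msg and cur["comm"] is None:
            cur["comm"] = msg.split(" Comm: ")[1].split()[0]
        else:
            f = FRAME.match(msg)
            if f and not f.group(1):      # keep only reliable frames
                cur["trace"].append(f.group(2))
    return found

def candidate_hits(text):
    """Oopses whose faulting kernel symbol matches SUSPECT_SYMBOL."""
    return [o for o in parse_oopses(text) if o["rip"] == SUSPECT_SYMBOL]
```
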

