Thanks to Jason for alerting us to this issue and pointing us at the
fix!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1847478

Title:
  eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF
  is set on suppress rule"

Status in linux package in Ubuntu:
  In Progress

Bug description:
  [Impact]

  An unprivileged local attacker could cause a denial of service, or
  possibly execute arbitrary code due to an ipv6 regression.

  [Test Case]

  An unpatched system will crash with the following command:

  $ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'

  [Regression Potential]

  Low. The change could theoretically introduce a memory leak but that
  would still be an improvement over immediate loss of system
  availability.

  [Original Description]

  Having recently upgraded to Eoan Ermine from Disco Dingo, my
  previously rock-solid wireguard now locks the system up shortly after
  I take the connection down with wg-quick down wg0.

  Package:

  wireguard:
    Installed: 0.0.20190913-1ubuntu1
    Candidate: 0.0.20190913-1ubuntu1
    Version table:
   *** 0.0.20190913-1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages
          500 http://gb.archive.ubuntu.com/ubuntu eoan/universe i386 Packages
          100 /var/lib/dpkg/status

  Kernel:
  5.3.0-13-generic

  Snipped from /var/log/syslog:

  kernel: [  776.930804] BUG: unable to handle page fault for address: 0000000000001070
  kernel: [  776.930807] #PF: supervisor read access in kernel mode
  kernel: [  776.930808] #PF: error_code(0x0000) - not-present page
  kernel: [  776.930809] PGD 0 P4D 0
  kernel: [  776.930811] Oops: 0000 [#1] SMP NOPTI
  kernel: [  776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G           OE     5.3.0-13-generic #14-Ubuntu
  kernel: [  776.930813] Hardware name: Dell Inc. XPS 13 9380/0KTW76, BIOS 1.7.0 08/05/2019
  kernel: [  776.930817] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
  kernel: [  776.930819] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
  kernel: [  776.930820] RSP: 0018:ffffbeb841a9fcd8 EFLAGS: 00010202
  kernel: [  776.930821] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
  kernel: [  776.930822] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
  kernel: [  776.930823] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
  kernel: [  776.930823] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
  kernel: [  776.930824] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
  kernel: [  776.930825] FS:  00007fbcd8a82700(0000) GS:ffffa0939e4c0000(0000) knlGS:0000000000000000
  kernel: [  776.930826] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: [  776.930827] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
  kernel: [  776.930828] Call Trace:
  kernel: [  776.930832]  ip6_datagram_dst_update+0x15e/0x280
  kernel: [  776.930835]  ? _raw_read_unlock_bh+0x20/0x30
  kernel: [  776.930837]  __ip6_datagram_connect+0x1da/0x380
  kernel: [  776.930839]  ip6_datagram_connect+0x2d/0x50
  kernel: [  776.930841]  inet_dgram_connect+0x3f/0xc0
  kernel: [  776.930843]  __sys_connect+0xf1/0x130
  kernel: [  776.930846]  ? do_fcntl+0xe4/0x550
  kernel: [  776.930848]  ? fput+0x13/0x15
  kernel: [  776.930849]  __x64_sys_connect+0x1a/0x20
  kernel: [  776.930852]  do_syscall_64+0x5a/0x130
  kernel: [  776.930854]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  kernel: [  776.930855] RIP: 0033:0x7fbcde6324eb
  kernel: [  776.930856] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 ab fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 e1 fa ff ff 8b 44
  kernel: [  776.930857] RSP: 002b:00007fbcd8a7ec90 EFLAGS: 00000293 ORIG_RAX: 000000000000002a
  kernel: [  776.930859] RAX: ffffffffffffffda RBX: 00000000ffffff94 RCX: 00007fbcde6324eb
  kernel: [  776.930859] RDX: 000000000000001c RSI: 00007fbcd8a7ecf0 RDI: 0000000000000022
  kernel: [  776.930860] RBP: 00007fbcd8a7edb0 R08: 0000000000000000 R09: 00007fbcd8a7edf8
  kernel: [  776.930861] R10: 00007fbcd8a7edf0 R11: 0000000000000293 R12: 0000250e77c19710
  kernel: [  776.930862] R13: 0000250e77c19900 R14: 00007fbcd8a7edc8 R15: 00007fbcd8a7edc8
  kernel: [  776.930863] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel ccm rfcomm uhid algif_hash algif_skcipher af_alg cmac bnep sof_pci_dev snd_sof_intel_hda_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof snd_sof_nocodec snd_sof_xtensa_dsp snd_soc_skl snd_hda_codec_hdmi snd_soc_hdac_hda snd_hda_ext_core snd_soc_skl_ipc nls_iso8859_1 snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_hda_codec_realtek snd_compress snd_hda_codec_generic ac97_bus snd_pcm_dmaengine ath10k_pci mei_hdcp snd_hda_intel intel_rapl_msr snd_hda_codec ath10k_core snd_hda_core snd_hwdep dell_laptop ath snd_pcm ledtrig_audio joydev mac80211 snd_seq_midi x86_pkg_temp_thermal snd_seq_midi_event intel_powerclamp coretemp snd_rawmidi kvm_intel uvcvideo btusb dell_wmi videobuf2_vmalloc kvm btrtl snd_seq videobuf2_memops btbcm irqbypass dell_smbios intel_cstate dcdbas btintel videobuf2_v4l2 intel_rapl_perf snd_seq_device bluetooth snd_timer input_leds snd serio_raw
  kernel: [  776.930888]  wmi_bmof cfg80211 videobuf2_common intel_wmi_thunderbolt dell_wmi_descriptor ecdh_generic videodev rtsx_pci_ms soundcore processor_thermal_device mc mei_me libarc4 ecc ucsi_acpi hid_multitouch mei intel_rapl_common idma64 typec_ucsi memstick virt_dma intel_soc_dts_iosf intel_pch_thermal typec cdc_acm mac_hid int3403_thermal int340x_thermal_zone int3400_thermal intel_hid acpi_thermal_rel acpi_pad sparse_keymap sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_crypt hid_generic crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 aesni_intel aes_x86_64 crypto_simd rtsx_pci_sdmmc cryptd i2c_algo_bit glue_helper drm_kms_helper psmouse syscopyarea nvme sysfillrect sysimgblt fb_sys_fops thunderbolt rtsx_pci nvme_core drm i2c_i801 intel_lpss_pci intel_lpss i2c_hid wmi hid pinctrl_cannonlake video pinctrl_intel
  kernel: [  776.930910] CR2: 0000000000001070
  kernel: [  776.930912] ---[ end trace a4cf4135f35abbbd ]---
  kernel: [  776.930913] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
  kernel: [  776.930915] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50
  kernel: [  776.930916] RSP: 0018:ffffbeb841a9fcd8 EFLAGS: 00010202
  kernel: [  776.930917] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
  kernel: [  776.930917] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
  kernel: [  776.930918] RBP: ffffbeb841a9fcf0 R08: 0000000000000000 R09: 0000000000000000
  kernel: [  776.930919] R10: 0000000000000000 R11: ffffa093948fd800 R12: ffffa0933c829360
  kernel: [  776.930919] R13: ffffa0933c828f38 R14: 0000000000000001 R15: ffffa0933c829360
  kernel: [  776.930921] FS:  00007fbcd8a82700(0000) GS:ffffa0939e4c0000(0000) knlGS:0000000000000000
  kernel: [  776.930921] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: [  776.930922] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
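
An added triage example (not part of the bug report and not Ubuntu or kernel tooling): it parses a few lines of the oops above, keeps only the confirmed call-trace frames, and decodes the faulting instruction marked `<48>` to show which register held the bad pointer. The function name `triage`, the 0x10000 threshold and the trimmed sample lines are assumptions made for this example.

```python
import re

# Lines copied from the oops above with e-mail wrapping undone; the
# Code: bytes are trimmed to the tail that contains the <..> fault marker.
OOPS = """\
kernel: [  776.930804] BUG: unable to handle page fault for address: 0000000000001070
kernel: [  776.930817] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0
kernel: [  776.930819] Code: 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0
kernel: [  776.930821] RAX: 0000000000000080 RBX: ffffa0933c829360 RCX: 0000000000000007
kernel: [  776.930822] RDX: ffffbeb841a9fd20 RSI: 0000000000001000 RDI: ffffa0933c828f00
kernel: [  776.930827] CR2: 0000000000001070 CR3: 000000049172a004 CR4: 00000000003606e0
kernel: [  776.930832]  ip6_datagram_dst_update+0x15e/0x280
kernel: [  776.930835]  ? _raw_read_unlock_bh+0x20/0x30
kernel: [  776.930837]  __ip6_datagram_connect+0x1da/0x380
"""

# x86-64 register order of the ModRM r/m field (REX.B extension not handled).
RM_REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def triage(text):
    regs = {k: int(v, 16)
            for k, v in re.findall(r"\b(R[A-Z]{2}|CR2): ([0-9a-f]{16})", text)}
    rip = re.search(r"RIP: 0010:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", text).group(1)
    # Frames prefixed with "?" are stack leftovers the unwinder could not confirm.
    trace = re.findall(r"\]  (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", text)
    code = re.search(r"Code: (.*)", text).group(1).split()
    i = next(n for n, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[i:i + 4]]
    base = ea = None
    # Decode only the form seen here: REX.W 8B /r with mod=01 (base reg + disp8).
    if insn[:2] == [0x48, 0x8B] and (insn[2] >> 6) == 1 and (insn[2] & 7) != 4:
        base = RM_REGS[insn[2] & 7]
        disp = insn[3] - 256 if insn[3] > 127 else insn[3]
        ea = regs[base] + disp
    return {
        "rip": rip,
        "trace": trace,
        "fault_addr": regs["CR2"],
        "base_reg": base,
        "computed_addr": ea,
        # Below the typical vm.mmap_min_addr default (65536): not a kernel pointer.
        "low_address": regs["CR2"] < 0x10000,
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(key, value)
```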
