Hello community, here is the log from the commit of package wireguard for openSUSE:Factory checked in at 2020-02-15 22:25:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wireguard (Old) and /work/SRC/openSUSE:Factory/.wireguard.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wireguard"
Sat Feb 15 22:25:49 2020 rev:10 rq:774408 version:0.0.20200214
Changes:
--------
--- /work/SRC/openSUSE:Factory/wireguard/wireguard.changes 2020-02-06 13:08:59.176360989 +0100
+++ /work/SRC/openSUSE:Factory/.wireguard.new.26092/wireguard.changes 2020-02-15 22:25:58.687327821 +0100
@@ -1,0 +2,9 @@
+Fri Feb 14 16:08:24 UTC 2020 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 0.0.20200214
+ * chacha20poly1305: defensively protect against large inputs
+ * netns: ensure that icmp src address is correct with nat
+ * receive: reset last_under_load to zero
+ * send: account for mtu=0 devices
+
+-------------------------------------------------------------------
Old:
----
wireguard-linux-compat-0.0.20200205.tar.asc
wireguard-linux-compat-0.0.20200205.tar.xz
New:
----
wireguard-linux-compat-0.0.20200214.tar.asc
wireguard-linux-compat-0.0.20200214.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ wireguard.spec ++++++
--- /var/tmp/diff_new_pack.qbNheu/_old 2020-02-15 22:25:59.227328113 +0100
+++ /var/tmp/diff_new_pack.qbNheu/_new 2020-02-15 22:25:59.227328113 +0100
@@ -18,7 +18,7 @@
 Name: wireguard
-Version: 0.0.20200205
+Version: 0.0.20200214
 Release: 0
 Summary: Fast, modern, secure kernel VPN tunnel
 License: GPL-2.0-only
++++++ wireguard-linux-compat-0.0.20200205.tar.xz -> wireguard-linux-compat-0.0.20200214.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/compat/compat.h new/wireguard-linux-compat-0.0.20200214/src/compat/compat.h
--- old/wireguard-linux-compat-0.0.20200205/src/compat/compat.h 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/compat/compat.h 2020-02-14 14:33:05.000000000 +0100
@@ -932,6 +932,98 @@
 #define chacha20_neon zinc_chacha20_neon
 #endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 19, 0)
+#include <linux/skbuff.h>
+static inline int skb_ensure_writable(struct sk_buff *skb, int write_len)
+{
+ if (!pskb_may_pull(skb, write_len))
+ return -ENOMEM;
+
+ if (!skb_cloned(skb) || skb_clone_writable(skb, write_len))
+ return 0;
+
+ return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if IS_ENABLED(CONFIG_NF_NAT)
+#include <linux/ip.h>
+#include <linux/icmpv6.h>
+#include <net/ipv6.h>
+#include <net/icmp.h>
+#include <net/netfilter/nf_conntrack.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
+#include <net/netfilter/nf_nat_core.h>
+#endif
+static inline void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+{
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+ if (!ct || !(ct->status & IPS_SRC_NAT)) {
+ icmp_send(skb_in, type, code, info);
+ return;
+ }
+
+ if (skb_shared(skb_in))
+ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
+
+ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
+ (skb_network_header(skb_in) + sizeof(struct iphdr)) >
+ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
+ skb_network_offset(skb_in) + sizeof(struct iphdr))))
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+ ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
+ icmp_send(skb_in, type, code, info);
+ ip_hdr(skb_in)->saddr = orig_ip;
+out:
+ consume_skb(cloned_skb);
+}
+static inline void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+{
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+ if (!ct || !(ct->status & IPS_SRC_NAT)) {
+ icmpv6_send(skb_in, type, code, info);
+ return;
+ }
+
+ if (skb_shared(skb_in))
+ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
+
+ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
+ (skb_network_header(skb_in) + sizeof(struct ipv6hdr)) >
+ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
+ skb_network_offset(skb_in) + sizeof(struct ipv6hdr))))
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+ ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
+ icmpv6_send(skb_in, type, code, info);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+out:
+ consume_skb(cloned_skb);
+}
+#else
+#define icmp_ndo_send icmp_send
+#define icmpv6_ndo_send icmpv6_send
+#endif
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#define COMPAT_CANNOT_USE_MAX_MTU
+#endif
+
 #if defined(ISUBUNTU1604)
 #include <linux/siphash.h>
 #ifndef _WG_LINUX_SIPHASH_H
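Review bot: icmp_ndo_send() and icmpv6_ndo_send() carry no comment explaining why the source address is swapped, nor that the `goto out` path after the `skb_ensure_writable` check deliberately sends no ICMP error at all when the clone fails or the header cannot be made writable; a header comment such as `/* Backport of the 5.6 helper: for an SNATed packet, temporarily put the pre-NAT source back so the ICMP error reaches the real sender; if the header cannot be made writable, send nothing rather than an error carrying the wrong address. */` would make both decisions visible. The hard-coded `tuplehash[0]` would read better as `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip` (and `.in6` in the v6 twin), which is what the index means. The two functions are line-for-line duplicates differing only in the header type and address width, so one comment on the first should point at the second rather than be repeated. The compat `skb_ensure_writable` shim above returns `-ENOMEM` on a failed pull, and that error code is silently folded into the `goto out` here, which the same comment should say.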
@@ -956,40 +1048,6 @@
 #define BUILD_BUG_ON(x)
 #endif
-/* https://lkml.kernel.org/r/20170624021727.17835-1-ja...@zx2c4.com */
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <linux/ip.h>
-#include <linux/icmpv6.h>
-#include <net/ipv6.h>
-#include <net/icmp.h>
-#include <net/netfilter/nf_conntrack.h>
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
-#include <net/netfilter/nf_nat_core.h>
-#endif
-static inline void new_icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
-{
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb_in, &ctinfo);
- if (skb_network_header(skb_in) < skb_in->head || (skb_network_header(skb_in) + sizeof(struct iphdr)) > skb_tail_pointer(skb_in))
- return;
- if (ct)
- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
- icmp_send(skb_in, type, code, info);
-}
-static inline void new_icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
-{
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- if (skb_network_header(skb) < skb->head || (skb_network_header(skb) + sizeof(struct ipv6hdr)) > skb_tail_pointer(skb))
- return;
- if (ct)
- ipv6_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
- icmpv6_send(skb, type, code, info);
-}
-#define icmp_send(a,b,c,d) new_icmp_send(a,b,c,d)
-#define icmpv6_send(a,b,c,d) new_icmpv6_send(a,b,c,d)
-#endif
-
 /* PaX compatibility */
 #ifdef CONSTIFY_PLUGIN
 #include <linux/cache.h>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/crypto/zinc/chacha20poly1305.c new/wireguard-linux-compat-0.0.20200214/src/crypto/zinc/chacha20poly1305.c
--- old/wireguard-linux-compat-0.0.20200205/src/crypto/zinc/chacha20poly1305.c 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/crypto/zinc/chacha20poly1305.c 2020-02-14 14:33:05.000000000 +0100
@@ -92,6 +92,8 @@
 __le64 lens[2];
 } b __aligned(16) = { { 0 } };
+ if (WARN_ON(src_len > INT_MAX))
+ return false;
 chacha20_init(&chacha20_state, key, nonce);
 chacha20(&chacha20_state, b.block0, b.block0, sizeof(b.block0),
@@ -253,7 +255,7 @@
 } b __aligned(16) = { { 0 } };
 bool ret = false;
- if (unlikely(src_len < POLY1305_MAC_SIZE))
+ if (unlikely(src_len < POLY1305_MAC_SIZE || WARN_ON(src_len > INT_MAX)))
 return ret;
 src_len -= POLY1305_MAC_SIZE;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/device.c new/wireguard-linux-compat-0.0.20200214/src/device.c
--- old/wireguard-linux-compat-0.0.20200205/src/device.c 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/device.c 2020-02-14 14:33:05.000000000 +0100
@@ -211,9 +211,9 @@
 err:
 ++dev->stats.tx_errors;
 if (skb->protocol == htons(ETH_P_IP))
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
 else if (skb->protocol == htons(ETH_P_IPV6))
- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
+ icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
 kfree_skb(skb);
 return ret;
 }
@@ -266,6 +266,8 @@
 enum { WG_NETDEV_FEATURES = NETIF_F_HW_CSUM | NETIF_F_RXCSUM | NETIF_F_SG | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA };
+ const int overhead = MESSAGE_MINIMUM_LENGTH + sizeof(struct udphdr) +
+ max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
 dev->netdev_ops = &netdev_ops;
 dev->hard_header_len = 0;
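Review bot: The new `WARN_ON(src_len > INT_MAX)` in both chacha20poly1305.c hunks turns an oversized length into a kernel warning (and a panic where panic_on_warn is set) rather than a quiet rejection, which is only right if every caller already bounds src_len before reaching here, and neither hunk says where that bound comes from. Presumably it is the `dev->max_mtu` cap added to device.c in this same release, so each check deserves a one-line comment such as `/* Callers cap lengths via the device MTU; exceeding INT_MAX is a caller bug, not bad input. */`. In the second hunk the `||` ordering means a too-short buffer still returns quietly and only the oversized case warns, which is the right split and worth stating in the same comment. Both enclosing functions start before their hunks, so the signatures and the callers' length types are not visible here.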
@@ -283,9 +285,10 @@
 dev->features |= WG_NETDEV_FEATURES;
 dev->hw_features |= WG_NETDEV_FEATURES;
 dev->hw_enc_features |= WG_NETDEV_FEATURES;
- dev->mtu = ETH_DATA_LEN - MESSAGE_MINIMUM_LENGTH -
- sizeof(struct udphdr) -
- max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
+ dev->mtu = ETH_DATA_LEN - overhead;
+#ifndef COMPAT_CANNOT_USE_MAX_MTU
+ dev->max_mtu = round_down(INT_MAX, MESSAGE_PADDING_MULTIPLE) - overhead;
+#endif
 SET_NETDEV_DEVTYPE(dev, &device_type);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/dkms.conf new/wireguard-linux-compat-0.0.20200214/src/dkms.conf
--- old/wireguard-linux-compat-0.0.20200205/src/dkms.conf 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/dkms.conf 2020-02-14 14:33:05.000000000 +0100
@@ -1,5 +1,5 @@
 PACKAGE_NAME="wireguard"
-PACKAGE_VERSION="0.0.20200205"
+PACKAGE_VERSION="0.0.20200214"
 AUTOINSTALL=yes
 BUILT_MODULE_NAME="wireguard"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/receive.c new/wireguard-linux-compat-0.0.20200214/src/receive.c
--- old/wireguard-linux-compat-0.0.20200205/src/receive.c 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/receive.c 2020-02-14 14:33:05.000000000 +0100
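Review bot: `dev->max_mtu` is assigned only under `#ifndef COMPAT_CANNOT_USE_MAX_MTU`, so on kernels before 4.10 (where compat.h now defines that macro) the cap that keeps encrypted lengths within the `INT_MAX` bound asserted in chacha20poly1305.c is not installed, and nothing in the hunk says what enforces the bound there. If the pre-4.10 path relies on some other MTU validation, a comment beside the `#ifndef` should name it; from this hunk alone I cannot tell whether that is a gap or merely undocumented. The assignment itself also deserves a why-comment, e.g. `/* Largest MTU whose padded payload still fits the int lengths the crypto code asserts on. */`. In the `@@ -266` hunk, `overhead` is declared `const int` but built from `sizeof` and `max()` on `size_t`, so the implicit narrowing is harmless today but `-Wconversion` will flag it; `const unsigned int` would presumably match the net_device MTU fields better, though their declarations are not visible here.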
@@ -119,10 +119,13 @@
 under_load = skb_queue_len(&wg->incoming_handshakes) >=
 MAX_QUEUED_INCOMING_HANDSHAKES / 8;
- if (under_load)
+ if (under_load) {
 last_under_load = ktime_get_coarse_boottime_ns();
- else if (last_under_load)
+ } else if (last_under_load) {
 under_load = !wg_birthdate_has_expired(last_under_load, 1);
+ if (!under_load)
+ last_under_load = 0;
+ }
 mac_state = wg_cookie_validate_packet(&wg->cookie_checker, skb,
 under_load);
 if ((under_load && mac_state == VALID_MAC_WITH_COOKIE) ||
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/send.c new/wireguard-linux-compat-0.0.20200214/src/send.c
--- old/wireguard-linux-compat-0.0.20200205/src/send.c 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/send.c 2020-02-14 14:33:05.000000000 +0100
@@ -149,7 +149,8 @@
 * wouldn't want the final subtraction to overflow in the case of the
 * padded_size being clamped.
 */
- unsigned int last_unit = skb->len % PACKET_CB(skb)->mtu;
+ unsigned int last_unit = PACKET_CB(skb)->mtu ?
+ skb->len % PACKET_CB(skb)->mtu : skb->len;
 unsigned int padded_size = ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE);
 if (padded_size > PACKET_CB(skb)->mtu)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh new/wireguard-linux-compat-0.0.20200214/src/tests/netns.sh
--- old/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/tests/netns.sh 2020-02-14 14:33:05.000000000 +0100
@@ -24,6 +24,7 @@
 set -e
 exec 3>&1
+export LANG=C
 export WG_HIDE_KEYS=never
 netns0="wg-test-$$-0"
 netns1="wg-test-$$-1"
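Review bot: The new `last_under_load = 0;` in receive.c is what makes the `else if (last_under_load)` guard meaningful again — once `wg_birthdate_has_expired()` says the one-second window is over, the stale timestamp is cleared so later handshakes skip the expiry check until load returns — but that intent is not written down, and the variable's declaration lies outside the hunk. A short comment on the new line, `/* Window expired: clear so later packets skip the expiry check until load returns. */`, would explain why zero is special here. The enclosing function starts before the hunk, so whether this store can race with other handshake workers cannot be judged from what is visible; if the variable is shared, the pre-existing write on the line above has the same question, so it is a documentation point rather than a change request.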
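Review bot: The mtu==0 case in send.c is only half handled: `last_unit` now avoids the division, but the `if (padded_size > PACKET_CB(skb)->mtu)` directly below is then true for every non-empty skb, and if its body clamps `padded_size` to the mtu as the comment above describes, the "final subtraction" that comment warns about becomes `0 - skb->len` and wraps to a huge unsigned padding. The clamp body and the return are outside the hunk, so this is inferred from the existing comment rather than seen. The safe shape takes the no-MTU case out before the clamp, e.g. `if (unlikely(!PACKET_CB(skb)->mtu))` / `return ALIGN(skb->len, MESSAGE_PADDING_MULTIPLE) - skb->len;`, which also reads more clearly than a conditional expression wrapped across two lines. The comment block above should then state that a zero mtu means the device has none and the whole skb is padded as a single unit.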
@@ -300,7 +301,17 @@
 n1 ping -W 1 -c 100 -f abab::1111
 fi
+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
+ip0 -4 route add 192.168.241.1 via 10.0.0.100
+n2 wg set wg0 peer "$pub1" remove
+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
+
 n0 iptables -t nat -F
+n0 iptables -t filter -F
+n2 iptables -t nat -F
 ip0 link del vethrc
 ip0 link del vethrs
 ip1 link del wg0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/version.h new/wireguard-linux-compat-0.0.20200214/src/version.h
--- old/wireguard-linux-compat-0.0.20200205/src/version.h 2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/version.h 2020-02-14 14:33:05.000000000 +0100
@@ -1,3 +1,3 @@
 #ifndef WIREGUARD_VERSION
-#define WIREGUARD_VERSION "0.0.20200205"
+#define WIREGUARD_VERSION "0.0.20200214"
 #endif
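Review bot: The new `[[ ... == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]` assertion pins the test to iputils' English wording, which is exactly why `export LANG=C` is added at line 24 in the earlier hunk, yet neither line says so; a comment next to the assertion such as `# Matches iputils wording; relies on LANG=C set at the top of the script.` would spare the next reader a puzzling locale-dependent failure. The existing comment should also spell out that `10.0.0.100` is the pre-NAT source, i.e. the ICMP error must come back with ns0's real address rather than the SNATed `192.168.241.2`, since that is the behaviour the compat `icmp_ndo_send()` exists to provide. The `ip_forward` sysctl written in ns2 and the added route are not reverted by the teardown lines visible here, which only flush the iptables rules and delete the links; that is fine if the namespaces are destroyed at the end of the script, but the hunk does not show it.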