Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
that's great! thanks to the openwrt team for the quick work from that patch: "If identical queries from IPv4 and IPv6 sources are combined by the new code added in 15b60ddf935a531269bb8c68198de012a4967156 then replies can end up being sent via the wrong family of socket. The ->fd should be per query, not per-question. In bind-interfaces mode, this could also result in replies being sent via the wrong socket even when IPv4/IPV6 issues are not in play." On Sat, Jan 23, 2021 at 11:29 AM Jonathan Foulkes wrote: > > Hi Seb, someone did just that and even better, compared two builds with the > dnsmasq being the only variable, and did not see any differences: > https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/85 > > From other comments, looks like they found the bug and are testing the fix. > https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commitdiff;h=9a18346676850646764072ffcfd32ad9396d95c3 > > Jonathan > > > On Jan 22, 2021, at 4:40 PM, Sebastian Moeller wrote: > > > > Could you try to run top or htop and look at the CPU load? I could imagine > > that the fixes dnsmasq might have some CPU spikes that simply leave not > > enough cycles for the traffic shaper? > > > > Best Regards > > Sebastian > > > >> On Jan 22, 2021, at 22:25, Jonathan Foulkes > >> wrote: > >> > >> I figure there should be no inter-dependencies there, but the side-effect > >> of the new dnsmasq is pretty serious. > >> > >> I did not install .6, I only performed an opkg update of the dnamasq > >> package itself. So kernal is the same in my case. > >> > >> But others running a full .6 build report similar QoS issues. > >> > >> I regressed back to .4 and all is good on the QoS front, waiting until a > >> new drop of dnsmasq before trying again. > >> > >> - Jonathan > >> > >>> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen wrote: > >>> > >>> Jonathan Foulkes writes: > >>> > I installed the updated package on a 19.07.4 box running cake, and QoS > performance went down the tubes. > Last night it locked up completely while attempting to stream. > > See the PingPlots others have posted to this forum thread, mine look > similar, went from constant sub 50ms to very spiky, then some loss, loss > increasing, and if high traffic, lock-up. > https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 > > load is low, sirq is low, so box does not seem stressed. > > Any reason Cake would be sensitive to a dnsmasq bug? > >>> > >>> No, not really. I mean, dnsmasq could be sending some traffic that > >>> interferes with stuff? Or it could be a kernel regression - the release > >>> did bump the kernel version as well... > >>> > >>> -Toke > >> > >> ___ > >> Bloat mailing list > >> Bloat@lists.bufferbloat.net > >> https://lists.bufferbloat.net/listinfo/bloat > > > > ___ > Bloat mailing list > Bloat@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/bloat ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
Hi Seb, someone did just that and even better, compared two builds with the dnsmasq being the only variable, and did not see any differences: https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/85 From other comments, looks like they found the bug and are testing the fix. https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commitdiff;h=9a18346676850646764072ffcfd32ad9396d95c3 Jonathan > On Jan 22, 2021, at 4:40 PM, Sebastian Moeller wrote: > > Could you try to run top or htop and look at the CPU load? I could imagine > that the fixes dnsmasq might have some CPU spikes that simply leave not > enough cycles for the traffic shaper? > > Best Regards > Sebastian > >> On Jan 22, 2021, at 22:25, Jonathan Foulkes wrote: >> >> I figure there should be no inter-dependencies there, but the side-effect of >> the new dnsmasq is pretty serious. >> >> I did not install .6, I only performed an opkg update of the dnamasq package >> itself. So kernal is the same in my case. >> >> But others running a full .6 build report similar QoS issues. >> >> I regressed back to .4 and all is good on the QoS front, waiting until a new >> drop of dnsmasq before trying again. >> >> - Jonathan >> >>> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen wrote: >>> >>> Jonathan Foulkes writes: >>> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes. Last night it locked up completely while attempting to stream. See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up. https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 load is low, sirq is low, so box does not seem stressed. Any reason Cake would be sensitive to a dnsmasq bug? >>> >>> No, not really. I mean, dnsmasq could be sending some traffic that >>> interferes with stuff? Or it could be a kernel regression - the release >>> did bump the kernel version as well... >>> >>> -Toke >> >> ___ >> Bloat mailing list >> Bloat@lists.bufferbloat.net >> https://lists.bufferbloat.net/listinfo/bloat > ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
Could you try to run top or htop and look at the CPU load? I could imagine that the fixes dnsmasq might have some CPU spikes that simply leave not enough cycles for the traffic shaper? Best Regards Sebastian > On Jan 22, 2021, at 22:25, Jonathan Foulkes wrote: > > I figure there should be no inter-dependencies there, but the side-effect of > the new dnsmasq is pretty serious. > > I did not install .6, I only performed an opkg update of the dnamasq package > itself. So kernal is the same in my case. > > But others running a full .6 build report similar QoS issues. > > I regressed back to .4 and all is good on the QoS front, waiting until a new > drop of dnsmasq before trying again. > > - Jonathan > >> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen wrote: >> >> Jonathan Foulkes writes: >> >>> I installed the updated package on a 19.07.4 box running cake, and QoS >>> performance went down the tubes. >>> Last night it locked up completely while attempting to stream. >>> >>> See the PingPlots others have posted to this forum thread, mine look >>> similar, went from constant sub 50ms to very spiky, then some loss, loss >>> increasing, and if high traffic, lock-up. >>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 >>> >>> load is low, sirq is low, so box does not seem stressed. >>> >>> Any reason Cake would be sensitive to a dnsmasq bug? >> >> No, not really. I mean, dnsmasq could be sending some traffic that >> interferes with stuff? Or it could be a kernel regression - the release >> did bump the kernel version as well... >> >> -Toke > > ___ > Bloat mailing list > Bloat@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/bloat ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
Daniel Sterling writes: > On Fri, Jan 22, 2021 at 4:25 PM Jonathan Foulkes > wrote: >> I did not install .6, I only performed an opkg update of the dnamasq package >> itself. So kernal is the same in my case. > > given you just updated the package -- that's extremely weird. > userspace update shouldn't be able to lock up the kernel in any > case. very bizarre. Well, it's a daemon with pretty wide permissions to mess with the system, so it's not impossible (evidently). Still, will be interesting to see what turns out to be the root cause of this... -Toke ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
On Fri, Jan 22, 2021 at 4:25 PM Jonathan Foulkes wrote: > I did not install .6, I only performed an opkg update of the dnamasq package > itself. So kernal is the same in my case. given you just updated the package -- that's extremely weird. userspace update shouldn't be able to lock up the kernel in any case. very bizarre. -- Dan ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
I figure there should be no inter-dependencies there, but the side-effect of the new dnsmasq is pretty serious. I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case. But others running a full .6 build report similar QoS issues. I regressed back to .4 and all is good on the QoS front, waiting until a new drop of dnsmasq before trying again. - Jonathan > On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen wrote: > > Jonathan Foulkes writes: > >> I installed the updated package on a 19.07.4 box running cake, and QoS >> performance went down the tubes. >> Last night it locked up completely while attempting to stream. >> >> See the PingPlots others have posted to this forum thread, mine look >> similar, went from constant sub 50ms to very spiky, then some loss, loss >> increasing, and if high traffic, lock-up. >> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 >> >> load is low, sirq is low, so box does not seem stressed. >> >> Any reason Cake would be sensitive to a dnsmasq bug? > > No, not really. I mean, dnsmasq could be sending some traffic that > interferes with stuff? Or it could be a kernel regression - the release > did bump the kernel version as well... > > -Toke ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
Jonathan Foulkes writes: > I installed the updated package on a 19.07.4 box running cake, and QoS > performance went down the tubes. > Last night it locked up completely while attempting to stream. > > See the PingPlots others have posted to this forum thread, mine look similar, > went from constant sub 50ms to very spiky, then some loss, loss increasing, > and if high traffic, lock-up. > https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 > > load is low, sirq is low, so box does not seem stressed. > > Any reason Cake would be sensitive to a dnsmasq bug? No, not really. I mean, dnsmasq could be sending some traffic that interferes with stuff? Or it could be a kernel regression - the release did bump the kernel version as well... -Toke ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs
I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes. Last night it locked up completely while attempting to stream. See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up. https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39 load is low, sirq is low, so box does not seem stressed. Any reason Cake would be sensitive to a dnsmasq bug? Anyway, heads-up to wait before deploying the update, A new one should be forthcoming. Thanks, Jonathan Foulkes > On Jan 19, 2021, at 6:20 PM, Toke Høiland-Jørgensen via Bloat > wrote: > > Hi everyone > > In case you haven't seen, there's a new OpenWrt release out[0] that > fixes several CVEs in dnsmasq; seems like quite a bunch at once[1]. > > So in the interest of keeping everyone's routers safe, here's a gentle > nudge to update :) > > -Toke > > [0] https://openwrt.org/releases/19.07/notes-19.07.6 > [1] https://www.jsof-tech.com/disclosures/dnspooq/ > ___ > Bloat mailing list > Bloat@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/bloat ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat
[Bloat] New OpenWrt release fixing several dnsmasq CVEs
Hi everyone In case you haven't seen, there's a new OpenWrt release out[0] that fixes several CVEs in dnsmasq; seems like quite a bunch at once[1]. So in the interest of keeping everyone's routers safe, here's a gentle nudge to update :) -Toke [0] https://openwrt.org/releases/19.07/notes-19.07.6 [1] https://www.jsof-tech.com/disclosures/dnspooq/ ___ Bloat mailing list Bloat@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/bloat