Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-03-09 Thread Celejar
On Mon, 09 Mar 2020 17:22:57 -0400
Daniel Kahn Gillmor wrote:

> On Mon 2020-02-03 13:20:22 -0500, Celejar wrote:
> > Okay, now I've gotten it. I've uninstalled nftables and put in the
> > debug line, and I get this (with 1.0.20200121-2):
> >
> > ~# ifdown wg0
> > [#] ip -4 rule delete table 51820
> > [#] ip -4 rule delete table main suppress_prefixlength 0
> > [#] ip link delete dev wg0
> > [#] resolvconf -d tun.wg0 -f
> > RESTORING: *filter
> > COMMIT
> > *nat
> > COMMIT
> > *mangle
> > -D PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0x --ctmask 0x
> > -D POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0x --ctmask 0x
> > COMMIT
> > *raw
> > COMMIT
> > [#] iptables-restore -n
> > /usr/bin/wg-quick: line 29: 2284068 Segmentation fault  "$@"
> 
> 
> OK, so it looks to me like the problem comes when feeding this set of
> commands into iptables-restore.
> 
> But hm, i'm still having trouble replicating the segfault.
> 
> Is this still happening for you?

Yes (with 1.0.20200206-2)

> Can you send the output of these two commands?
> 
> dpkg -l iptables wireguard

~$ dpkg -l iptables wireguard
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-====================================================
ii  iptables       1.8.4-3        amd64        administration tools for packet filtering and NAT
ii  wireguard      1.0.20200206-2 all          fast, modern, secure kernel VPN tunnel (metapackage)


> dpkg -S $(readlink -f $(which iptables-restore))

~# dpkg -S $(readlink -f $(which iptables-restore))
iptables: /usr/sbin/xtables-nft-multi

> That might help us narrow down the cause of the segfault.
> 
> Sorry for how long this is taking to debug!

Hey, wireguard itself seems entirely functional here - I'm just trying
to do my tiny bit to help Debian! Thank you for all your work on this
and Debian in general (and your privacy work).

Celejar



Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-03-09 Thread Daniel Kahn Gillmor
On Mon 2020-02-03 13:20:22 -0500, Celejar wrote:
> Okay, now I've gotten it. I've uninstalled nftables and put in the
> debug line, and I get this (with 1.0.20200121-2):
>
> ~# ifdown wg0
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev wg0
> [#] resolvconf -d tun.wg0 -f
> RESTORING: *filter
> COMMIT
> *nat
> COMMIT
> *mangle
> -D PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0x --ctmask 0x
> -D POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0x --ctmask 0x
> COMMIT
> *raw
> COMMIT
> [#] iptables-restore -n
> /usr/bin/wg-quick: line 29: 2284068 Segmentation fault  "$@"


OK, so it looks to me like the problem comes when feeding this set of
commands into iptables-restore.

But hm, i'm still having trouble replicating the segfault.

Is this still happening for you?

Can you send the output of these two commands?

dpkg -l iptables wireguard
dpkg -S $(readlink -f $(which iptables-restore)) 

That might help us narrow down the cause of the segfault.

Sorry for how long this is taking to debug!

--dkg




Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-02-03 Thread Celejar
On Tue, 28 Jan 2020 14:14:01 -0500
Daniel Kahn Gillmor wrote:

> On Mon 2020-01-27 19:45:36 -0500, Celejar wrote:
> > I think I'm probably missing something, but lately "ifdown wg0" isn't
> > segfaulting (even after downgrading back to 1.0.20200102-1) - but it
> > doesn't seem to be calling iptables-restore at all, but only nft:
> 
> Ah, that'd be because you installed nft.  If you only had iptables
> installed, and you didn't have nft installed, then you'd exercise the
> different codepath in wg-quick.

Okay, now I've gotten it. I've uninstalled nftables and put in the
debug line, and I get this (with 1.0.20200121-2):

~# ifdown wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
RESTORING: *filter
COMMIT
*nat
COMMIT
*mangle
-D PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0x --ctmask 0x
-D POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0x --ctmask 0x
COMMIT
*raw
COMMIT
[#] iptables-restore -n
/usr/bin/wg-quick: line 29: 2284068 Segmentation fault  "$@"

Celejar



Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-28 Thread Daniel Kahn Gillmor
On Mon 2020-01-27 19:45:36 -0500, Celejar wrote:
> I think I'm probably missing something, but lately "ifdown wg0" isn't
> segfaulting (even after downgrading back to 1.0.20200102-1) - but it
> doesn't seem to be calling iptables-restore at all, but only nft:

Ah, that'd be because you installed nft.  If you only had iptables
installed, and you didn't have nft installed, then you'd exercise the
different codepath in wg-quick.

  --dkg




Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-27 Thread Celejar
On Thu, 23 Jan 2020 12:16:07 -0500
Daniel Kahn Gillmor wrote:

> On Thu 2020-01-23 00:01:57 -0500, Celejar wrote:
> > So right after my last email, I upgraded to 1.0.20200121-1, and now I
> > no longer get a segfault. Is there anything further I should do? Should
> > I do a downgrade and try your modification?
> 
> If you don't mind downgrading (just the wireguard-tools package),
> modifying wg-quick as described, and retrying "ifdown wg0", that would
> be useful data to the iptables maintainers, as it should be input that
> produces a segmentation fault -- something that is not supposed to
> happen.
> 
> Then, you can probably upgrade wireguard-tools again and move on :)

I think I'm probably missing something, but lately "ifdown wg0" isn't
segfaulting (even after downgrading back to 1.0.20200102-1) - but it
doesn't seem to be calling iptables-restore at all, but only nft:

~# ifdown wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] nft -f /dev/fd/63

~# apt-cache policy wireguard-tools 
wireguard-tools:
  Installed: 1.0.20200102-1
  Candidate: 1.0.20200121-2
  Version table:
     1.0.20200121-2 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
 *** 1.0.20200102-1 100
        100 /var/lib/dpkg/status

Celejar



Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-23 Thread Daniel Kahn Gillmor
On Thu 2020-01-23 00:01:57 -0500, Celejar wrote:
> So right after my last email, I upgraded to 1.0.20200121-1, and now I
> no longer get a segfault. Is there anything further I should do? Should
> I do a downgrade and try your modification?

If you don't mind downgrading (just the wireguard-tools package),
modifying wg-quick as described, and retrying "ifdown wg0", that would
be useful data to the iptables maintainers, as it should be input that
produces a segmentation fault -- something that is not supposed to
happen.

Then, you can probably upgrade wireguard-tools again and move on :)

 --dkg




Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-22 Thread Celejar
On Wed, 22 Jan 2020 16:47:17 -0500
Daniel Kahn Gillmor wrote:

> Control: tags 946996 + moreinfo
> 
> On Tue 2020-01-21 22:18:45 -0500, Celejar wrote:
> > Sorry, I'm still getting it:
> >
> > ~# apt-cache policy wireguard-tools 
> > wireguard-tools:
> >   Installed: 1.0.20200102-1
> >   Candidate: 1.0.20200102-1
> >   Version table:
> >  *** 1.0.20200102-1 500
> > 500 http://deb.debian.org/debian sid/main amd64 Packages
> > 100 /var/lib/dpkg/status
> >
> > ~# ifdown wg0
> > [#] ip -4 rule delete table 51820
> > [#] ip -4 rule delete table main suppress_prefixlength 0
> > [#] ip link delete dev wg0
> > [#] resolvconf -d tun.wg0 -f
> > [#] iptables-restore -n
> > /usr/bin/wg-quick: line 29: 186243 Segmentation fault  "$@"
> 
> Interesting.  Can you modify wg-quick locally to expose what is being
> piped into iptables-restore -n in this instance?
> 
> For example, a change like this:
> 
> 
> --- wg-quick.orig 2020-01-22 16:05:42.456100207 -0500
> +++ wg-quick  2020-01-22 16:45:35.936536027 -0500
> @@ -198,6 +198,7 @@
>   [[ $line == "-A"* ]] && found=1
>   printf -v restore '%s%s\n' "$restore" 
> "${line/#-A/-D}"
>   done < <($iptables-save 2>/dev/null)
> +[[ $found -ne 1 ]] || echo -n "RESTORING: $restore" 
> >&2
>   [[ $found -ne 1 ]] || echo -n "$restore" | cmd 
> $iptables-restore -n
>   done
>   fi
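
Review bot: the added echo on the + line prints the label and the payload in one go, so "RESTORING: " ends up on the same line as the first line of $restore. Anyone replaying the capture has to strip that prefix by hand before it is valid input again. Printing the label on its own line, or writing $restore to a file, would let the captured text be fed to "iptables-restore -n" unchanged.
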
> 
> 
> Then report back what is printed there, and see whether feeding it into
> "iptables-restore -n" on its own is sufficient to cause a segfault.

So right after my last email, I upgraded to 1.0.20200121-1, and now I
no longer get a segfault. Is there anything further I should do? Should
I do a downgrade and try your modification?

> thanks for taking the time to report and debug!

Celejar



Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-22 Thread Daniel Kahn Gillmor
Control: tags 946996 + moreinfo

On Tue 2020-01-21 22:18:45 -0500, Celejar wrote:
> Sorry, I'm still getting it:
>
> ~# apt-cache policy wireguard-tools 
> wireguard-tools:
>   Installed: 1.0.20200102-1
>   Candidate: 1.0.20200102-1
>   Version table:
>  *** 1.0.20200102-1 500
> 500 http://deb.debian.org/debian sid/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> ~# ifdown wg0
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev wg0
> [#] resolvconf -d tun.wg0 -f
> [#] iptables-restore -n
> /usr/bin/wg-quick: line 29: 186243 Segmentation fault  "$@"

Interesting.  Can you modify wg-quick locally to expose what is being
piped into iptables-restore -n in this instance?

For example, a change like this:


--- wg-quick.orig   2020-01-22 16:05:42.456100207 -0500
+++ wg-quick2020-01-22 16:45:35.936536027 -0500
@@ -198,6 +198,7 @@
[[ $line == "-A"* ]] && found=1
printf -v restore '%s%s\n' "$restore" 
"${line/#-A/-D}"
done < <($iptables-save 2>/dev/null)
+[[ $found -ne 1 ]] || echo -n "RESTORING: $restore" >&2
[[ $found -ne 1 ]] || echo -n "$restore" | cmd 
$iptables-restore -n
done
fi
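
Review bot: the added line repeats the "[[ $found -ne 1 ]] ||" guard of the line that follows it, so the debug print and the restore call are tied together only by two copies of the same test. Grouping both under a single "if [[ $found -eq 1 ]]" keeps them from drifting apart. The dump also goes to stderr unconditionally whenever found is 1, so this is best kept as a local debugging change rather than left in place.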


Then report back what is printed there, and see whether feeding it into
"iptables-restore -n" on its own is sufficient to cause a segfault.

thanks for taking the time to report and debug!

--dkg
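
An added example, not part of the original message and not wg-quick code: one way to turn the stderr captured with the debug line above into text that can be fed to "iptables-restore -n" on its own. The function names, the sample capture and the rule for rejoining mail-wrapped lines are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread). Recovers the text that the debug line
# printed after "RESTORING: " so it can be replayed on its own.

extract_restore_payload() {
    awk '
        function emit() { if (have) print buf; have = 0 }
        # A "[#] " line is wg-quick echoing its next command: the dump is over.
        /^\[#\] /      { emit(); if (capture) finished = 1; capture = 0; next }
        /^RESTORING: / { if (!finished) { capture = 1; sub(/^RESTORING: /, "") } }
        !capture       { next }
        # Keep empty lines: the thread suspects them as a possible trigger.
        /^$/           { emit(); print ""; next }
        # Record starts: *table, :chain, "-X " rule, COMMIT, or a comment line.
        /^([*:#]|-[A-Z] |COMMIT$)/ { emit(); buf = $0; have = 1; next }
        # Anything else is the tail of a rule that a mail client wrapped.
        { sub(/^[ \t]+/, "")
          if (have) buf = buf (buf ~ / $/ ? "" : " ") $0
          else { buf = $0; have = 1 } }
        END { emit() }
    '
}

# Constructed sample in the shape of the output quoted in the thread, with the
# kind of wrapping a mail client adds. It is not the reporter's real ruleset.
sample_capture() {
    cat <<'EOF'
[#] resolvconf -d tun.wg0 -f
RESTORING: *filter
COMMIT
*mangle
-D POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment
"wg-quick(8) rule for wg0" -j CONNMARK
--save-mark
COMMIT
[#] iptables-restore -n
/usr/bin/wg-quick: line 29: 2284068 Segmentation fault  "$@"
EOF
}

# Show the recovered payload. To replay it as described in the message above,
# pipe the same output into: iptables-restore -n
sample_capture | extract_restore_payload
```

Only the first dump in a capture is extracted; a second "RESTORING: " block (for example from the ip6tables pass) is ignored so that the two payloads are not mixed.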




Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-21 Thread Celejar
On Tue, 21 Jan 2020 10:36:25 -0500
Daniel Kahn Gillmor wrote:

> Control: reassign 946996 iptables
> Control: affects 946996 + wireguard-tools
> 
> Hi Celejar--
> 
> On Thu 2019-12-19 00:00:39 -0500, Celejar wrote:
> > Package: wireguard-tools
> > Version: 0.0.20191212-1
> > Severity: normal
> >
> > I use wireguard to establish a very simple point-to-point VPN. 'wg-quick
> > up wgo' works fine; 'wg-quick down wg0' also seems to work correctly,
> > but it segfaults after doing (AFAICT) everything that it's supposed to
> > do. Everything seems to be working fine, though, both before and afterward.

...

> Thanks for this report.  It looks to me like this is a segfault in
> iptables-restore, not in wg-quick, so i'm reassigning the bug report to
> the iptables package, which shouldn't segfault, no matter what input it
> receives.  (maybe this is due to sending it empty lines?)
> 
> In the meantime, i believe that more recent versions of wireguard-tools
> do not send empty lines to iptables-restore.  Can you verify that this
> doesn't happen for you with a more recent version?

Sorry, I'm still getting it:

~# apt-cache policy wireguard-tools 
wireguard-tools:
  Installed: 1.0.20200102-1
  Candidate: 1.0.20200102-1
  Version table:
 *** 1.0.20200102-1 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status

~# ifdown wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] iptables-restore -n
/usr/bin/wg-quick: line 29: 186243 Segmentation fault  "$@"

...

> Thanks for reporting this,

Thank you for all your Debian, technology, and privacy work!

Celejar



Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2020-01-21 Thread Daniel Kahn Gillmor
Control: reassign 946996 iptables
Control: affects 946996 + wireguard-tools

Hi Celejar--

On Thu 2019-12-19 00:00:39 -0500, Celejar wrote:
> Package: wireguard-tools
> Version: 0.0.20191212-1
> Severity: normal
>
> I use wireguard to establish a very simple point-to-point VPN. 'wg-quick
> up wgo' works fine; 'wg-quick down wg0' also seems to work correctly,
> but it segfaults after doing (AFAICT) everything that it's supposed to
> do. Everything seems to be working fine, though, both before and afterward.
>
> I tried figuring out what, exactly, the script is doing when it
> segfaults, but I couldn't quite make it out. It seems to successfully do
> 'del_if', 'unset_dns', and 'remove_firewall', but then do something
> wrong in the 'execute_hooks' stage?
>
> ~# wg-quick down wg0
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev wg0
> [#] resolvconf -d tun.wg0 -f
> [#] iptables-restore -n
> /usr/bin/wg-quick: line 29: 1411585 Segmentation fault  "$@"

Thanks for this report.  It looks to me like this is a segfault in
iptables-restore, not in wg-quick, so i'm reassigning the bug report to
the iptables package, which shouldn't segfault, no matter what input it
receives.  (maybe this is due to sending it empty lines?)

In the meantime, i believe that more recent versions of wireguard-tools
do not send empty lines to iptables-restore.  Can you verify that this
doesn't happen for you with a more recent version?

Thanks for reporting this,

--dkg




Bug#946996: wireguard-tools: 'wg-quick down' segfaults

2019-12-18 Thread Celejar
Package: wireguard-tools
Version: 0.0.20191212-1
Severity: normal

I use wireguard to establish a very simple point-to-point VPN. 'wg-quick
up wgo' works fine; 'wg-quick down wg0' also seems to work correctly,
but it segfaults after doing (AFAICT) everything that it's supposed to
do. Everything seems to be working fine, though, both before and afterward.

I tried figuring out what, exactly, the script is doing when it
segfaults, but I couldn't quite make it out. It seems to successfully do
'del_if', 'unset_dns', and 'remove_firewall', but then do something
wrong in the 'execute_hooks' stage?

~# wg-quick down wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] iptables-restore -n
/usr/bin/wg-quick: line 29: 1411585 Segmentation fault  "$@"

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard-tools depends on:
ii  libc6    2.29-6
ii  libmnl0  1.0.4-2+b1

Versions of packages wireguard-tools recommends:
ii  iptables        1.8.4-1
ii  wireguard-dkms  0.0.20191212-1

wireguard-tools suggests no packages.

-- no debconf information