deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-24:06.wireguard

Hash: SHA512

FreeBSD-EN-24:06.wireguard                                      Errata Notice
                                                          The FreeBSD Project

Topic:          Insufficient barriers in WireGuard if_wg(4)

Category:       core
Module:         if_wg
Announced:      2024-03-28
Affects:        All supported versions of FreeBSD.
Corrected:      2024-03-22 15:21:39 UTC (stable/14, 14.0-STABLE)
                2024-03-28 05:06:22 UTC (releng/14.0, 14.0-RELEASE-p6)
                2024-03-22 15:21:42 UTC (stable/13, 13.3-STABLE)
                2024-03-28 07:14:19 UTC (releng/13.3, 13.3-RELEASE-p1)
                2024-03-28 05:07:54 UTC (releng/13.2, 13.2-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit

I.   Background

if_wg(4) is the kernel module that implements WireGuard tunnels between two
endpoints.  When packets arrive from the tunnel or are sent over the tunnel,
they are decrypted or encrypted in a separate thread from the one that delivers
the packet to its final destination, so each packet is handed from one thread
to another.

II.  Problem Description

Insufficient memory barriers between the encrypt/decrypt threads and the
delivery threads may result in a delivery thread reading the wrong part of an
mbuf chain and sending it along through the network stack.  This can happen
on architectures with a weaker memory model, e.g., aarch64, under certain
workloads.

III. Impact

The part of the mbuf chain being sent along may contain some invalid state that
causes a later fault and panic.
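The following is an added illustration of the bug class described in sections II and III; it is not the if_wg(4) code and does not reproduce the FreeBSD fix. It models a crypto worker handing packets to a delivery thread through a per-packet state word: the worker fills in the packet fields and then flips the state, and the delivery thread spins on the state before reading the fields. With relaxed, barrier-free accesses, an aarch64 CPU (or the compiler, on any architecture) may make the state store visible before the field stores, so the consumer reads stale fields; release/acquire ordering prevents this. The packet layout, the field names and the run_handoff() helper are assumptions made for the example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed packet layout for this example (not the if_wg/mbuf layout). */
enum { PKT_EMPTY = 0, PKT_CRYPTED = 1, PKT_DELIVERED = 2 };

struct pkt {
    _Atomic int state;      /* handoff word: EMPTY -> CRYPTED -> DELIVERED */
    uint32_t    seq;        /* written by the crypto worker */
    uint32_t    len;        /* written by the crypto worker */
    uint8_t     data[64];   /* written by the crypto worker */
};

struct stage {
    struct pkt *slots;
    int         nslots;
    bool        barriers;   /* true: release/acquire; false: relaxed (the bug) */
    int         stale;      /* packets the consumer saw in an inconsistent state */
};

static uint32_t expected_len(int i) { return 16 + (uint32_t)(i % 48); }

/* Producer: fill the packet, then publish it by updating state. */
static void *crypto_worker(void *arg)
{
    struct stage *st = arg;
    for (int i = 0; i < st->nslots; i++) {
        struct pkt *p = &st->slots[i];
        p->seq = (uint32_t)i;
        p->len = expected_len(i);
        memset(p->data, i & 0xff, p->len);
        /* A release store orders the field writes above before the state
         * write; a relaxed store lets the CPU or compiler reorder them. */
        if (st->barriers)
            atomic_store_explicit(&p->state, PKT_CRYPTED, memory_order_release);
        else
            atomic_store_explicit(&p->state, PKT_CRYPTED, memory_order_relaxed);
    }
    return NULL;
}

/* Consumer: wait for CRYPTED, then read the fields the worker wrote.  In the
 * relaxed mode this read races the worker's writes, which is the bug. */
static void *delivery_thread(void *arg)
{
    struct stage *st = arg;
    for (int i = 0; i < st->nslots; i++) {
        struct pkt *p = &st->slots[i];
        if (st->barriers) {
            /* acquire load: the reads below cannot move ahead of it */
            while (atomic_load_explicit(&p->state, memory_order_acquire) != PKT_CRYPTED)
                ;
        } else {
            while (atomic_load_explicit(&p->state, memory_order_relaxed) != PKT_CRYPTED)
                ;
        }
        bool ok = p->seq == (uint32_t)i && p->len == expected_len(i);
        for (uint32_t k = 0; ok && k < p->len && k < sizeof p->data; k++)
            if (p->data[k] != (uint8_t)(i & 0xff))
                ok = false;
        if (!ok)
            st->stale++;
        atomic_store_explicit(&p->state, PKT_DELIVERED, memory_order_release);
    }
    return NULL;
}

/* Hand nslots packets from the worker to the delivery thread; return how
 * many the delivery thread observed with fields inconsistent with the
 * state word (always 0 when barriers are used; -1 on allocation failure). */
int run_handoff(bool barriers, int nslots)
{
    struct stage st = { calloc((size_t)nslots, sizeof(struct pkt)), nslots, barriers, 0 };
    pthread_t prod, cons;
    if (st.slots == NULL)
        return -1;
    pthread_create(&cons, NULL, delivery_thread, &st);
    pthread_create(&prod, NULL, crypto_worker, &st);
    pthread_join(prod, NULL);
    pthread_join(cons, NULL);
    free(st.slots);
    return st.stale;
}

int main(void)
{
    printf("with barriers:    %d stale deliveries\n", run_handoff(true, 100000));
    printf("without barriers: %d stale deliveries\n", run_handoff(false, 100000));
    return 0;
}
```

On an x86 machine the relaxed variant will usually also report 0, because TSO keeps store order in hardware; that matches the advisory's statement that i386 and amd64 are not affected, but it does not make the relaxed code correct, since the compiler is still free to reorder the plain stores around a relaxed atomic store. Only the release/acquire pairing is guaranteed to give the delivery thread a consistent view on every architecture.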

IV.  Workaround

No workaround is available, but x86 platforms (that is, i386 and amd64) are
not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot or reload the
if_wg kernel module.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the arm64 platform can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

After the updates have installed, you will need to reboot the system or reload
the if_wg kernel module.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch
# gpg --verify wireguard.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the
system or reload the if_wg kernel module.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              590e02d3c088    stable/14-2576116
releng/14.0/                            56be7cd84447  releng/14.0-n265412
stable/13/                              806e51f81dba    stable/13-n257611
releng/13.3/                            f07351f90aa3  releng/13.3-n257429
releng/13.2/                            8f1f4e60ceb9  releng/13.2-n254663
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:


To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References


The latest revision of this advisory is available at