FreeBSD Errata Notice FreeBSD-EN-24:06.wireguard
28 March, 2024 by errata-notices@freebsd.org
=============================================================================
FreeBSD-EN-24:06.wireguard                                      Errata Notice
                                                          The FreeBSD Project

Topic:          Insufficient barriers in WireGuard if_wg(4)

Category:       core
Module:         if_wg
Announced:      2024-03-28
Affects:        All supported versions of FreeBSD.
Corrected:      2024-03-22 15:21:39 UTC (stable/14, 14.0-STABLE)
                2024-03-28 05:06:22 UTC (releng/14.0, 14.0-RELEASE-p6)
                2024-03-22 15:21:42 UTC (stable/13, 13.3-STABLE)
                2024-03-28 07:14:19 UTC (releng/13.3, 13.3-RELEASE-p1)
                2024-03-28 05:07:54 UTC (releng/13.2, 13.2-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

if_wg is the kernel module that implements WireGuard tunnels between two
endpoints. When packets arrive from the tunnel or are sent over the tunnel,
they are decrypted or encrypted in a separate thread from the one that
delivers the packet to its final destination.

II.  Problem Description

Insufficient barriers between the encrypt/decrypt threads and the delivery
threads may result in the wrong part of an mbuf chain being read and sent
along through the network stack on architectures with a weaker memory model,
e.g., aarch64, under certain workloads.

III. Impact

The part of the mbuf chain being sent along may contain some invalid state
that causes a later fault and panic.

IV.  Workaround

No workaround is available, but x86 platforms (that is, i386 and amd64) are
not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot or reload the
if_wg kernel module.
Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the arm64 platform can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

After the updates have installed, you will need to reboot the system or
reload the if_wg kernel module.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch
# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch.asc
# gpg --verify wireguard.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or reload the if_wg kernel module.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or
Subversion revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              590e02d3c088    stable/14-2576116
releng/14.0/                            56be7cd84447  releng/14.0-n265412
stable/13/                              806e51f81dba    stable/13-n257611
releng/13.3/                            f07351f90aa3  releng/13.3-n257429
releng/13.2/                            8f1f4e60ceb9  releng/13.2-n254663
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id&4115>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:06.wireguard.asc>
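The cross-thread hand-off described in sections I and II, as an added illustration that is not FreeBSD's if_wg code: a crypto thread fills a constructed packet and then publishes it with a release store, and the delivery side waits with a matching acquire load before it reads the payload, which is the barrier pairing a weak memory model such as aarch64 needs. The packet layout, state values and packet count are assumptions made for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <string.h>

/* Constructed stand-in for a queued packet: payload plus a hand-off state. */
enum { PKT_UNCRYPTED = 0, PKT_CRYPTED = 1 };

struct pkt {
    unsigned char payload[64];  /* written by the crypto thread */
    _Atomic int state;          /* published only after payload is complete */
};

#define NPKTS 2000
static struct pkt ring[NPKTS];

/* Crypto thread: fill each payload, then publish it with a release store so
 * that the payload writes are ordered before the state change on every
 * architecture. A plain (non-release) store is the bug class the advisory
 * describes: the consumer may observe state == PKT_CRYPTED with stale data. */
static void *crypto_thread(void *arg) {
    (void)arg;
    for (int i = 0; i < NPKTS; i++) {
        memset(ring[i].payload, (unsigned char)(i & 0xff), sizeof ring[i].payload);
        atomic_store_explicit(&ring[i].state, PKT_CRYPTED, memory_order_release);
    }
    return NULL;
}

/* Delivery side: the acquire load pairs with the release store above, so the
 * payload read below cannot be satisfied from before the publication.
 * Returns the number of packets whose payload did not match; -1 on error. */
int deliver_and_count_corrupt(void) {
    pthread_t tid;
    int bad = 0;
    for (int i = 0; i < NPKTS; i++)
        atomic_store_explicit(&ring[i].state, PKT_UNCRYPTED, memory_order_relaxed);
    if (pthread_create(&tid, NULL, crypto_thread, NULL) != 0)
        return -1;
    for (int i = 0; i < NPKTS; i++) {
        while (atomic_load_explicit(&ring[i].state, memory_order_acquire) != PKT_CRYPTED)
            ;  /* spin until the crypto thread publishes this packet */
        for (size_t j = 0; j < sizeof ring[i].payload; j++)
            if (ring[i].payload[j] != (unsigned char)(i & 0xff)) { bad++; break; }
    }
    pthread_join(tid, NULL);
    return bad;
}
```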