From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id CDEAC3B29D; Sat, 23 Jan 2021 11:33:25 -0500 (EST) Received: by mail-oi1-x233.google.com with SMTP id w8so9817957oie.2; Sat, 23 Jan 2021 08:33:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6m8SfvHHxqzLeFeHbR9ubnnlbp7loO7jwUjgnyVQuSw=; b=XXxUL6NHrW4iq3coz70viKkFRoY80L0Ix5y37b5UBk4p+w3JkKWCfXoJNB40F2AIRc iIpu+1X+sMEKMmf4aX4UP5ASj6RQJa+HSceCa357I9Jlj7UGKenM9WLPh9qW8htnRngY 7JXSeibdXsp1KGmA1cEO7Gy327eHuTAIUiXv67zKbnX5lGKralk7A7Sm7TAdBpmuuYP4 06gI1mzg3mlCd9fz7KPirhaRbCW5FdUNDWU5YbE3NJDJRzS2jQB3T9zid4eyspbNPniS /Z71+MlxjJ3W5L+bhSfl8BCScBUHCQ71X0jD3PCYUnV/EfH5EHOlABx8Qr7Ywt0oO4DD +sMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6m8SfvHHxqzLeFeHbR9ubnnlbp7loO7jwUjgnyVQuSw=; b=HT0VpAUeJE3BZYgj6x7IqBGU5u+xbWcNED5OnBtjfuxPV5IK/dh/03wjwQ7biThhj1 /ulo7Wbj41h2qdJOyMtpQ6irlmoL6ZPcTOj/iFnkxZ9UrfNYdm5A9/oI2PVm0h5xYZDF 8LSXvDMkPUrNDWOBnJ3lhDJF9EybZvn5albjCJdN8UBwcKi04qCKUJH5BkSdbMUwiye/ GGvAXtQMtFt7UJ0uSKG87tCWkqkXYcVN9OM4KJx4yYeKNmmiOhkYOUDE1lOZmKQJO0Ao peym94Mtx+x2uo6XktGufXE+iYNyO31gxa6RZouC4YIzJKvgdApx8GkKpAYjkgTDL9Fr K0+w== X-Gm-Message-State: AOAM530ytmwV37EDdxpPPogBHCfZ8bH3b5GQifmcyt9VwoJBiwI2FIBm 28DgL0YWMBGMbzzNGESwfSGecHDZIQkugeQ4LPM= X-Google-Smtp-Source: ABdhPJyFkJkilo+mfHe0kXNkxC9DBA0Mb32VG5BfKeGGAG94eMxzIjQg0mlBfM0EzLgafWWtCjCmE+3pM7cfmYIud3E= X-Received: by 2002:aca:4912:: with SMTP id w18mr6386681oia.61.1611419604996; Sat, 23 Jan 2021 08:33:24 -0800 (PST) MIME-Version: 1.0 References: <87turceco5.fsf@toke.dk> <557C22F5-BF2E-478A-8C48-BE52F9C75256@jonathanfoulkes.com> <875z3o65c9.fsf@toke.dk> <626C02F8-C761-44B1-A5B0-0B55B564BC94@gmx.de> In-Reply-To: From: Daniel Sterling Date: Sat, 23 Jan 2021 11:33:13 -0500 Message-ID: To: Jonathan Foulkes Cc: Sebastian Moeller , cerowrt-devel@lists.bufferbloat.net, Y via Bloat Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs X-BeenThere: bloat@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: General list for discussing Bufferbloat List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Jan 2021 16:33:25 -0000 that's great! thanks to the openwrt team for the quick work from that patch: "If identical queries from IPv4 and IPv6 sources are combined by the new code added in 15b60ddf935a531269bb8c68198de012a4967156 then replies can end up being sent via the wrong family of socket. The ->fd should be per query, not per-question. In bind-interfaces mode, this could also result in replies being sent via the wrong socket even when IPv4/IPV6 issues are not in play." On Sat, Jan 23, 2021 at 11:29 AM Jonathan Foulkes wrote: > > Hi Seb, someone did just that and even better, compared two builds with t= he dnsmasq being the only variable, and did not see any differences: > https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multip= le-vulnerabilities/85903/85 > > From other comments, looks like they found the bug and are testing the fi= x. > https://git.openwrt.org/?p=3Dopenwrt/staging/ldir.git;a=3Dcommitdiff;h=3D= 9a18346676850646764072ffcfd32ad9396d95c3 > > Jonathan > > > On Jan 22, 2021, at 4:40 PM, Sebastian Moeller wrote: > > > > Could you try to run top or htop and look at the CPU load? I could imag= ine that the fixes dnsmasq might have some CPU spikes that simply leave not= enough cycles for the traffic shaper? > > > > Best Regards > > Sebastian > > > >> On Jan 22, 2021, at 22:25, Jonathan Foulkes w= rote: > >> > >> I figure there should be no inter-dependencies there, but the side-eff= ect of the new dnsmasq is pretty serious. > >> > >> I did not install .6, I only performed an opkg update of the dnamasq p= ackage itself. So kernal is the same in my case. > >> > >> But others running a full .6 build report similar QoS issues. > >> > >> I regressed back to .4 and all is good on the QoS front, waiting until= a new drop of dnsmasq before trying again. > >> > >> - Jonathan > >> > >>> On Jan 22, 2021, at 4:15 PM, Toke H=C3=B8iland-J=C3=B8rgensen wrote: > >>> > >>> Jonathan Foulkes writes: > >>> > >>>> I installed the updated package on a 19.07.4 box running cake, and Q= oS performance went down the tubes. > >>>> Last night it locked up completely while attempting to stream. > >>>> > >>>> See the PingPlots others have posted to this forum thread, mine look= similar, went from constant sub 50ms to very spiky, then some loss, loss i= ncreasing, and if high traffic, lock-up. > >>>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-m= ultiple-vulnerabilities/85903/39 > >>>> > >>>> load is low, sirq is low, so box does not seem stressed. > >>>> > >>>> Any reason Cake would be sensitive to a dnsmasq bug? > >>> > >>> No, not really. I mean, dnsmasq could be sending some traffic that > >>> interferes with stuff? Or it could be a kernel regression - the relea= se > >>> did bump the kernel version as well... > >>> > >>> -Toke > >> > >> _______________________________________________ > >> Bloat mailing list > >> Bloat@lists.bufferbloat.net > >> https://lists.bufferbloat.net/listinfo/bloat > > > > _______________________________________________ > Bloat mailing list > Bloat@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/bloat