New OpenWrt release fixing several dnsmasq CVEs

New OpenWrt release fixing several dnsmasq CVEs

[Toke Høiland-Jørgensen]

Hi everyone

In case you haven't seen, there's a new OpenWrt release out[0] that
fixes several CVEs in dnsmasq; seems like quite a bunch at once[1].

So in the interest of keeping everyone's routers safe, here's a gentle
nudge to update :)

-Toke

[0] https://openwrt.org/releases/19.07/notes-19.07.6
[1] https://www.jsof-tech.com/disclosures/dnspooq/

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Jonathan Foulkes]

I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
Last night it locked up completely while attempting to stream.

See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39

load is low, sirq is low, so box does not seem stressed.

Any reason Cake would be sensitive to a dnsmasq bug?

Anyway, heads-up to wait before deploying the update, A new one should be forthcoming.

Thanks,

Jonathan Foulkes

> On Jan 19, 2021, at 6:20 PM, Toke Høiland-Jørgensen via Bloat <bloat@lists.bufferbloat.net> wrote:
> 
> Hi everyone
> 
> In case you haven't seen, there's a new OpenWrt release out[0] that
> fixes several CVEs in dnsmasq; seems like quite a bunch at once[1].
> 
> So in the interest of keeping everyone's routers safe, here's a gentle
> nudge to update :)
> 
> -Toke
> 
> [0] https://openwrt.org/releases/19.07/notes-19.07.6
> [1] https://www.jsof-tech.com/disclosures/dnspooq/
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat

Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Toke Høiland-Jørgensen]

Jonathan Foulkes <jf@jonathanfoulkes.com> writes:

> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
> Last night it locked up completely while attempting to stream.
>
> See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39
>
> load is low, sirq is low, so box does not seem stressed.
>
> Any reason Cake would be sensitive to a dnsmasq bug?

No, not really. I mean, dnsmasq could be sending some traffic that
interferes with stuff? Or it could be a kernel regression - the release
did bump the kernel version as well...

-Toke

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Jonathan Foulkes]

I figure there should be no inter-dependencies there, but the side-effect of the new dnsmasq is pretty serious.

I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.

But others running a full .6 build report similar QoS issues.

I regressed back to .4 and all is good on the QoS front, waiting until a new drop of dnsmasq before trying again.

- Jonathan

> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> 
> Jonathan Foulkes <jf@jonathanfoulkes.com> writes:
> 
>> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
>> Last night it locked up completely while attempting to stream.
>> 
>> See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39
>> 
>> load is low, sirq is low, so box does not seem stressed.
>> 
>> Any reason Cake would be sensitive to a dnsmasq bug?
> 
> No, not really. I mean, dnsmasq could be sending some traffic that
> interferes with stuff? Or it could be a kernel regression - the release
> did bump the kernel version as well...
> 
> -Toke

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Daniel Sterling]

On Fri, Jan 22, 2021 at 4:25 PM Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:
> I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.

given you just updated the package -- that's extremely weird.
userspace update shouldn't be able to lock up the kernel in any
case..... very bizarre.

-- Dan

Re: [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Toke Høiland-Jørgensen]

Daniel Sterling <sterling.daniel@gmail.com> writes:

> On Fri, Jan 22, 2021 at 4:25 PM Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:
>> I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.
>
> given you just updated the package -- that's extremely weird.
> userspace update shouldn't be able to lock up the kernel in any
> case..... very bizarre.

Well, it's a daemon with pretty wide permissions to mess with the
system, so it's not impossible (evidently). Still, will be interesting
to see what turns out to be the root cause of this...

-Toke

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Sebastian Moeller]

Could you try to run top or htop and look at the CPU load? I could imagine that the fixes dnsmasq might have some CPU spikes that simply leave not enough cycles for the traffic shaper?

Best Regards
	Sebastian

> On Jan 22, 2021, at 22:25, Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:
> 
> I figure there should be no inter-dependencies there, but the side-effect of the new dnsmasq is pretty serious.
> 
> I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.
> 
> But others running a full .6 build report similar QoS issues.
> 
> I regressed back to .4 and all is good on the QoS front, waiting until a new drop of dnsmasq before trying again.
> 
> - Jonathan
> 
>> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>> 
>> Jonathan Foulkes <jf@jonathanfoulkes.com> writes:
>> 
>>> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
>>> Last night it locked up completely while attempting to stream.
>>> 
>>> See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
>>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39
>>> 
>>> load is low, sirq is low, so box does not seem stressed.
>>> 
>>> Any reason Cake would be sensitive to a dnsmasq bug?
>> 
>> No, not really. I mean, dnsmasq could be sending some traffic that
>> interferes with stuff? Or it could be a kernel regression - the release
>> did bump the kernel version as well...
>> 
>> -Toke
> 
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Jonathan Foulkes]

Hi Seb, someone did just that and even better, compared two builds with the dnsmasq being the only variable, and did not see any differences:
https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/85

From other comments, looks like they found the bug and are testing the fix.
https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commitdiff;h=9a18346676850646764072ffcfd32ad9396d95c3

Jonathan

> On Jan 22, 2021, at 4:40 PM, Sebastian Moeller <moeller0@gmx.de> wrote:
> 
> Could you try to run top or htop and look at the CPU load? I could imagine that the fixes dnsmasq might have some CPU spikes that simply leave not enough cycles for the traffic shaper?
> 
> Best Regards
> 	Sebastian
> 
>> On Jan 22, 2021, at 22:25, Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:
>> 
>> I figure there should be no inter-dependencies there, but the side-effect of the new dnsmasq is pretty serious.
>> 
>> I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.
>> 
>> But others running a full .6 build report similar QoS issues.
>> 
>> I regressed back to .4 and all is good on the QoS front, waiting until a new drop of dnsmasq before trying again.
>> 
>> - Jonathan
>> 
>>> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>>> 
>>> Jonathan Foulkes <jf@jonathanfoulkes.com> writes:
>>> 
>>>> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
>>>> Last night it locked up completely while attempting to stream.
>>>> 
>>>> See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
>>>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39
>>>> 
>>>> load is low, sirq is low, so box does not seem stressed.
>>>> 
>>>> Any reason Cake would be sensitive to a dnsmasq bug?
>>> 
>>> No, not really. I mean, dnsmasq could be sending some traffic that
>>> interferes with stuff? Or it could be a kernel regression - the release
>>> did bump the kernel version as well...
>>> 
>>> -Toke
>> 
>> _______________________________________________
>> Bloat mailing list
>> Bloat@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/bloat
> 

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Daniel Sterling]

that's great! thanks to the openwrt team for the quick work

from that patch:

"If identical queries from IPv4 and IPv6 sources are combined by the
new code added in 15b60ddf935a531269bb8c68198de012a4967156 then
replies can end up being sent via the wrong family of socket. The ->fd
should be per query, not per-question.

In bind-interfaces mode, this could also result in replies being sent
via the wrong socket even when IPv4/IPV6 issues are not in play."

On Sat, Jan 23, 2021 at 11:29 AM Jonathan Foulkes
<jf@jonathanfoulkes.com> wrote:
>
> Hi Seb, someone did just that and even better, compared two builds with the dnsmasq being the only variable, and did not see any differences:
> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/85
>
> From other comments, looks like they found the bug and are testing the fix.
> https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commitdiff;h=9a18346676850646764072ffcfd32ad9396d95c3
>
> Jonathan
>
> > On Jan 22, 2021, at 4:40 PM, Sebastian Moeller <moeller0@gmx.de> wrote:
> >
> > Could you try to run top or htop and look at the CPU load? I could imagine that the fixes dnsmasq might have some CPU spikes that simply leave not enough cycles for the traffic shaper?
> >
> > Best Regards
> >       Sebastian
> >
> >> On Jan 22, 2021, at 22:25, Jonathan Foulkes <jf@jonathanfoulkes.com> wrote:
> >>
> >> I figure there should be no inter-dependencies there, but the side-effect of the new dnsmasq is pretty serious.
> >>
> >> I did not install .6, I only performed an opkg update of the dnamasq package itself. So kernal is the same in my case.
> >>
> >> But others running a full .6 build report similar QoS issues.
> >>
> >> I regressed back to .4 and all is good on the QoS front, waiting until a new drop of dnsmasq before trying again.
> >>
> >> - Jonathan
> >>
> >>> On Jan 22, 2021, at 4:15 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> >>>
> >>> Jonathan Foulkes <jf@jonathanfoulkes.com> writes:
> >>>
> >>>> I installed the updated package on a 19.07.4 box running cake, and QoS performance went down the tubes.
> >>>> Last night it locked up completely while attempting to stream.
> >>>>
> >>>> See the PingPlots others have posted to this forum thread, mine look similar, went from constant sub 50ms to very spiky, then some loss, loss increasing, and if high traffic, lock-up.
> >>>> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/39
> >>>>
> >>>> load is low, sirq is low, so box does not seem stressed.
> >>>>
> >>>> Any reason Cake would be sensitive to a dnsmasq bug?
> >>>
> >>> No, not really. I mean, dnsmasq could be sending some traffic that
> >>> interferes with stuff? Or it could be a kernel regression - the release
> >>> did bump the kernel version as well...
> >>>
> >>> -Toke
> >>
> >> _______________________________________________
> >> Bloat mailing list
> >> Bloat@lists.bufferbloat.net
> >> https://lists.bufferbloat.net/listinfo/bloat
> >
>
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat

Re: [Cerowrt-devel] [Bloat] New OpenWrt release fixing several dnsmasq CVEs

[Etienne Champetier]

Hi Jonathan,

Le sam. 23 janv. 2021 à 11:29, Jonathan Foulkes
<jf@jonathanfoulkes.com> a écrit :
>
> Hi Seb, someone did just that and even better, compared two builds with the dnsmasq being the only variable, and did not see any differences:
> https://forum.openwrt.org/t/security-advisory-2021-01-19-1-dnsmasq-multiple-vulnerabilities/85903/85
>
> From other comments, looks like they found the bug and are testing the fix.
> https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commitdiff;h=9a18346676850646764072ffcfd32ad9396d95c3
>
> Jonathan
>
> > On Jan 22, 2021, at 4:40 PM, Sebastian Moeller <moeller0@gmx.de> wrote:
> >
> > Could you try to run top or htop and look at the CPU load? I could imagine that the fixes dnsmasq might have some CPU spikes that simply leave not enough cycles for the traffic shaper?

Is it possible you had a tab open on the Luci status page ?
In my experience if you don't have uhttpd-mod-ubus (and maybe
uhttpd-mod-lua) load average just keep climbing when you are looking
at this page.
https://bugs.openwrt.org/index.php?do=details&task_id=2613

Best
Etienne