[Bug 1877159] Re: netlink: 'systemd-network': attribute type 5 has an invalid length.

Simon Déziel 1877159 at bugs.launchpad.net
Mon May 11 17:04:50 UTC 2020 

Steps to reproduce:

lxc launch images:ubuntu/bionic --vm -c security.secureboot=false foo
sleep 10 # allow booting
lxc exec foo -- apt install -y software-properties-common
lxc exec foo -- add-apt-repository -y ppa:wireguard/wireguard
lxc exec foo -- apt install -y wireguard-tools

cat << EOF | lxc exec foo -- tee /etc/systemd/network/wg0.netdev
# foo
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=5555
PrivateKey=cBkljQSKhtEe/U8GZmCAk2MBbKWL4TLC9PVtbMFyCVQ=

[WireGuardPeer]
PublicKey=emfIuZ3hZ+AnWIrKex/EqCp2mfzip8AxJu6RuweyRGc=
AllowedIPs=192.168.255.2
Endpoint=bar.lxd:5555
EOF

cat << EOF | lxc exec foo -- tee /etc/systemd/network/wg0.network
# foo
[Match]
Name=wg0

[Network]
Address=192.168.255.1/24
EOF

lxc exec foo -- systemctl restart systemd-networkd


lxc launch images:ubuntu/bionic --vm -c security.secureboot=false bar
sleep 10 # allow booting
lxc exec bar -- apt install -y software-properties-common
lxc exec bar -- add-apt-repository -y ppa:wireguard/wireguard
lxc exec bar -- apt install -y wireguard-tools

cat << EOF | lxc exec bar -- tee /etc/systemd/network/wg0.netdev
# bar
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=5555
PrivateKey=AHNwUJjVO939UYnp+SjrxYDa1ZlU1uIToCF9CHUitXE=

[WireGuardPeer]
PublicKey=7TJBZdnkY8zMRVPACZSxT6xL2pAi7/IL4R1DGeThEhY=
AllowedIPs=192.168.255.1
Endpoint=foo.lxd:5555
EOF

cat << EOF | lxc exec bar -- tee /etc/systemd/network/wg0.network
# bar
[Match]
Name=wg0

[Network]
Address=192.168.255.2/24
EOF

lxc exec bar -- systemctl restart systemd-networkd

# test connectivity
lxc exec foo -- ping -qc2 192.168.255.2

# notice the invalid length in dmesg
$ lxc exec foo -- journalctl -kn 8
-- Logs begin at Mon 2020-05-11 16:56:40 UTC, end at Mon 2020-05-11 17:03:46 UTC. --
May 11 16:58:25 foo kernel: nf_tables: (c) 2007-2009 Patrick McHardy <kaber at trash.net>
May 11 17:01:57 foo kernel: PKCS#7 signature not signed with a trusted key
May 11 17:01:57 foo kernel: wireguard: module verification failed: signature and/or required key missing - tainting kernel
May 11 17:01:57 foo kernel: wireguard: WireGuard 1.0.20200429 loaded. See www.wireguard.com for information.
May 11 17:01:57 foo kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason at zx2c4.com>. All Rights Reserved.
May 11 17:01:57 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.
May 11 17:01:57 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.
May 11 17:02:23 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1877159

Title:
  netlink: 'systemd-network': attribute type 5 has an invalid length.

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Bionic:
  In Progress
Status in systemd source package in Eoan:
  Fix Released
Status in systemd source package in Focal:
  Fix Released

Bug description:
  [impact]

  systemd-networkd uses incorrect netlink attribute length for
  wireguard's persistent keepalive interval, which logs error messages
  from the kernel, and may incorrectly set the parameter.

  [test case]

  Only 1 Bionic VM is required to reproduce the problem:

  $ lxc launch images:ubuntu/bionic --vm -c security.secureboot=false foo
  $ sleep 10 # allow booting
  $ lxc exec foo -- apt install -y software-properties-common
  $ lxc exec foo -- add-apt-repository -y ppa:wireguard/wireguard
  $ lxc exec foo -- apt install -y wireguard-tools

  $ cat << EOF | lxc exec foo -- tee /etc/systemd/network/wg0.netdev
  # foo
  [NetDev]
  Name=wg0
  Kind=wireguard

  [WireGuard]
  ListenPort=5555
  PrivateKey=cBkljQSKhtEe/U8GZmCAk2MBbKWL4TLC9PVtbMFyCVQ=

  [WireGuardPeer]
  PublicKey=emfIuZ3hZ+AnWIrKex/EqCp2mfzip8AxJu6RuweyRGc=
  AllowedIPs=192.168.255.2
  Endpoint=bar.lxd:5555
  EOF

  $ cat << EOF | lxc exec foo -- tee /etc/systemd/network/wg0.network
  # foo
  [Match]
  Name=wg0

  [Network]
  Address=192.168.255.1/24
  EOF

  $ lxc exec foo -- systemctl restart systemd-networkd

  # notice the invalid length in dmesg
  $ lxc exec foo -- journalctl -kn 8
  -- Logs begin at Mon 2020-05-11 16:56:40 UTC, end at Mon 2020-05-11 17:03:46 UTC. --
  May 11 16:58:25 foo kernel: nf_tables: (c) 2007-2009 Patrick McHardy <kaber at trash.net>
  May 11 17:01:57 foo kernel: PKCS#7 signature not signed with a trusted key
  May 11 17:01:57 foo kernel: wireguard: module verification failed: signature and/or required key missing - tainting kernel
  May 11 17:01:57 foo kernel: wireguard: WireGuard 1.0.20200429 loaded. See www.wireguard.com for information.
  May 11 17:01:57 foo kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason at zx2c4.com>. All Rights Reserved.
  May 11 17:01:57 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.
  May 11 17:01:57 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.
  May 11 17:02:23 foo kernel: netlink: 'systemd-network': attribute type 5 has an invalid length.

  [regression potential]

  this adjusts the length of the specific netlink parameter, so any
  regression would likely relate to incorrectly setting the persistent
  keepalive interval parameter, or failure to set the parameter.

  [scope]

  this is needed only for Bionic.

  this was fixed upstream in commit
  7d0b26a027118ca063780421cb31c74e9d2664ee which was first included in
  v240, so this is fixed in Eoan and later.  Xenial does not include
  support for wireguard, so this does not apply there.

  [original description]

  This morning, our 2 Bionic machine configured with the wireguard's PPA
  and using systemd-networkd to configure the wireguard tunnel started
  misbehaving. Why this started just now is unclear ATM but their dmesg
  was filled with this:

  validate_nla: 100 callbacks suppressed
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.
  netlink: 'systemd-network': attribute type 5 has an invalid length.

  Folks in #systemd mentioned
  https://github.com/systemd/systemd/issues/11575 which points to 2
  commits missing from Bionic's systemd version:

  https://github.com/systemd/systemd/commit/7d0b26a027118ca063780421cb31c74e9d2664ee
  https://github.com/systemd/systemd/commit/624a47694cad4c87b2e807c32db656f3e9d679c5

  Focal's systemd have the above commits. Would it be possible to
  backport those 2 commits to Bionic?

  Additional information:

  # uname -a
  Linux noc-eu1 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  # apt-cache policy systemd wireguard{,-tools,-dkms}
  systemd:
    Installed: 237-3ubuntu10.39
    Candidate: 237-3ubuntu10.39
    Version table:
   *** 237-3ubuntu10.39 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       237-3ubuntu10.38 500
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       237-3ubuntu10 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  wireguard:
    Installed: 1.0.20200319-1ubuntu1~18.04
    Candidate: 1.0.20200319-1ubuntu1~18.04
    Version table:
   *** 1.0.20200319-1ubuntu1~18.04 500
          500 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 Packages
          500 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main i386 Packages
          100 /var/lib/dpkg/status
  wireguard-tools:
    Installed: 1.0.20200319-1ubuntu1~18.04
    Candidate: 1.0.20200319-1ubuntu1~18.04
    Version table:
   *** 1.0.20200319-1ubuntu1~18.04 500
          500 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
  wireguard-dkms:
    Installed: 1.0.20200429-2~18.04
    Candidate: 1.0.20200429-2~18.04
    Version table:
   *** 1.0.20200429-2~18.04 500
          500 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 Packages
          500 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main i386 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1877159/+subscriptions

More information about the foundations-bugs mailing list