[pkg-netfilter-team] Bug#946996: wireguard-tools: 'wg-quick down' segfaults

Celejar celejar at gmail.com
Tue Mar 10 01:18:44 GMT 2020


On Mon, 09 Mar 2020 17:22:57 -0400
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> On Mon 2020-02-03 13:20:22 -0500, Celejar wrote:
> > Okay, now I've gotten it. I've uninstalled nftables and put in the
> > debug line, and I get this (with 1.0.20200121-2):
> >
> > ~# ifdown wg0
> > [#] ip -4 rule delete table 51820
> > [#] ip -4 rule delete table main suppress_prefixlength 0
> > [#] ip link delete dev wg0
> > [#] resolvconf -d tun.wg0 -f
> > RESTORING: *filter
> > COMMIT
> > *nat
> > COMMIT
> > *mangle
> > -D PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> > -D POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
> > COMMIT
> > *raw
> > COMMIT
> > [#] iptables-restore -n
> > /usr/bin/wg-quick: line 29: 2284068 Segmentation fault      "$@"
> 
> 
> OK, so it looks to me like the problem comes when feeding this set of
> commands into iptables-restore.
> 
> But hm, i'm still having trouble replicating the segfault.
> 
> Is this still happening for you?

Yes (with 1.0.20200206-2)

> Can you send the output of these two commands?
> 
>     dpkg -l iptables wireguard

~$ dpkg -l iptables wireguard
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-====================================================
ii  iptables       1.8.4-3        amd64        administration tools for packet filtering and NAT
ii  wireguard      1.0.20200206-2 all          fast, modern, secure kernel VPN tunnel (metapackage)


>     dpkg -S $(readlink -f $(which iptables-restore))

~# dpkg -S $(readlink -f $(which iptables-restore))
iptables: /usr/sbin/xtables-nft-multi

> That might help us narrow down the cause of the segfault.
> 
> Sorry for how long this is taking to debug!

Hey, wireguard itself seems entirely functional here - I'm just trying
to do my tiny bit to help Debian! Thank you for all your work on this
and Debian in general (and your privacy work).

Celejar


