-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-24:06.wireguard                                      Errata Notice
                                                          The FreeBSD Project

Topic:          Insufficient barriers in WireGuard if_wg(4)

Category:       core
Module:         if_wg
Announced:      2024-03-28
Affects:        All supported versions of FreeBSD.
Corrected:      2024-03-22 15:21:39 UTC (stable/14, 14.0-STABLE)
                2024-03-28 05:06:22 UTC (releng/14.0, 14.0-RELEASE-p6)
                2024-03-22 15:21:42 UTC (stable/13, 13.3-STABLE)
                2024-03-28 07:14:19 UTC (releng/13.3, 13.3-RELEASE-p1)
                2024-03-28 05:07:54 UTC (releng/13.2, 13.2-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

if_wg is the kernel module that implements WireGuard tunnels between two
endpoints.  When packets arrive from the tunnel or are sent over the tunnel,
they are decrypted or encrypted in a separate thread from the one that delivers
the packet to its final destination.

II.  Problem Description

Insufficient barriers between the encrypt/decrypt threads and the delivery
threads may result in the wrong part of an mbuf chain being read and sent along
through the network stack on architectures with a weaker memory model, e.g.,
aarch64, under certain workloads.

III. Impact

The part of the mbuf chain being sent along may contain some invalid state that
causes a later fault and panic.

IV.  Workaround

No workaround is available, but X86 platforms (that is, i386 and amd64) are
not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot or reload the
if_wg kernel module.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD arm64 platform can be updated
via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

After the updates have installed, you will need to reboot the system or reload
the if_wg kernel module.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch
# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch.asc
# gpg --verify wireguard.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or reload the if_wg kernel module.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              590e02d3c088    stable/14-2576116
releng/14.0/                            56be7cd84447  releng/14.0-n265412
stable/13/                              806e51f81dba    stable/13-n257611
releng/13.3/                            f07351f90aa3  releng/13.3-n257429
releng/13.2/                            8f1f4e60ceb9  releng/13.2-n254663
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264115>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:06.wireguard.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGagACgkQbljekB8A
Gu/p2g//cupzJnkQB/sXm0EWroHjy/I6X6gbZlDpHZFbetGx8niyCH/xK3FMySuq
q1XGKpXqQKBR3R+VmTNs+Tfd0DbFK8nwStPHXnewKZJ+Qddah27Y3zEuj9+vmmmq
rzgJNDNv53eZj0c2ExIWVSfjn1faiE4ctVUOROtvxvxr9RtFpatGTzT5i/wgoNnj
gyO/VoFIn3C4ya8F/7EMicnEdQuXW55Ds+3ub9MO4DcXDds3QLWnYIVYfnvnBNV4
YX7N+yynBxGOwD1Isbee6dCFTslsOgqV8WGkN4hMXvikPGvD+lXwCpDftfJCEFbR
xDUzf+M/6eBDgTztMmg7bTQO53Dp1iv5nd6Sw71rqS6tCwJ4BoxHV8Cx31yBbPRq
S2JsUjT0UsH5Cdvq8Ky5vMPSuSa/n8Ma/CeNtAQ0wvMw9WXkDGOZQSfBuEvJIItB
WQyfpBgrWjUZ3fMX7URPc5hca04y/bLyBV+gRfRqVy2nc4T4AwplWYOvBb5f8EXs
2+Jq1Bh3PQTBM4ZdXJtGmBct7ciZn3tZSrAt8c2sNLV5tUfVhWgNTYmcj5ffpPGh
r6D9m++Oq4ZORrFpydDfgv/0qXJQrp/9nFVxv8TdhwHBOkdYWP9mJpIUJxVxwfYp
jlFBr6yZWp4bWsGGgdtQqQ5+gKo8B25aQ52IE22weZsFxxaYn24=
=oKHT
-----END PGP SIGNATURE-----