865621 – net-misc/connman-1.42_pre20220801: breaks routing 30-60 seconds after VPN client is connected

Bug 865621 - net-misc/connman-1.42_pre20220801: breaks routing 30-60 seconds after VPN client is connected

Summary: net-misc/connman-1.42_pre20220801: breaks routing 30-60 seconds after VPN cli...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Ben Kohler

URL:
Whiteboard:
Keywords:	REGRESSION

Depends on:
Blocks:

Reported:	2022-08-17 21:53 UTC by i.Dark_Templar
Modified:	2023-05-19 20:37 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2022-32292, CVE-2022-32293 CVE-2022-23096, CVE-2022-23097, CVE-2022-23098
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description i.Dark_Templar 2022-08-17 21:53:08 UTC

When running VPN (both openvpn and hamachi tested) with new net-misc/connman, it updates routing table and breaks network. It doesn't work with 1.42_pre20220801, but it works fine with 1.41-r1. It looks like it adds second default gateway. It's a regression.

Reproducible: Always

Steps to Reproduce:
1. USE="ethernet nftables policykit wifi" emerge net-misc/connman
2. start connman: /etc/init.d/connman start
3. emerge $vpnclient (openvpn and hamachi tested)
4. start $vpnvlient
Actual Results:  
After 30-60 seconds connman updates routing table and routing breaks.

Expected Results:  
connman must not break routing.

Routing table with connman-1.41-r1 after connecting to hamachi network:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    0      0        0 ham0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
25.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ham0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ham0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0

$ ip route
0.0.0.0 dev ham0 scope link
default via 192.168.1.1 dev eth0
25.0.0.0/8 dev ham0 proto kernel scope link src 25.75.105.187
169.254.0.0/16 dev ham0 proto kernel scope link src 169.254.124.73
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.158
192.168.1.1 dev eth0 scope link

Routing table with connman-1.42_pre20220801 after connecting to hamachi network:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    0      0        0 ham0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ham0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
25.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ham0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ham0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0

$ ip route
0.0.0.0 dev ham0 scope link
default dev ham0 scope link
default via 192.168.1.1 dev eth0
25.0.0.0/8 dev ham0 proto kernel scope link src 25.75.105.187
169.254.0.0/16 dev ham0 proto kernel scope link src 169.254.55.155
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.158
192.168.1.1 dev eth0 scope link

And here's same issue with openvpn instead of hamachi and connman-1.42_pre20220801:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    0      0        0 tap0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0

$ ip route
0.0.0.0 dev tap0 scope link
default dev tap0 scope link
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.22.219
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.158
192.168.1.1 dev eth0 scope link

Comment 1 i.Dark_Templar 2022-08-17 21:53:52 UTC

Emerge info for downgraded connman. For current connman all settings are same.

$ emerge --info net-misc/connman
Portage 3.0.30 (python 3.10.5-final-0, default/linux/amd64/17.1/desktop, gcc-11.3.0, glibc-2.35-r8, 5.15.59-gentoo.60 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.15.59-gentoo.60-x86_64-Intel-R-_Core-TM-_i7-3720QM_CPU_@_2.60GHz-with-glibc2.35
KiB Mem:    16002088 total,  12149596 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Wed, 17 Aug 2022 06:45:01 +0000
Head commit of repository gentoo: 5e109607c953a4b24f85acd2a0df55bc14c6e039
Head commit of repository dt-overlay-patches: e9da12e0b2670cb52722ae55958725668730a14a

Head commit of repository dt-overlay-public: 56ff2988a5194c3f47e85b72c8548d390eed86e4

sh bash 5.1_p16-r1
ld GNU ld (Gentoo 2.38 p4) 2.38
app-misc/pax-utils:        1.3.4::gentoo
app-shells/bash:           5.1_p16-r1::gentoo
dev-lang/perl:             5.34.1-r3::gentoo
dev-lang/python:           3.9.13::gentoo, 3.10.5::gentoo
dev-lang/rust:             1.62.1::gentoo
dev-util/cmake:            3.22.4::gentoo
dev-util/meson:            0.62.2::gentoo
sys-apps/baselayout:       2.8::gentoo
sys-apps/openrc:           0.45.2::gentoo
sys-apps/sandbox:          2.29::gentoo
sys-devel/autoconf:        2.13-r2::gentoo, 2.71-r1::gentoo
sys-devel/automake:        1.16.5::gentoo
sys-devel/binutils:        2.38-r2::gentoo
sys-devel/binutils-config: 5.4.1::gentoo
sys-devel/clang:           14.0.6-r1::gentoo
sys-devel/gcc:             11.3.0::gentoo
sys-devel/gcc-config:      2.5-r1::gentoo
sys-devel/libtool:         2.4.7::gentoo
sys-devel/lld:             14.0.6::gentoo
sys-devel/llvm:            14.0.6-r2::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc:            2.35-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage/
    priority: -1000
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes
    sync-rsync-extra-opts: --no-progress --no-verbose --no-motd
    sync-rsync-verify-jobs: 1

dt-overlay-crossdev
    location: /var/db/repos/dt-overlay-crossdev
    masters: gentoo
    priority: 50

dt-overlay-patches
    location: /var/db/repos/dt-overlay-patches
    sync-openpgp-key-refresh: no
    sync-type: git
    sync-uri: https://github.com/iDarkTemplar/dt-overlay-patches.git
    masters: gentoo
    priority: 50
    sync-git-verify-commit-signature: Yes

dt-overlay-private
    location: /var/db/repos/dt-overlay-private
    masters: gentoo
    priority: 50

dt-overlay-public
    location: /var/db/repos/dt-overlay-public
    sync-openpgp-key-refresh: no
    sync-type: git
    sync-uri: https://github.com/iDarkTemplar/dt-overlay-public.git
    masters: gentoo
    priority: 50
    sync-git-verify-commit-signature: Yes

rion
    location: /var/lib/layman/rion
    sync-type: laymansync
    sync-uri: https://github.com/rion-overlay/rion-overlay.git
    masters: gentoo
    priority: 50

steam-overlay
    location: /var/lib/layman/steam-overlay
    sync-type: laymansync
    sync-uri: https://github.com/anyc/steam-overlay.git
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer -fwrapv"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer -fwrapv"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --binpkg-respect-use=y --autounmask=n --complete-graph=y --keep-going --quiet-build=y"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.halifax.rwth-aachen.de/gentoo/ http://mirror.dkm.cz/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ https://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://ftp.belnet.be/pub/rsync.gentoo.org/gentoo/ http://www.mirrorservice.org/sites/distfiles.gentoo.org/ http://ftp.free.fr/mirrors/ftp.gentoo.org/ http://mirror.leaseweb.com/gentoo/ https://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--no-progress --no-verbose --no-motd"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="X a52 aac acl acpi alsa amd64 amr apm ares bash-completion bidi bluetooth bluray branding bzip2 c++0x cairo caps cdda cdio cdr cleartype cli connman cracklib crypt cue cups cxx dbus designer dga dirac dri dts dvd dvdr egl elogind encode exif faad fbcon ffmpeg filecaps flac fontconfig fontforge freetype fribidi gif gles2 gme gmp gpm gtk gtkstyle gui ibus iconv icu idn imlib inotify ipv6 jadetex jpeg kde lcms libass libdvdcss libglvnd libtirpc lzma lzo mad matroska midi mmap mng mp3 mp4 mpeg multilib ncurses network nfs nls nptl offensive ogg openal opengl openmp opus pam pango pcmcia pcntl pcre pdf pic plasma plymouth png policykit posix postproc ppds private-headers projectm pulseaudio qml qt5 raw readline schroedinger seccomp sftp sndfile sockets spell split-usr ssl startup-notification svg system-cairo system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-sqlite tga theora threads tiff truetype udev udisks unicode upower usb utils v4l vaapi vdpau vorbis vpx vulkan wavpack wayland wifi wma x264 xattr xcb xcomposite xft xinerama xpm xscreensaver xv xvid zlib zstd" ABI_X86="64 32" ADA_TARGET="gnat_2020" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev joystick libinput" KERNEL="linux" L10N="ru en de ja" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_10" PYTHON_TARGETS="python3_10" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby27" SANE_BACKENDS="hp" USERLAND="GNU" VIDEO_CARDS="vesa vga intel i915 nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

net-misc/connman-1.41-r1::dt-overlay-patches was built with the following:
USE="ethernet nftables policykit wifi -bluetooth -debug -doc -examples -iptables -iwd -l2tp -networkmanager -ofono -openconnect -openvpn -pptp -tools -vpnc -wireguard -wispr" ABI_X86="(64)"

Comment 2 i.Dark_Templar 2022-08-18 07:00:05 UTC

Found first bad commit with git bisect:

https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a

Comment 3 Ben Kohler gentoo-dev

2022-08-21 16:17:06 UTC

Thanks for reporting upstream as well [1], I will take another look in a couple of days and hopefully they will have a fix for us to backport.

[1] https://lore.kernel.org/connman/b4938292-e2a0-e572-77c1-19dda0a16d0c@dark-templar-archives.net/T/#u

Comment 4 i.Dark_Templar 2022-08-28 18:43:38 UTC

This commit fixes issue for me:

https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=cb05780d86c39cfb5e6d9ac2b288bf3244a95d57

Comment 5 Larry the Git Cow gentoo-dev

2022-08-28 20:41:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7f443ab9d94395389b54a91dc258679ad4e02c7

commit e7f443ab9d94395389b54a91dc258679ad4e02c7
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2022-08-28 20:41:00 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2022-08-28 20:41:45 +0000

    net-misc/connman: add 1.42_pre20220828
    
    Bug: https://bugs.gentoo.org/865621
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-misc/connman/Manifest                        |   1 +
 net-misc/connman/connman-1.42_pre20220828.ebuild | 106 +++++++++++++++++++++++
 2 files changed, 107 insertions(+)