diff -Nru systemd-240/debian/changelog systemd-240/debian/changelog
--- systemd-240/debian/changelog 2019-04-11 13:44:08.000000000 +0000
+++ systemd-240/debian/changelog 2019-09-05 11:01:29.000000000 +0000
@@ -1,3 +1,70 @@ +systemd (240-6ubuntu5.7) disco; urgency=medium + + * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch: + - udev: add Revert-udev-network-device-renaming-immediately-give.patch back + Dropping this patch will cause the persistent network regression. + (LP: #1842651) + + -- Shih-Yuan Lee (FourDollars) Thu, 05 Sep 2019 19:01:29 +0800 + +systemd (240-6ubuntu5.6) disco-security; urgency=medium + + * SECURITY UPDATE: Unprivileged users are granted access to privileged + systemd-resolved D-Bus methods + - d/p/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch: + drop trusted annotation from bus_open_system_watch_bind_with_description() + - CVE-2019-15718 + + -- Chris Coulson Thu, 29 Aug 2019 23:29:13 +0100 + +systemd (240-6ubuntu5.4) disco; urgency=medium + + [ You-Sheng Yang ] + * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch: + - udev: drop Revert-udev-network-device-renaming-immediately-give.patch. + The removing patch was for the already deprecated + "75-persistent-net-generator.rules" based interface renaming mechanism, + and it's causing unnecessary problem when a system happends to NICs with + same MAC address, e.g. Dell's MAC address pass-thru. (LP: #1837700) + + -- Shih-Yuan Lee (FourDollars) Wed, 21 Aug 2019 16:15:23 +0800 + +systemd (240-6ubuntu5.3) disco; urgency=medium + + [ Dan Streetman ] + * d/p/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch: + - Set src address for dhcp 'classless' routes (LP: #1835581) + + [ Jorge Niedbalski ] + * d/p/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch: + Allows cache=no-negative option to be set, ignoring negative + answers to be cached (LP: #1668771). + + -- Dan Streetman Mon, 22 Jul 2019 12:45:02 -0400 + +systemd (240-6ubuntu5.2) disco; urgency=medium + + [ Jeremy Soller ] + * random-util: eat up bad RDRAND values seen on AMD CPUs. 
+ This fixes AMD Ryzen 3000 series failing to boot (LP: #1835809) + + -- Balint Reczey Tue, 09 Jul 2019 11:52:55 +0200 + +systemd (240-6ubuntu5.1) disco; urgency=medium + + * d/p/ask-password-prevent-buffer-overrow-when-reading-fro.patch: + - prevent buffer overflow when reading keyring (LP: #1814373) + * d/p/network-wireguard-fixes-sending-wireguard-peer-setti.patch, + d/p/test-network-add-more-checks-in-NetworkdNetDevTests..patch, + d/p/sd-netlink-introduce-sd_netlink_message_append_socka.patch, + d/p/network-wireguard-use-sd_netlink_message_append_sock.patch: + - systemd doesn't set wireguard peer endpoint (LP: #1825378) + * d/t/boot-smoke: + - Fix false negative checking for running jobs after boot + (LP: #1825997) + + -- Dan Streetman Thu, 16 May 2019 06:07:49 -0400 + systemd (240-6ubuntu5) disco; urgency=medium * systemd-stable: cherrypick many bugfixes from the v240-stable branch. diff -Nru systemd-240/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch systemd-240/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch --- systemd-240/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch 2019-08-29 22:29:11.000000000 +0000 
@@ -0,0 +1,31 @@ +From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:00:34 +0200 +Subject: [PATCH] shared/but-util: drop trusted annotation from + bus_open_system_watch_bind_with_description() + +https://bugzilla.redhat.com/show_bug.cgi?id=1746057 + +This only affects systemd-resolved. bus_open_system_watch_bind_with_description() +is also used in timesyncd, but it has no methods, only read-only properties, and +in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does +polkit checks. +--- + src/shared/bus-util.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index 6af115e7aa..821339d4ae 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri + if (r < 0) + return r; + +- r = sd_bus_set_trusted(bus, true); +- if (r < 0) +- return r; +- + r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS); + if (r < 0) + return r; diff -Nru systemd-240/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch systemd-240/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch --- systemd-240/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch 2019-07-22 16:45:02.000000000 +0000 
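Review bot: The DEP-3 header of this new patch carries only the upstream `From` line and a bugzilla URL, whereas every other patch added in this upload records `Origin:` and `Bug-Ubuntu:` fields, and the CVE id that the changelog attaches to it (CVE-2019-15718) does not appear in the patch at all, so the two cannot be matched from the patch alone. Add `Origin: upstream, https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd` and `Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1746057` after the `Subject:` block, plus a line naming CVE-2019-15718. The dropped `sd_bus_set_trusted()` call is the upstream fix and should stay as is; since the trusted flag presumably bypassed the per-method privilege check, whoever backports this should confirm that the resolved vtable in this tree annotates the methods meant for unprivileged callers with SD_BUS_VTABLE_UNPRIVILEGED, as the commit message says networkd does. bus_open_system_watch_bind_with_description() starts and ends outside the quoted hunk.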
@@ -0,0 +1,35 @@ +From 59c55e73eaee345e1ee67c23eace8895ed499693 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 13 May 2019 16:58:01 -0300 +Subject: [PATCH] ask-password: prevent buffer overrow when reading from + keyring + +When we read from keyring, a temporary buffer is allocated in order to +determine the size needed for the entire data. However, when zeroing that area, +we use the data size returned by the read instead of the lesser size allocate +for the buffer. + +That will cause memory corruption that causes systemd-cryptsetup to crash +either when a single large password is used or when multiple passwords have +already been pushed to the keyring. + +Signed-off-by: Thadeu Lima de Souza Cascardo + +Origin: upstream, https://github.com/systemd/systemd/commit/59c55e73eaee345e1ee67c23eace8895ed499693 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814373 + +--- + src/shared/ask-password-api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/shared/ask-password-api.c ++++ b/src/shared/ask-password-api.c +@@ -81,7 +81,7 @@ + if (n < m) + break; + +- explicit_bzero_safe(p, n); ++ explicit_bzero_safe(p, m); + free(p); + m *= 2; + } diff -Nru systemd-240/debian/patches/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch systemd-240/debian/patches/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch --- systemd-240/debian/patches/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch 2019-07-22 16:45:02.000000000 +0000 
@@ -0,0 +1,203 @@ +From 412dcec58773b7debedd503c528760d5466739da Mon Sep 17 00:00:00 2001 +From: Jorge Niedbalski +Bug: https://github.com/systemd/systemd/issues/5552 +Origin: upstream, https://github.com/systemd/systemd/pull/13047 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1668771 +Date: Fri, 12 Jul 2019 15:34:24 -0400 +Subject: [PATCH] resolved: switch cache option to a tri-state option + (systemd#5552). + +Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values. + +If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995), +however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments) +and the only workaround would be to disable cache entirely or flush it , which isn't optimal. + +This change adds the 'no-negative' option when set it avoids putting in cache +negative answers but still works the same heuristics for positive answers. + +Signed-off-by: Jorge Niedbalski +--- + man/resolved.conf.xml | 3 ++- + src/resolve/resolved-dns-cache.c | 8 ++++++++ + src/resolve/resolved-dns-cache.h | 3 ++- + src/resolve/resolved-dns-transaction.c | 3 ++- + src/resolve/resolved-gperf.gperf | 4 ++-- + src/resolve/resolved-manager.c | 2 +- + src/resolve/resolved-manager.h | 2 +- + src/resolve/resolved-mdns.c | 2 +- + src/shared/resolve-util.c | 10 ++++++++++ + src/shared/resolve-util.h | 14 ++++++++++++++ + 10 files changed, 43 insertions(+), 8 deletions(-) + +--- a/man/resolved.conf.xml ++++ b/man/resolved.conf.xml +@@ -227,10 +227,11 @@ + + + Cache= +- Takes a boolean argument. If yes (the default), resolving a domain name ++ Takes a boolean or no-negative as argument. If yes (the default), resolving a domain name + which already got queried earlier will return the previous result as long as it is still valid, and thus does + not result in a new network request. 
Be aware that turning off caching comes at a performance penalty, which + is particularly high when DNSSEC is used. ++ If no-negative, only positive answers are cached. + + Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address + (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching. +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -619,6 +619,7 @@ + + int dns_cache_put( + DnsCache *c, ++ DnsCacheMode cache_mode, + DnsResourceKey *key, + int rcode, + DnsAnswer *answer, +@@ -726,6 +727,13 @@ + return 0; + } + ++ if (cache_mode == DNS_CACHE_MODE_NO_NEGATIVE) { ++ char key_str[DNS_RESOURCE_KEY_STRING_MAX]; ++ log_debug("Not caching negative entry for: %s, cache mode set to no-negative", ++ dns_resource_key_to_string(key, key_str, sizeof key_str)); ++ return 0; ++ } ++ + r = dns_cache_put_negative( + c, + key, +--- a/src/resolve/resolved-dns-cache.h ++++ b/src/resolve/resolved-dns-cache.h +@@ -4,6 +4,7 @@ + #include "hashmap.h" + #include "list.h" + #include "prioq.h" ++#include "resolve-util.h" + #include "time-util.h" + + typedef struct DnsCache { +@@ -21,7 +22,7 @@ + void dns_cache_flush(DnsCache *c); + void dns_cache_prune(DnsCache *c); + +-int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, bool authenticated, uint32_t nsec_ttl, usec_t timestamp, int owner_family, const union in_addr_union *owner_address); ++int dns_cache_put(DnsCache *c, DnsCacheMode cache_mode, DnsResourceKey *key, int rcode, DnsAnswer *answer, bool authenticated, uint32_t nsec_ttl, usec_t timestamp, int owner_family, const union in_addr_union *owner_address); + int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcode, DnsAnswer **answer, bool *authenticated); + + int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address); +--- a/src/resolve/resolved-dns-transaction.c ++++ 
b/src/resolve/resolved-dns-transaction.c +@@ -673,7 +673,7 @@ + return; + + /* Caching disabled? */ +- if (!t->scope->manager->enable_cache) ++ if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO) + return; + + /* We never cache if this packet is from the local host, under +@@ -684,6 +684,7 @@ + return; + + dns_cache_put(&t->scope->cache, ++ t->scope->manager->enable_cache, + t->key, + t->answer_rcode, + t->answer, +--- a/src/resolve/resolved-gperf.gperf ++++ b/src/resolve/resolved-gperf.gperf +@@ -24,6 +24,6 @@ + Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support) + Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode) + Resolve.DNSOverTLS, config_parse_dns_over_tls_mode, 0, offsetof(Manager, dns_over_tls_mode) +-Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache) ++Resolve.Cache, config_parse_dns_cache_mode, DNS_CACHE_MODE_YES, offsetof(Manager, enable_cache) + Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode) + Resolve.ReadEtcHosts, config_parse_bool, 0, offsetof(Manager, read_etc_hosts) +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -579,7 +579,7 @@ + .mdns_support = RESOLVE_SUPPORT_NO, + .dnssec_mode = DEFAULT_DNSSEC_MODE, + .dns_over_tls_mode = DEFAULT_DNS_OVER_TLS_MODE, +- .enable_cache = true, ++ .enable_cache = DNS_CACHE_MODE_YES, + .dns_stub_listener_mode = DNS_STUB_LISTENER_YES, + .read_resolv_conf = true, + .need_builtin_fallbacks = true, +--- a/src/resolve/resolved-manager.h ++++ b/src/resolve/resolved-manager.h +@@ -36,7 +36,7 @@ + ResolveSupport mdns_support; + DnssecMode dnssec_mode; + DnsOverTlsMode dns_over_tls_mode; +- bool enable_cache; ++ DnsCacheMode enable_cache; + DnsStubListenerMode dns_stub_listener_mode; + + /* Network */ +--- a/src/resolve/resolved-mdns.c ++++ b/src/resolve/resolved-mdns.c +@@ -318,7 +318,7 @@ + dns_transaction_process_reply(t, p); + } + +- 
dns_cache_put(&scope->cache, NULL, DNS_PACKET_RCODE(p), p->answer, false, (uint32_t) -1, 0, p->family, &p->sender); ++ dns_cache_put(&scope->cache, scope->manager->enable_cache, NULL, DNS_PACKET_RCODE(p), p->answer, false, (uint32_t) -1, 0, p->family, &p->sender); + + } else if (dns_packet_validate_query(p) > 0) { + log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p)); +--- a/src/shared/resolve-util.c ++++ b/src/shared/resolve-util.c +@@ -26,4 +26,14 @@ + [DNS_OVER_TLS_NO] = "no", + [DNS_OVER_TLS_OPPORTUNISTIC] = "opportunistic", + }; ++ + DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_over_tls_mode, DnsOverTlsMode, _DNS_OVER_TLS_MODE_INVALID); ++ ++DEFINE_CONFIG_PARSE_ENUM(config_parse_dns_cache_mode, dns_cache_mode, DnsCacheMode, "Failed to parse DNS cache mode setting") ++ ++static const char* const dns_cache_mode_table[_DNS_CACHE_MODE_MAX] = { ++ [DNS_CACHE_MODE_YES] = "yes", ++ [DNS_CACHE_MODE_NO] = "no", ++ [DNS_CACHE_MODE_NO_NEGATIVE] = "no-negative", ++}; ++DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_cache_mode, DnsCacheMode, DNS_CACHE_MODE_YES); +--- a/src/shared/resolve-util.h ++++ b/src/shared/resolve-util.h +@@ -4,6 +4,16 @@ + #include "conf-parser.h" + #include "macro.h" + ++typedef enum DnsCacheMode DnsCacheMode; ++ ++enum DnsCacheMode { ++ DNS_CACHE_MODE_NO, ++ DNS_CACHE_MODE_YES, ++ DNS_CACHE_MODE_NO_NEGATIVE, ++ _DNS_CACHE_MODE_MAX, ++ _DNS_CACHE_MODE_INVALID = 1 ++}; ++ + typedef enum ResolveSupport ResolveSupport; + typedef enum DnssecMode DnssecMode; + typedef enum DnsOverTlsMode DnsOverTlsMode; +@@ -49,6 +59,7 @@ + CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support); + CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode); + CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode); ++CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode); + + const char* resolve_support_to_string(ResolveSupport p) _const_; + ResolveSupport resolve_support_from_string(const char *s) _pure_; +@@ -58,3 +69,6 @@ + + const char* 
dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_; + DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_; ++ ++const char* dns_cache_mode_to_string(DnsCacheMode p) _const_; ++DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_; diff -Nru systemd-240/debian/patches/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch systemd-240/debian/patches/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch --- systemd-240/debian/patches/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch 2019-07-22 16:45:02.000000000 +0000 
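Review bot: In the `enum DnsCacheMode` added to src/shared/resolve-util.h, `_DNS_CACHE_MODE_INVALID = 1` makes the invalid marker equal to `DNS_CACHE_MODE_YES` and leaves the enum with no negative enumerator; systemd's other `_*_INVALID` markers are `-1`, and `config_parse_dns_cache_mode` (generated by DEFINE_CONFIG_PARSE_ENUM in resolve-util.c) rejects a bad `Cache=` value with an `x < 0` test, which cannot fire when the compiler picks an unsigned underlying type for this enum, so a misspelt value would be stored into `enable_cache` instead of being ignored. Unless the `1` is a transcription slip in this copy of the patch, change it to `_DNS_CACHE_MODE_INVALID = -1`. The callers in resolved-dns-transaction.c and resolved-mdns.c need no change for that.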
@@ -0,0 +1,43 @@ +From ac2dce5f36bb8b1a877ff765e6a4dfde6bfb2d49 Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Bug: https://github.com/systemd/systemd/issues/12969 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1835581 +Origin: upstream, https://github.com/systemd/systemd/commit/ac2dce5f36bb8b1a877ff765e6a4dfde6bfb2d49 +Date: Fri, 5 Jul 2019 16:42:38 -0400 +Subject: [PATCH] src/network/networkd-dhcp4.c: set prefsrc for classless or + static routes + +When a DHCP server provides only a gateway, the networkd-dhcp4 code adds a +default route using that gateway, and sets the just-provided address as +the route's prefsrc; this was added in commit +46b0c76e2c355c0d0cc4792abb98cde07b28bc53 + +However, if the DHCP server has also provided classless route(s), these +are used instead of a default route using the provided gateway; the +networkd-dhcp4 code sets up the classless routes, but does not use the +just-provided dhcp address as the prefsrc of the route(s). Note that +it also doesn't set the prefsrc for static routes, though it should. + +If the interface has only the dhcp-provided address, this is not usually +a problem, but if it has another address (e.g. a static address), then +traffic sent through the dhcp-provided gateway might not use the +dhcp-provided source address. If the gateway router only will route +traffic from the dhcp-provided address, then the dhcp client system's +networking through the router will not work. 
+ +Fixes: #12969 +--- + src/network/networkd-dhcp4.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/network/networkd-dhcp4.c ++++ b/src/network/networkd-dhcp4.c +@@ -115,6 +115,8 @@ + route->priority = link->network->dhcp_route_metric; + route->table = table; + route->scope = route_scope_from_address(route, &address); ++ if (IN_SET(route->scope, RT_SCOPE_LINK, RT_SCOPE_UNIVERSE)) ++ route->prefsrc.in = address; + + r = route_configure(route, link, dhcp4_route_handler); + if (r < 0) diff -Nru systemd-240/debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch systemd-240/debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch --- systemd-240/debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch 2019-07-22 16:45:02.000000000 +0000 
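Review bot: The two added lines in networkd-dhcp4.c set `route->prefsrc.in` only when `route->scope` is RT_SCOPE_LINK or RT_SCOPE_UNIVERSE, but nothing in the hunk explains the scope restriction, and the enclosing function starts and ends outside the hunk, so the next person backporting this has only the commit message to go on. A one-line comment above the `IN_SET` test would carry the rationale into the code, e.g. `/* Use the DHCP-provided address as the route's preferred source so traffic via the DHCP gateway leaves from it (LP: #1835581) */`. If there is a reason host-scope routes are deliberately left without a prefsrc, that is worth stating there too.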
@@ -0,0 +1,33 @@ +From 2301c54fa91379f5fe2458e28ed902aff5cf12d2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 28 Jan 2019 09:42:35 +0100 +Subject: [PATCH] network/wireguard: fixes sending wireguard peer settings + +This fixes a bug introduced by e1f717d4a02e15ae11a191dd4962b2f4d117678d. + +Fixes #11579. + +Origin: upstream, https://github.com/systemd/systemd/pull/11580/commits/2301c54fa91379f5fe2458e28ed902aff5cf12d2 +Bug: https://github.com/systemd/systemd/issues/11579 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1825378 + +--- + src/network/netdev/wireguard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c +index 1efd8863f6..dd239f79a8 100644 +--- a/src/network/netdev/wireguard.c ++++ b/src/network/netdev/wireguard.c +@@ -109,7 +109,7 @@ static int wireguard_set_peer_one(NetDev *netdev, sd_netlink_message *message, c + if (r < 0) + goto cancel; + +- if (!start) { ++ if (!*mask_start) { + r = sd_netlink_message_append_data(message, WGPEER_A_PRESHARED_KEY, &peer->preshared_key, WG_KEY_LEN); + if (r < 0) + goto cancel; +-- +2.20.1 + diff -Nru systemd-240/debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch systemd-240/debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch --- systemd-240/debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch 2019-07-22 16:45:02.000000000 +0000 
@@ -0,0 +1,33 @@ +From 624a47694cad4c87b2e807c32db656f3e9d679c5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 28 Jan 2019 12:27:37 +0100 +Subject: [PATCH] network/wireguard: use + sd_netlink_message_append_sockaddr_in{,6}() + +Origin: upstream, https://github.com/systemd/systemd/pull/11580/commits/624a47694cad4c87b2e807c32db656f3e9d679c5 +Bug: https://github.com/systemd/systemd/issues/11579 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1825378 + +--- + src/network/netdev/wireguard.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c +index dd239f79a8..0c0b16d1da 100644 +--- a/src/network/netdev/wireguard.c ++++ b/src/network/netdev/wireguard.c +@@ -123,9 +123,9 @@ static int wireguard_set_peer_one(NetDev *netdev, sd_netlink_message *message, c + goto cancel; + + if (peer->endpoint.sa.sa_family == AF_INET) +- r = sd_netlink_message_append_data(message, WGPEER_A_ENDPOINT, &peer->endpoint.in, sizeof(peer->endpoint.in)); ++ r = sd_netlink_message_append_sockaddr_in(message, WGPEER_A_ENDPOINT, &peer->endpoint.in); + else if (peer->endpoint.sa.sa_family == AF_INET6) +- r = sd_netlink_message_append_data(message, WGPEER_A_ENDPOINT, &peer->endpoint.in6, sizeof(peer->endpoint.in6)); ++ r = sd_netlink_message_append_sockaddr_in6(message, WGPEER_A_ENDPOINT, &peer->endpoint.in6); + if (r < 0) + goto cancel; + } +-- +2.20.1 + diff -Nru systemd-240/debian/patches/rdrand-workaround-on-amd.patch systemd-240/debian/patches/rdrand-workaround-on-amd.patch --- systemd-240/debian/patches/rdrand-workaround-on-amd.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/rdrand-workaround-on-amd.patch 2019-07-22 16:45:02.000000000 +0000 
@@ -0,0 +1,49 @@ +From: Jeremy Soller +Date: Tue, 9 Jul 2019 11:31:46 +0200 +Subject: random-util: eat up bad RDRAND values seen on AMD CPUs + +This fixes AMD Ryzen 3000 series failing to boot +From https://github.com/systemd/systemd/pull/12536 + +LP: #1835809 +=================================================================== +--- + src/basic/random-util.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index f7decf6..857027f 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -37,6 +37,7 @@ int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) + static int have_rdrand = -1; ++ unsigned long v; + unsigned char err; + + if (have_rdrand < 0) { +@@ -56,9 +57,22 @@ int rdrand(unsigned long *ret) { + + asm volatile("rdrand %0;" + "setc %1" +- : "=r" (*ret), ++ : "=r" (v), + "=qm" (err)); + ++ /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success ++ * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be ++ * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking ++ * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around ++ * only however and something AMD really should fix properly. The Linux kernel should probably work ++ * around this issue by turning off RDRAND altogether on those CPUs. 
See: ++ * https://github.com/systemd/systemd/issues/11810 */ ++ if (v == 0 || v == ULONG_MAX) ++ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v); ++ ++ *ret = v; ++ + #if HAS_FEATURE_MEMORY_SANITIZER + __msan_unpoison(&err, sizeof(err)); + #endif diff -Nru systemd-240/debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch systemd-240/debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch --- systemd-240/debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch 2019-07-22 16:45:02.000000000 +0000 
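Review bot: The new `if (v == 0 || v == ULONG_MAX)` test in rdrand() runs before the existing carry-flag check on `err`, which is not inside the hunk but presumably follows the `#if HAS_FEATURE_MEMORY_SANITIZER` block; a RDRAND that actually failed (CF clear, destination left at zero) is therefore reported as EUCLEAN "bad hardware RNG" instead of the transient failure the caller can retry on. Upstream's version of this workaround applies the value filter only after `err` has been checked, so move the `if (v == 0 || v == ULONG_MAX) ...` block and `*ret = v;` to just after that check. Under MSan `v` is also an asm output read before any unpoisoning, unlike `err`; add `__msan_unpoison(&v, sizeof(v));` next to the existing call if the reordering keeps the read inside that region. rdrand() continues past the end of the hunk.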
@@ -0,0 +1,105 @@ +From abd48ec87f2ac5dd571a99dcb4db88c4affdffc8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 28 Jan 2019 12:19:29 +0100 +Subject: [PATCH] sd-netlink: introduce + sd_netlink_message_append_sockaddr_in{,6}() + +Origin: upstream, https://github.com/systemd/systemd/pull/11580/commits/abd48ec87f2ac5dd571a99dcb4db88c4affdffc8 +Bug: https://github.com/systemd/systemd/issues/11579 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1825378 + +--- + src/libsystemd/sd-netlink/netlink-message.c | 36 +++++++++++++++++++++ + src/libsystemd/sd-netlink/netlink-types.c | 2 +- + src/libsystemd/sd-netlink/netlink-types.h | 1 + + src/systemd/sd-netlink.h | 2 ++ + 4 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-netlink/netlink-message.c b/src/libsystemd/sd-netlink/netlink-message.c +index b0b25639f4..5e9bc45139 100644 +--- a/src/libsystemd/sd-netlink/netlink-message.c ++++ b/src/libsystemd/sd-netlink/netlink-message.c +@@ -370,6 +370,42 @@ int sd_netlink_message_append_in6_addr(sd_netlink_message *m, unsigned short typ + return 0; + } + ++int sd_netlink_message_append_sockaddr_in(sd_netlink_message *m, unsigned short type, const struct sockaddr_in *data) { ++ int r; ++ ++ assert_return(m, -EINVAL); ++ assert_return(!m->sealed, -EPERM); ++ assert_return(data, -EINVAL); ++ ++ r = message_attribute_has_type(m, NULL, type, NETLINK_TYPE_SOCKADDR); ++ if (r < 0) ++ return r; ++ ++ r = add_rtattr(m, type, data, sizeof(struct sockaddr_in)); ++ if (r < 0) ++ return r; ++ ++ return 0; ++} ++ ++int sd_netlink_message_append_sockaddr_in6(sd_netlink_message *m, unsigned short type, const struct sockaddr_in6 *data) { ++ int r; ++ ++ assert_return(m, -EINVAL); ++ assert_return(!m->sealed, -EPERM); ++ assert_return(data, -EINVAL); ++ ++ r = message_attribute_has_type(m, NULL, type, NETLINK_TYPE_SOCKADDR); ++ if (r < 0) ++ return r; ++ ++ r = add_rtattr(m, type, data, sizeof(struct sockaddr_in6)); ++ if (r < 0) ++ return r; 
++ ++ return 0; ++} ++ + int sd_netlink_message_append_ether_addr(sd_netlink_message *m, unsigned short type, const struct ether_addr *data) { + int r; + +diff --git a/src/libsystemd/sd-netlink/netlink-types.c b/src/libsystemd/sd-netlink/netlink-types.c +index bb7e8c33ba..9dcd3f2ac8 100644 +--- a/src/libsystemd/sd-netlink/netlink-types.c ++++ b/src/libsystemd/sd-netlink/netlink-types.c +@@ -721,7 +721,7 @@ static const NLType genl_wireguard_peer_types[] = { + [WGPEER_A_FLAGS] = { .type = NETLINK_TYPE_U32 }, + [WGPEER_A_PRESHARED_KEY] = { .size = WG_KEY_LEN }, + [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NETLINK_TYPE_U16 }, +- [WGPEER_A_ENDPOINT] = { /* either size of sockaddr_in or sockaddr_in6 depending on address family */ }, ++ [WGPEER_A_ENDPOINT] = { .type = NETLINK_TYPE_SOCKADDR }, + [WGPEER_A_ALLOWEDIPS] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_allowedip_type_system }, + }; + +diff --git a/src/libsystemd/sd-netlink/netlink-types.h b/src/libsystemd/sd-netlink/netlink-types.h +index 3133e4863d..b84fa4762b 100644 +--- a/src/libsystemd/sd-netlink/netlink-types.h ++++ b/src/libsystemd/sd-netlink/netlink-types.h +@@ -16,6 +16,7 @@ enum { + NETLINK_TYPE_CACHE_INFO, + NETLINK_TYPE_NESTED, /* NLA_NESTED */ + NETLINK_TYPE_UNION, ++ NETLINK_TYPE_SOCKADDR, + }; + + typedef enum NLMatchType { +diff --git a/src/systemd/sd-netlink.h b/src/systemd/sd-netlink.h +index a97a965ec4..9e6e437bab 100644 +--- a/src/systemd/sd-netlink.h ++++ b/src/systemd/sd-netlink.h +@@ -78,6 +78,8 @@ int sd_netlink_message_append_u32(sd_netlink_message *m, unsigned short type, ui + int sd_netlink_message_append_data(sd_netlink_message *m, unsigned short type, const void *data, size_t len); + int sd_netlink_message_append_in_addr(sd_netlink_message *m, unsigned short type, const struct in_addr *data); + int sd_netlink_message_append_in6_addr(sd_netlink_message *m, unsigned short type, const struct in6_addr *data); ++int 
sd_netlink_message_append_sockaddr_in(sd_netlink_message *m, unsigned short type, const struct sockaddr_in *data); ++int sd_netlink_message_append_sockaddr_in6(sd_netlink_message *m, unsigned short type, const struct sockaddr_in6 *data); + int sd_netlink_message_append_ether_addr(sd_netlink_message *m, unsigned short type, const struct ether_addr *data); + int sd_netlink_message_append_cache_info(sd_netlink_message *m, unsigned short type, const struct ifa_cacheinfo *info); + +-- +2.20.1 + diff -Nru systemd-240/debian/patches/series systemd-240/debian/patches/series --- systemd-240/debian/patches/series 2019-04-11 13:07:36.000000000 +0000 +++ systemd-240/debian/patches/series 2019-09-05 11:01:29.000000000 +0000 @@ -142,3 +142,12 @@ curl-util-fix-use-after-free.patch shared-dissect-image-make-sure-that-we-don-t-truncate-dev.patch journal-avoid-buffer-overread-when-locale-name-is-too-lon.patch +network-wireguard-fixes-sending-wireguard-peer-setti.patch +test-network-add-more-checks-in-NetworkdNetDevTests..patch +sd-netlink-introduce-sd_netlink_message_append_socka.patch +network-wireguard-use-sd_netlink_message_append_sock.patch +ask-password-prevent-buffer-overrow-when-reading-fro.patch +rdrand-workaround-on-amd.patch +lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch +lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch +0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch diff -Nru systemd-240/debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch systemd-240/debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch --- systemd-240/debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-240/debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch 2019-07-22 16:45:02.000000000 +0000 
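Review bot: The two new functions in netlink-message.c pass `sizeof(struct sockaddr_in)` and `sizeof(struct sockaddr_in6)` to add_rtattr() although the `data` parameter already has that type; `r = add_rtattr(m, type, data, sizeof *data);` in both ties the length to the parameter and cannot drift if either signature is edited later. Apart from that type the two bodies are identical and could share a static helper, but that is a style choice. In netlink-types.c the new `NETLINK_TYPE_SOCKADDR` entry has no `.size`, so the type check accepts either address-family length for WGPEER_A_ENDPOINT, which matches the comment it replaces and appears intended; a short comment on the enum value in netlink-types.h saying it covers both sockaddr_in and sockaddr_in6 would make that explicit.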
@@ -0,0 +1,45 @@ +From 16ab043bda149ab1117b27464aa98d98ed4f2616 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 28 Jan 2019 10:09:22 +0100 +Subject: [PATCH] test-network: add more checks in + NetworkdNetDevTests.test_wireguard + +Origin: upstream, https://github.com/systemd/systemd/pull/11580/commits/16ab043bda149ab1117b27464aa98d98ed4f2616 +Bug: https://github.com/systemd/systemd/issues/11579 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1825378 + +--- + test/test-network/conf/25-wireguard.netdev | 3 ++- + test/test-network/systemd-networkd-tests.py | 10 ++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/test/test-network/conf/25-wireguard.netdev ++++ b/test/test-network/conf/25-wireguard.netdev +@@ -10,6 +10,7 @@ + [WireGuardPeer] + PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA= + AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24 +-Endpoint=wireguard.example.com:51820 ++#Endpoint=wireguard.example.com:51820 ++Endpoint=192.168.27.3:51820 + PresharedKey=IIWIV17wutHv7t4cR6pOT91z6NSz/T8Arh0yaywhw3M= + PersistentKeepalive=20 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -388,6 +388,16 @@ + + if shutil.which('wg'): + subprocess.call('wg') ++ output = subprocess.check_output(['wg', 'show', 'wg99', 'listen-port']).rstrip().decode('utf-8') ++ self.assertTrue(output, '51820') ++ output = subprocess.check_output(['wg', 'show', 'wg99', 'fwmark']).rstrip().decode('utf-8') ++ self.assertTrue(output, '0x4d2') ++ output = subprocess.check_output(['wg', 'show', 'wg99', 'allowed-ips']).rstrip().decode('utf-8') ++ self.assertTrue(output, 'RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=\t192.168.26.0/24 fd31:bf08:57cb::/48') ++ output = subprocess.check_output(['wg', 'show', 'wg99', 'persistent-keepalive']).rstrip().decode('utf-8') ++ self.assertTrue(output, 'RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=\t20') ++ output = subprocess.check_output(['wg', 'show', 'wg99', 
'endpoints']).rstrip().decode('utf-8') ++ self.assertTrue(output, 'RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=\t192.168.27.3:51820') + + self.assertTrue(self.link_exits('wg99')) + diff -Nru systemd-240/debian/tests/boot-smoke systemd-240/debian/tests/boot-smoke --- systemd-240/debian/tests/boot-smoke 2019-04-11 12:54:43.000000000 +0000 +++ systemd-240/debian/tests/boot-smoke 2019-07-22 16:45:02.000000000 +0000 @@ -5,6 +5,10 @@ # with --copy /host/path/systemd-foo:/tmp/systemd-replace/systemd-foo set -e +RUNNING_TIMEOUT=35 +JOBS_TIMEOUT=35 +REBOOTS=5 + . `dirname $0`/assert.sh if [ -z "$ADT_REBOOT_MARK" ]; then @@ -32,7 +36,7 @@ ret=0 echo "waiting to boot..." - TIMEOUT=35 + TIMEOUT=$RUNNING_TIMEOUT while [ $TIMEOUT -ge 0 ]; do state="$(systemctl is-system-running || true)" case $state in @@ -71,9 +75,15 @@ fi echo "checking that there are no running jobs" - running="$(systemctl --no-pager --no-legend list-jobs || true)" + TIMEOUT=$JOBS_TIMEOUT + while [ $TIMEOUT -ge 0 ]; do + running="$(systemctl --no-pager --no-legend list-jobs || true)" + [ -n "$running" ] || break + sleep 1 + TIMEOUT=$((TIMEOUT - 1)) + done if [ -n "$running" ]; then - echo "running jobs after remaining timeout $TIMEOUT: $running" + echo "running jobs after remaining timeout $JOBS_TIMEOUT: $running" journalctl --sync journalctl -ab > $ADT_ARTIFACTS/journal.txt udevadm info --export-db > $ADT_ARTIFACTS/udevdb.txt @@ -85,7 +95,7 @@ fi fi -if [ "$ADT_REBOOT_MARK" -ge 5 ]; then +if [ "$ADT_REBOOT_MARK" -ge "$REBOOTS" ]; then exit 0 fi
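Review bot: The five new `self.assertTrue(output, '...')` calls in systemd-networkd-tests.py do not compare `output` with the quoted value: unittest's assertTrue takes its second argument as the failure message, so each check passes whenever `wg show` prints anything at all, and the listen-port, fwmark, allowed-ips, persistent-keepalive and endpoint values are never actually verified. Use `self.assertEqual(output, '51820')` and likewise for the other four, or `assertRegex` if the exact `wg show` formatting is not stable across versions. The test method itself starts and ends outside the hunk.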
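Review bot: In the `@@ -71,9 +75,15 @@` hunk of debian/tests/boot-smoke the new polling loop counts `TIMEOUT` down, yet the failure message still reads `running jobs after remaining timeout $JOBS_TIMEOUT`, which now prints the configured total rather than anything remaining; `echo "running jobs still present after ${JOBS_TIMEOUT}s: $running"` says what was measured. Because the loop tests `-ge 0` and sleeps before decrementing, it can wait up to JOBS_TIMEOUT+1 seconds; this mirrors the existing `RUNNING_TIMEOUT` loop and is harmless, but a comment on the `JOBS_TIMEOUT=35` definition noting the off-by-one would save the next reader a recount.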