| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 May 2014 00:31:23 +0200
From: Mihai Moldovan <ionic@...ic.de>
To: LKML <linux-kernel@...r.kernel.org>
CC: Pablo Neira Ayuso <pablo@...filter.org>,
Patrick McHardy <kaber@...sh.net>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
Subject: NULL pointer dereference in netfilter
Hi
earlier today, I experienced a kernel panic due to a NULL pointer dereference
somewhere in the netfilter subsystem.
Full kernel output (may contain typos):
[360412.114033] BUG: unable to handle kernel NULL pointer dereference at
0000000000000010
[360412.115643] IP: [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117244] PGD: 0
[360412.117337] Oops: 0002 [#3] SMP
[360412.117337] Modules linked in: ath9k ath9k_common ath9k_hw ath mac80211
cfg80211 xt_conntrack xt_dscp kvm_intel kvm hfcsusb mISDN_core e1000e cp210x
i915 rfkil ptp video pps_core drm_kms_helper backlight [last unloaded: cfg80211]
[360412.117337] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D O
3.14.2-OSS4.2 #2
[360412.117337] Hardware name: /DQ45CB, BIOS
CBQ4510H.86A.0133.2011.0810.1010 08/10/2011
[360412.117337] task: ffff8802321c5540 ti: ffff8802321f4000 task.ti:
ffff8802321f40000
[360412.117337] RIP: 0010:[<ffffffff81865efe>] [<ffffffff81865efe>]
nf_nat_setup_info+0x56e/0x900
[360412.117337] RSP: 0018:ffff88023bd03668 EFLAGS: 000010246
[360412.117337] RAX: 0000000000000000 RBX: ffff8800b073d380 RCX: 000000000ae3d87f
[360412.117337] RDX: ffff88021cdc9800 RSI: 00000000b8061897 RDI: ffffffff824808b8
[360412.117337] RBP: ffff88023bd03748 R08: ffff88003773e000 R09: ffffffff820ac780
[360412.117337] R10: ffff88021cdc9800 R11: ffff88021cdc98e0 R12: 000000000000235d
[360412.117337] R13: 0000000000000000 R14: ffff88023bd03698 R15: ffff88023bd036c0
[360412.117337] FS: 0000000000000000(0000) GS:ffff88023bd00000(0000)
knlGS:0000000000000000
[360412.117337] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[360412.117337] CR2: 0000000000000010 CR3: 000000000200b000 CR4: 00000000000407e0
[360412.117337] Stack:
[360412.117337] ffffffff820ac780 ffffffff81d905b0 ffff88023bd036c0 ffffffff820ac780
[360412.117337] ffffffff81d964e0 ffffffff81d906a0 00000000df8e782a 0000000000000000
[360412.117337] 8343b75500027f96 0000000000000000 0006bb0600000000 000000008343b755
[360412.117337] Call Trace:
[360412.117337] <IRQ>
[360412.117337] [<ffffffff81874e9f>] xt_snat_target_v0+0x6f/0x90
[360412.117337] [<ffffffff818e0453>] ipt_do_table+0x2c3/0x6c0
[360412.117337] [<ffffffff818e04b6>] ? ipt_do_table+0x326/0x6c0
[360412.117337] [<ffffffff818e0d07>] nf_nat_ipv6_fn+0x1d7/0x330
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff818e1068>] nf_nat_ipv4_out+0x58/0x100
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81846b75>] nf_iterate+0x85/0xb0
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81846c0c>] nf_hook_slow+0x6c/0x130
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81889bb2>] ip_output+0x82/0x90
[360412.117337] [<ffffffff81889314>] ip_local_out+0x24/0x30
[360412.117337] [<ffffffff818e2182>] reject_tg+0x4d2/0x4e0
[360412.117337] [<ffffffff818e0453>] ipt_do_table+0x2c3/0x6c0
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff818e0924>] iptable_filter_hook+0x34/0x70
[360412.117337] [<ffffffff81846b75>] nf_iterate+0x85/0xb0
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff81846c0c>] nf_hook_slow+0x6c/0x130
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff81884303>] ip_local_deliver+0x73/0x80
[360412.117337] [<ffffffff81883c53>] ip_rcv_finish+0x83/0x360
[360412.117337] [<ffffffff818845b8>] ip_rcv+0x2a8/0x3e0
[360412.117337] [<ffffffff817e7bb2>] __netif_receive_skb_core+0x632/0x7a0
[360412.117337] [<ffffffff817e7d3c>] __netif_receive_skb+0x1c/0x70
[360412.117337] [<ffffffff817e7e2c>] process_backlog+0x9c/0x170
[360412.117337] [<ffffffff817e823b>] net_rx_action+0xfb/0x1a0
[360412.117337] [<ffffffff810c3e65>] __do_softirq+0xd5/0x1f0
[360412.117337] [<ffffffff810c4185>] irq_exit+0x95/0xa0
[360412.117337] [<ffffffff81003d82>] do_IRQ+0x62/0x110
[360412.117337] [<ffffffff81a20d67>] common_interrupt_0x67/0x67
[360412.117337] <EOI>
[360412.117337] [<ffffffff81791ce6>] ? cpuidle_enter_state+0x56/0xd0
[360412.117337] [<ffffffff81791ce2>] ? cpuidle_enter_state+0x52/0xd0
[360412.117337] [<ffffffff81791dfa>] cpuidle_idle_call+0x9a/0x140
[360412.117337] [<ffffffff8100afe9>] arch_cpu_idle+0x9/0x20
[360412.117337] [<ffffffff8110a81a>] cpu_startup_entry+0xda/0x1c0
[360412.117337] [<ffffffff8102a1ad>] start_secondary+0x20d/0x2c0
[360412.117337] Code: e0 e8 a7 a9 1b 00 48 8b 93 e0 00 00 00 49 c1 ec 20 48 85
d2 74 0c 0f b6 42 11 84 c0 0f 85 93 02 00 00 31 c0 4c 8b 8d 38 ff ff ff <48> 89
58 10 49 8b 91 70 0b 00 00 4a 8d 14 e2 48 8b 0a 48 89 50
[360412.117337] RIP [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117337] RSP <ffff88023bd03668>
[360412.117337] CR2: 0000000000000010
[360412.117337] - - -[ end trace 691638412d73c338 ]- - -
[360412.117337] Kernel panic - not syncing: Fatal exception in interrupt
[360412.117337] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range:
0xffffffff80000000-0xffffffff9fffffff)
[360412.117337] drm_kms_helper: panic occurred, switching back to text console
decodecode:
All code
========
0: e0 e8 loopne 0xffffffffffffffea
2: a7 cmpsl %es:(%rdi),%ds:(%rsi)
3: a9 1b 00 48 8b test $0x8b48001b,%eax
8: 93 xchg %eax,%ebx
9: e0 00 loopne 0xb
b: 00 00 add %al,(%rax)
d: 49 c1 ec 20 shr $0x20,%r12
11: 48 85 d2 test %rdx,%rdx
14: 74 0c je 0x22
16: 0f b6 42 11 movzbl 0x11(%rdx),%eax
1a: 84 c0 test %al,%al
1c: 0f 85 93 02 00 00 jne 0x2b5
22: 31 c0 xor %eax,%eax
24: 4c 8b 8d 38 ff ff ff mov -0xc8(%rbp),%r9
2b:* 48 89 58 10 mov %rbx,0x10(%rax) <-- trapping
instruction
2f: 49 8b 91 70 0b 00 00 mov 0xb70(%r9),%rdx
36: 4a 8d 14 e2 lea (%rdx,%r12,8),%rdx
3a: 48 8b 0a mov (%rdx),%rcx
3d: 48 rex.W
3e: 89 .byte 0x89
3f: 50 push %rax
Code starting with the faulting instruction
===========================================
0: 48 89 58 10 mov %rbx,0x10(%rax)
4: 49 8b 91 70 0b 00 00 mov 0xb70(%r9),%rdx
b: 4a 8d 14 e2 lea (%rdx,%r12,8),%rdx
f: 48 8b 0a mov (%rdx),%rcx
12: 48 rex.W
13: 89 .byte 0x89
14: 50 push %rax
And, if it's of any interest (at least I've seen snat in there, so I'm going
ahead with this), one of the many rules in iptables:
Chain POSTROUTING (policy ACCEPT 1836 packets, 89722 bytes)
2189 157K SNAT all -- * ppp0 0.0.0.0/0
0.0.0.0/0 to:85.183.67.131
Can/should I provide any more information?
Unfortunately, I don't have a full packet log of my network when the issue
happened. It came pretty much out of the blue.
Best regards,
Mihai
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4265 bytes)
Powered by blists - more mailing lists