Date: Thu, 16 Aug 2012 13:58:41 -0400
From: "Banerjee, Debabrata" <dbanerje@...mai.com>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: "Hunt, Joshua" <johunt@...mai.com>, "dbavatar@...il.com" <dbavatar@...il.com>, "Lubashev, Igor" <ilubashe@...mai.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: IPv6 deadlock with CONFIG_IPV6_ROUTER_PREF

This code tries to send a neighbor discovery ICMPv6 packet for router reachability while read_lock(tb6_lock) is held. The send may want to cause a fib6_clean_all() garbage collection, which will try to take write_lock(tb6_lock), resulting in deadlock. Garbage collection becomes more likely under high load of cloned routes, so this is exploitable as a DDOS attack, given enough attack hosts in relation to max_size of the route table (default of 4k). I checked from 3.6-rc1 back to 2.6.32; it is present everywhere. Stack trace below.

Thanks,
Debabrata

[46476.055009] Pid: 7963, comm: xxxx Not tainted 2.6.38-amd64
[46476.055009] RIP: 0010:[<ffffffff812878c9>] [<ffffffff812878c9>] __write_lock_failed+0x9/0x20
[46476.055009] RSP: 0018:ffff8801a099f8f0 EFLAGS: 00200287
[46476.055009] RAX: ffff8801a099ffd8 RBX: 0000000000000000 RCX: 0000000000000000
[46476.055009] RDX: 0000000000000000 RSI: ffffffffa0196e60 RDI: ffff88020bc95454
[46476.055009] RBP: ffff8801a099f908 R08: ffff8801a099fb78 R09: 0000000000000003
[46476.055009] R10: ffff8801a099fa38 R11: ffff88020ebf1c00 R12: ffffffff8100370e
[46476.055009] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[46476.055009] FS: 00007fa1f4a596d0(0000) GS:ffff8800e7c00000(0063) knlGS:00000000f6a5fba0
[46476.055009] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
[46476.055009] CR2: 00000000f7791000 CR3: 00000001a0bcc000 CR4: 00000000000006f0
[46476.055009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[46476.055009] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[46476.055009] Process xxxx (pid: 7963, threadinfo ffff8801a099e000, task ffff8801a099c880)
[46476.055009] Stack:
[46476.055009]  ffffffff81482c17 ffff8801a099f928 ffff88020bc95454 ffff8801a099f948
[46476.055009]  ffffffffa01972f9 ffffffffa0196e60 0000000000000200 ffffffff81960a80
[46476.055009]  0000000000000d80 000000000000ea60 00000001004cbccc ffff8801a099f968
[46476.055009] Call Trace:
[46476.055009]  [<ffffffff81482c17>] ? _raw_write_lock_bh+0x27/0x30    (deadlock on write_lock tb6_lock)
[46476.055009]  [<ffffffffa01972f9>] fib6_clean_all+0x49/0x90 [ipv6]
[46476.055009]  [<ffffffffa0196e60>] ? fib6_age+0x0/0x80 [ipv6]
[46476.055009]  [<ffffffffa019744f>] fib6_run_gc+0x4f/0xe0 [ipv6]
[46476.055009]  [<ffffffffa0193547>] ip6_dst_gc+0x97/0x120 [ipv6]
[46476.055009]  [<ffffffff813d5515>] dst_alloc+0xa5/0xc0
[46476.055009]  [<ffffffffa0196c91>] icmp6_dst_alloc+0x51/0x170 [ipv6]
[46476.055009]  [<ffffffffa019ac3f>] ndisc_send_skb+0x6f/0x2c0 [ipv6]
[46476.055009]  [<ffffffff81481b2d>] ? schedule_hrtimeout_range_clock+0xcd/0x110
[46476.055009]  [<ffffffffa019aef1>] __ndisc_send+0x61/0x80 [ipv6]
[46476.055009]  [<ffffffffa019afbc>] ndisc_send_ns+0x6c/0xa0 [ipv6]
[46476.055009]  [<ffffffffa0195459>] rt6_probe+0xc9/0xd0 [ipv6]
[46476.055009]  [<ffffffff81120e50>] ? __pollwait+0x0/0x100
[46476.055009]  [<ffffffffa0195575>] find_match+0x115/0x180 [ipv6]
[46476.055009]  [<ffffffffa01956b3>] ip6_pol_route+0xd3/0x2d0 [ipv6]    (read_lock tb6_lock)
[46476.055009]  [<ffffffffa01958c6>] ip6_pol_route_output+0x16/0x20 [ipv6]
[46476.055009]  [<ffffffffa0196dfe>] fib6_rule_lookup+0x1e/0x20 [ipv6]
[46476.055009]  [<ffffffffa01948c1>] ip6_route_output+0x61/0xa0 [ipv6]
[46476.055009]  [<ffffffffa0188232>] ip6_dst_lookup_tail+0xe2/0xf0 [ipv6]
[46476.055009]  [<ffffffffa0188255>] ip6_dst_lookup+0x15/0x20 [ipv6]
[46476.055009]  [<ffffffffa01aca8c>] tcp_v6_connect+0x26c/0x6e0 [ipv6]
[46476.055009]  [<ffffffff81235a36>] ? security_sk_alloc+0x16/0x20
[46476.055009]  [<ffffffff8142be49>] inet_stream_connect+0x2a9/0x300
[46476.055009]  [<ffffffff81482be4>] ? _raw_spin_unlock_bh+0x14/0x20
[46476.055009]  [<ffffffff813be329>] ? release_sock+0xd9/0x110
[46476.055009]  [<ffffffff813bc00f>] sys_connect+0xaf/0xd0
[46476.055009]  [<ffffffff813e4077>] ? compat_sys_setsockopt+0x87/0x220
[46476.055009]  [<ffffffff81150e28>] ? compat_sys_fcntl64+0x1d8/0x380
[46476.055009]  [<ffffffff813e4c93>] compat_sys_socketcall+0x93/0x1f0
[46476.055009]  [<ffffffff810354ec>] cstar_dispatch+0x7/0x32
[46476.055009] Code: 00 00 48 8b 5b 20 48 83 eb 07 48 39 d9 73 06 48 89 01 31 c0 c3 b8 f2 ff ff ff c3 90 90 90 90 90 90 90 f0 81 07 00 00 00 01 f3 90 <81> 3f 00 00 00 01 75 f6 f0 81 2f 00 00 00 01 0f 85 e2 ff ff ff
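The deadlock in the report is a self-deadlock on one rwlock: ip6_pol_route holds tb6_lock for reading, and further down the same call chain fib6_clean_all asks for it for writing, which can never be granted while the caller's own read hold is outstanding. Below is an added illustration, not kernel code and not part of the original post: a minimal lockdep-style checker that replays the lock operations a code path performs on a single rwlock and reports a write (or read) acquisition that conflicts with a hold the same context already has. The "buggy" path is read directly off the call trace above; the "deferred" path is an assumed mitigation pattern for illustration only (release the read lock before any work that may trigger garbage collection), not a claim about how the kernel actually fixed it. Function names in the step tables are those from the trace; the checker, its types and the two path tables are the author of this example's own constructs.

```c
#include <stdio.h>
#include <string.h>

/* Operations a code path performs on one rwlock (tb6_lock in the report). */
enum lock_op { RD_LOCK, RD_UNLOCK, WR_LOCK, WR_UNLOCK };

struct lock_step {
    enum lock_op op;
    const char *where;          /* function in the call chain that performs the op */
};

struct lock_state {
    int read_depth;             /* read holds outstanding in this context */
    int write_held;             /* 1 while this context holds the write side */
    const char *deadlock_at;    /* NULL when the path is clean */
};

/* Replay the steps of one execution context against a fresh lock state.
 * Returns 0 if the path can never self-deadlock on this lock, or -1 at the
 * first step that would block on a hold the same context already owns
 * (write-while-read, write-while-write, read-while-write). */
static int replay(const struct lock_step *steps, int n, struct lock_state *st)
{
    memset(st, 0, sizeof *st);
    for (int i = 0; i < n; i++) {
        switch (steps[i].op) {
        case RD_LOCK:
            if (st->write_held) { st->deadlock_at = steps[i].where; return -1; }
            st->read_depth++;
            break;
        case WR_LOCK:
            /* The write side waits for every reader, including the caller's own
             * read hold: this is exactly the __write_lock_failed spin in the trace. */
            if (st->read_depth > 0 || st->write_held) {
                st->deadlock_at = steps[i].where;
                return -1;
            }
            st->write_held = 1;
            break;
        case RD_UNLOCK:
            if (st->read_depth > 0) st->read_depth--;
            break;
        case WR_UNLOCK:
            st->write_held = 0;
            break;
        }
    }
    return 0;
}

/* The failing path as read off the report's call trace: the lookup takes the
 * read lock, then rt6_probe -> ndisc_send_skb -> icmp6_dst_alloc -> dst_alloc
 * -> ip6_dst_gc -> fib6_run_gc -> fib6_clean_all wants the write lock. */
static const struct lock_step buggy_path[] = {
    { RD_LOCK,   "ip6_pol_route"  },
    { WR_LOCK,   "fib6_clean_all" },
    { WR_UNLOCK, "fib6_clean_all" },
    { RD_UNLOCK, "ip6_pol_route"  },
};
static const int buggy_path_len = sizeof buggy_path / sizeof buggy_path[0];

/* Assumed mitigation pattern (illustration only, not the upstream fix): the
 * lookup drops its read hold before any work that may run garbage collection,
 * so the write acquisition happens with no conflicting hold in this context. */
static const struct lock_step deferred_path[] = {
    { RD_LOCK,   "ip6_pol_route"  },
    { RD_UNLOCK, "ip6_pol_route"  },
    { WR_LOCK,   "fib6_clean_all" },
    { WR_UNLOCK, "fib6_clean_all" },
};
static const int deferred_path_len = sizeof deferred_path / sizeof deferred_path[0];

/* Convenience wrappers so the result of each path can be inspected by name. */
int check_buggy_path(struct lock_state *st)
{
    return replay(buggy_path, buggy_path_len, st);
}

int check_deferred_path(struct lock_state *st)
{
    return replay(deferred_path, deferred_path_len, st);
}

int main(void)
{
    struct lock_state st;
    if (check_buggy_path(&st) < 0)
        printf("buggy path: self-deadlock at %s (read_depth=%d)\n",
               st.deadlock_at, st.read_depth);
    if (check_deferred_path(&st) == 0)
        printf("deferred path: clean\n");
    return 0;
}
```

Run stand-alone it prints the offending function for the first path and "clean" for the second. The same replay logic generalises to any rwlock whose write side is reachable from under its own read side; in a real kernel the equivalent check is what lockdep performs at runtime, and a sleeping or spinning write acquisition inside a read-locked region is the signature to look for when triaging a hang that shows __write_lock_failed at the top of the stack.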