lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070104145747.280d5928.akpm@osdl.org>
Date:	Thu, 4 Jan 2007 14:57:47 -0800
From:	Andrew Morton <akpm@...l.org>
To:	Bernhard Schmidt <berni@...kenwald.de>
Cc:	netfilter-devel@...ts.netfilter.org, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [Bug] OOPS with nf_conntrack_ipv6, probably fragmented UDPv6

On Thu, 04 Jan 2007 17:58:23 +0100
Bernhard Schmidt <berni@...kenwald.de> wrote:

> Hi,
> 
> I've hit another kernel oops with 2.6.20-rc3 on i386 platform. It is 
> reproducible, as soon as I load nf_conntrack_ipv6 and try to send 
> something large (scp or so) inside an OpenVPN tunnel on my client 
> (patched with UDPv6 transport) the router (another box) OOPSes.
> 
> tcpdump suggests the problem appears as soon as my client sends 
> fragmented UDPv6 packets towards the destination. It does not happen 
> when nf_conntrack_ipv6 is not loaded. This is the OOPS as dumped from 
> the serial console:
> 
> heimdall login: Oops: 0000 [#1]
> Modules linked in: sit sch_red sch_htb pppoe pppox ppp_generic slhc 
> xt_CLASSIFY ipt_TOS xt_length ipt_tos ipt_TCPMSS xt_tcpudp 
> ipt_MASQUERADE xt_state iptable_mangle iptable_filter
>   iptable_nat nf_nat nf_conntrack_ipv4 ip_tables x_tables 
> nf_conntrack_ipv6 nf_conntrack nfnetlink
> CPU:    0
> EIP:    0060:[<00000001>]    Not tainted VLI
> EFLAGS: 00010246   (2.6.20-rc3 #2)
> EIP is at 0x1
> eax: cd215bc0   ebx: cd1f3160   ecx: cc59002a   edx: cd215bc0
> esi: cd215bc0   edi: cd215bc0   ebp: 00000000   esp: c030bd3c
> ds: 007b   es: 007b   ss: 0068
> Process swapper (pid: 0, ti=c030a000 task=c02e93a0 task.ti=c030a000)
> Stack: c0212cc4 00000004 cc83f160 cd2130c0 cd215bc0 cd2130c0 cd215bc0 
> c021734b
>         c030bdb4 c0307a60 0000000a cceee800 cceee800 cd215bc0 cd1f3160 
> 00000000
>         c021896b c0307a60 cd215bc0 cd215bc0 cceee800 cd1f3160 c025f1c6 
> 00000000
> Call Trace:
>   [<c0212cc4>] __kfree_skb+0x84/0xe0
>   [<c021734b>] dev_hard_start_xmit+0x1bb/0x1d0
>   [<c021896b>] dev_queue_xmit+0x11b/0x1b0
>   [<c025f1c6>] ip6_output2+0x276/0x2b0
>   [<c025ed30>] ip6_output_finish+0x0/0xf0
>   [<c025fc0a>] ip6_output+0x90a/0x940
>   [<c013e9e5>] cache_alloc_refill+0x2c5/0x3f0
>   [<c0212eed>] pskb_expand_head+0xdd/0x130
>   [<c02608d5>] ip6_forward+0x465/0x4b0
>   [<c02618c6>] ip6_rcv_finish+0x16/0x30
>   [<ce81a056>] nf_ct_frag6_output+0x86/0xb0 [nf_conntrack_ipv6]
>   [<c02618b0>] ip6_rcv_finish+0x0/0x30
>   [<ce81911b>] ipv6_defrag+0x3b/0x50 [nf_conntrack_ipv6]
>   [<c02618b0>] ip6_rcv_finish+0x0/0x30
>   [<c022c618>] nf_iterate+0x38/0x70
>   [<c02618b0>] ip6_rcv_finish+0x0/0x30
>   [<c022c75d>] nf_hook_slow+0x4d/0xc0
>   [<c02618b0>] ip6_rcv_finish+0x0/0x30
>   [<c0261ac0>] ipv6_rcv+0x1e0/0x250
>   [<c02618b0>] ip6_rcv_finish+0x0/0x30
>   [<c0217068>] netif_receive_skb+0x1a8/0x200
>   [<c021868e>] process_backlog+0x6e/0xe0
>   [<c0218752>] net_rx_action+0x52/0xd0
>   [<c0113885>] __do_softirq+0x35/0x80
>   [<c01138f2>] do_softirq+0x22/0x30
>   [<c010453e>] do_IRQ+0x5e/0x70
>   [<c0102b33>] common_interrupt+0x23/0x30
>   [<c0101820>] default_idle+0x0/0x40
>   [<c0101847>] default_idle+0x27/0x40
>   [<c0101017>] cpu_idle+0x37/0x50
>   [<c030c676>] start_kernel+0x266/0x270
>   [<c030c200>] unknown_bootoption+0x0/0x210
>   =======================
> Code:  Bad EIP value.
> EIP: [<00000001>] 0x1 SS:ESP 0068:c030bd3c
>   <0>Kernel panic - not syncing: Fatal exception in interrupt
>   <0>Rebooting in 20 seconds..<4>atkbd.c: Spurious ACK on 
> isa0060/serio0. Some program might be trying access hardware directly.
> 

At a guess I'd say that skb->nfct->destroy has value 0x00000001.  Not a
good function address.

Presumably it is suppsoed to be zero...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ