lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 08 Jan 2007 23:33:18 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Peter Osterlund <petero2@...ia.com>
CC:	Linus Torvalds <torvalds@...l.org>,
	"David S. Miller" <davem@...emloft.net>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Netfilter Development Mailinglist 
	<netfilter-devel@...ts.netfilter.org>
Subject: Re: Linux 2.6.20-rc4

Linus Torvalds wrote:
> On Sun, 7 Jan 2007, Peter Osterlund wrote:
> 
>>I get kernel panics when doing large ethernet transfers. A loop doing
>>continuous scp transfers of some large (>100MB) files makes the kernel
>>crash after a few minutes. scp runs on a different machine and copies
>>data from the machine that crashes. (The first crash did not happen
>>when scp was used, but scp is an easy way to reproduce the problem.)
>>
>>I've seen this crash also with 2.6.20-rc2-git-something. Previously I
>>ran these kernels quite a lot and used a ppp link without problems.
>>Today I started using eth0 and the crashes started to occur. I have
>>netfilter rules for ppp0, but no rules for eth0. Earlier kernels have
>>been working perfectly for large eth0 transfers on this machine.
>>
>>Hand copied data from the console:
>>
>>  BUG: unable to handle kernel paging request at virtual address 9f5cea9f
>>   printing eip:
>>  c034c729
>>  *pde = 00000000
>>  Ooops: 0000 [#1]
>>  PREEMPT
>>  Modules linked in: ... 8139too ...
>>  CPU: 0
>>  EIP: 0060:[<c034c729>] Not tainted VLI
>>  EFALLGS: 00010206 (2.6.20-rc4 #13)
>>  EIP is at ipv4_conntrack_help+0x6b/0x83
>>  eax: c0475e44 ebx: 9f5cea37 ecx: d1dcebb0 edx: 00000014
>>  esi: d1dcebb0 edi: c0475e44 ebp: c0475dd8 esp: c0475dc4
> 
> 
> That's 
> 
> 	and    $0xf,%dl
> 	movzbl %dl,%edx
> 	lea    (%ecx,%edx,4),%edx
> 	movzbl %bl,%eax
> 	mov    %eax,(%esp)
> 	mov    %esi,%ecx
> 	mov    %edi,%eax
> 	mov    0xfffffff0(%ebp),%ebx
> **	call   *0x68(%ebx)		**
> 	add    $0x8,%esp
> 	pop    %ebx
> 	pop    %esi
> 	pop    %edi
> 	pop    %ebp
> 	ret
> 
> which is ipv4_conntrack_help():
> 
> 	return help->helper->help(pskb,
> 		(*pskb)->nh.raw - (*pskb)->data
> 				+ (*pskb)->nh.iph->ihl*4,
> 		ct, ctinfo);
> 
> and that call instruction is the one that oopses because "help->helper" is 
> corrupt (it's 0x9f5cea37 - not a valid kernel pointer).


I guess its because of an uninitialized helper field in struct
nf_conntrack_expect, which is then copied from the expectation to
the conntrack entry.

Peter, do you have locally generated netbios ns queries on the machine
running nf_conntrack? If so, please try this patch. Otherwise, are
there any other conntrack helpers that are actually used?


View attachment "x" of type "text/plain" (1204 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ