lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 20 Aug 2007 18:08:08 +0200
From:	Thomas Jarosch <thomas.jarosch@...ra2net.com>
To:	linux-kernel@...r.kernel.org
Cc:	netfilter-devel@...ts.netfilter.org
Subject: Kernel oops during netfilter memory allocation

Hey there,

I'm currently debugging a kernel oops with kernel 2.6.21.7 that occurs
from time to time with our netfilter accounting module ipt_ACCOUNT 
(http://www.intra2net.com/de/produkte/opensource/ipt_account/).

What basically happens is that the module allocates memory
inside an interrupt handler like many other netfilter modules do.
Except that it does it very often if you have a large, busy network.

To me it looks like I found a bug in the kernel memory handler.
I've written a minimalistic netfilter module ipt_CRASH that
just allocates and frees memory to demonstrate the problem.

Here's a screenshot of the oops:
http://img231.imageshack.us/img231/9064/kerneloopsiptcrashzb1.jpg

Another shot of it with a "tainted" kernel:
http://img529.imageshack.us/img529/6681/kerneloopsey1.jpg

I would have included the backtrace as text, but unfortunately
the USB serial console dies before it outputs anything useful.

You need a fast machine with lots of RAM to reproduce it, I used a 3 Ghz 
machine with 3 GB of RAM. ipt_CRASH allocates and frees memory for every 
packet, a packet generator like "sendip" might help:
http://www.earth.li/projectpurple/progs/sendip.html

The machine dies after 15-30 minutes or as soon as I try to reboot it.

Please CC: answers, I'm only on netfilter-devel.

Thanks in advance,
Thomas

Download attachment "crashit.sh" of type "application/x-shellscript" (172 bytes)

View attachment "libipt_CRASH.c" of type "text/x-csrc" (2082 bytes)

View attachment "ipt_CRASH.c" of type "text/x-csrc" (3106 bytes)

View attachment "ipt_CRASH.h" of type "text/x-chdr" (843 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ