Message-ID: <562CA13C.90500@wiesinger.com>
Date:	Sun, 25 Oct 2015 10:30:36 +0100
From:	Gerhard Wiesinger <lists@...singer.com>
To:	Willy Tarreau <w@....eu>, Greg KH <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	torvalds@...ux-foundation.org, stable@...r.kernel.org, lwn@....net,
	Jiri Slaby <jslaby@...e.cz>
Subject: Re: Linux 4.2.4

On 25.10.2015 10:03, Willy Tarreau wrote:
> On Sun, Oct 25, 2015 at 01:25:47AM -0700, Greg KH wrote:
>> On Sun, Oct 25, 2015 at 08:25:49AM +0100, Gerhard Wiesinger wrote:
>>> On 23.10.2015 02:33, Greg KH wrote:
>>>> I'm announcing the release of the 4.2.4 kernel.
>>>>
>>>> All users of the 4.2 kernel series must upgrade.
>>>>
>>>> The updated 4.2.y git tree can be found at:
>>>> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.2.y
>>>> and can be browsed at the normal kernel.org git web browser:
>>>> 	http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
>>>>
>>>> thanks,
>>>>
>>>> greg k-h
>>>>
>>> Hello Greg,
>>>
>>> Kernel 4.2.4 is still broken regarding iptables/ipset:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1272645
>>>
>>> Kernel 4.1.10 works well.
>>>
>>> Please fix it ASAP.
>> Fix it with what patch?
> It's not even sure there's a patch for this. There were numerous changes
> to ipset between 4.1 and 4.2 and very few in 4.3-rc, and you backported
> them all. Also, Gerhard's trace in the bugzilla report above is very
> poor, there's just one line of the panic, nothing exploitable at all,
> nothing even indicates that it is related to ipset at all.

Sorry, don't have any more information. From the bugzilla report:
Message from syslogd@arm at Oct 24 20:05:09 ...
  kernel:Process ipset (pid: 2055, stack limit = 0xe8404220)

So ipset has a problem ...


> Gerhard, it would be easier if you could bisect between 4.1 and 4.2 to
> find what patch introduced the regression if you can easily reproduce
> the issue. That would make it more obvious what to look at and the
> patch author might have some ideas about the real problem.
>
>

The device is in production so I can't play around here. Nevertheless I
can try a patch. But it should be easy to reproduce in a developer's testing
environment with shorewall/netfilter and ipset. As shorewall6 is
activated it might also be an IPv6 issue.

Kernel 4.2 seems to me not well tested in the netfilter parts at all 
(Bug with already known bugfix 
https://lists.debian.org/debian-kernel/2015/10/msg00034.html was 
triggered on 2 of 3 of my machines, the new bug on 1 of 1 tested machine).

Ciao,
Gerhard
