lists.openwall.net: Open Source and information security mailing list archives
Date:	Tue, 1 May 2007 13:22:30 +0200
From:	Eric Sesterhenn / Snakebyte <snakebyte@....de>
To:	netdev@...r.kernel.org
Subject: BUG with ipv6 jumbo frames over loopback

Hi,

With the double skb_free() issue fixed, I ran some more ip6sic
tests; after a while I hit the following:

[  346.941000] Oops: 0000 [#1]
[  346.941000] PREEMPT 
[  346.941000] Modules linked in:
[  346.941000] CPU:    0
[  346.941000] EIP:    0060:[<c05ce396>]    Not tainted VLI
[  346.941000] EFLAGS: 00010246   (2.6.21-g40caf5ea #3)
[  346.941000] EIP is at ipv6_hop_jumbo+0x26/0x180
[  346.941000] eax: 00000000   ebx: c93ce978   ecx: 00000001   edx:
00000103
[  346.941000] esi: c8ca2126   edi: 0000008c   ebp: c0816f14   esp:
c0816f04
[  346.941000] ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
[  346.941000] Process ip6sic (pid: 4959, ti=c0816000 task=c9ea4aa0
task.ti=c8c2e000)
[  346.941000] Stack: c945a400 c0816f34 c07bf33c 0000002a c0816f3c
c05cdb9f c0816f6c c07bf334 
[  346.941000]        c93ce978 c8ca20fc 00000496 c93ce978 c0816f6c
c93ce9b4 c0816f4c c05ce6f1 
[  346.941000]        00000000 cf8cfd84 c0816f7c c05ada2e 00000001
00000514 c07a3be0 00000506 
[  346.941000] Call Trace:
[  346.941000]  [<c010490a>] show_trace_log_lvl+0x1a/0x30
[  346.941000]  [<c01049c9>] show_stack_log_lvl+0xa9/0xd0
[  346.941000]  [<c0104c0c>] show_registers+0x21c/0x3a0
[  346.941000]  [<c0104e94>] die+0x104/0x260
[  346.941000]  [<c0116087>] do_page_fault+0x277/0x610
[  346.941000]  [<c062a75c>] error_code+0x74/0x7c
[  346.941000]  [<c05cdb9f>] ip6_parse_tlv+0xef/0x130
[  346.941000]  [<c05ce6f1>] ipv6_parse_hopopts+0x41/0xb0
[  346.941000]  [<c05ada2e>] ipv6_rcv+0x1be/0x370
[  346.941000]  [<c053978b>] netif_receive_skb+0x21b/0x2b0
[  346.941000]  [<c053b6e2>] process_backlog+0x82/0xf0
[  346.941000]  [<c053b97b>] net_rx_action+0xab/0x1c0
[  346.941000]  [<c01209a2>] __do_softirq+0x62/0xc0
[  346.941000]  [<c010632a>] do_softirq+0x8a/0xf0
[  346.941000]  [<c0120c96>] local_bh_enable+0xa6/0x160
[  346.941000]  [<c053bb28>] dev_queue_xmit+0x98/0x330
[  346.941000]  [<c05dfe38>] packet_sendmsg+0x208/0x260
[  346.941000]  [<c052eb05>] sock_sendmsg+0xc5/0xf0
[  346.941000]  [<c052ee0f>] sys_sendto+0xbf/0xe0
[  346.941000]  [<c052fd37>] sys_socketcall+0x187/0x260
[  346.941000]  [<c0104194>] sysenter_past_esp+0x5d/0x99
[  346.941000]  =======================
[  346.941000] Code: 90 8d 74 26 00 55 89 e5 56 53 83 ec 08 8b 18 8b 4b
78 8d 34 11 80 7e 01 04 74 3b a1 30 7c 7c c0 85 c0 0f 85 7d 00 00 00 8b
43 1c <8b> 80 8c 00 00 00 85 c0 74 09 8b 80 38 01 00 00 ff 40 08 a1 04 
[  346.941000] EIP: [<c05ce396>] ipv6_hop_jumbo+0x26/0x180 SS:ESP
0068:c0816f04
[  346.953000] Kernel panic - not syncing: Fatal exception in interrupt


It looks like packets coming via the loopback interface don't have
skb->dst set; therefore we crash in ipv6_hop_jumbo() in exthdrs.c
doing:

IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);

the ip6_dst_idev() call dereferences skb->dst which is not set, causing
the oops and hardlocking the box.

The obvious fix would be to make ip6_dst_idev() return NULL if the
parameter is NULL, since IP6_INC_STATS_BH() can handle a NULL argument,
but I'm not sure if this would be correct.

To reproduce use: ip6sic -i lo -d ::1 -p 100000 -r 4959
It should crash at 92.4%. I was unable to capture the stuff, since the
box locks up hard; if I find a faster testcase I'll let you know.

Greetings, Eric

-- 
 www.cobra-basket.de -- just my stuff
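The failure mode and the fix the report proposes, as an added stand-alone C model (not the kernel's code and not the reporter's): a NULL `dst` reaches the header-error accounting in the jumbo-option path, so the interface lookup must tolerate NULL and the counter increment must accept a NULL interface. The structures and function names ending in `_model` are constructed for this illustration; the real kernel uses per-CPU SNMP counters behind the `IP6_INC_STATS_BH()` macro, which this model collapses into a plain array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not the kernel's own structures): a per-interface
 * IPv6 statistics block and the route cache entry that points at it. */
enum { IPSTATS_MIB_INHDRERRORS = 0, IPSTATS_MIB_MAX };

struct inet6_dev {
    uint64_t mib[IPSTATS_MIB_MAX];
};

struct dst_entry {
    struct inet6_dev *idev;   /* the model allows this to be NULL as well */
};

/* Model of the fix proposed in the report: when the route entry is
 * missing (the loopback case), return NULL instead of dereferencing it. */
static struct inet6_dev *ip6_dst_idev_model(const struct dst_entry *dst)
{
    return dst ? dst->idev : NULL;
}

/* Model of the stats increment: a NULL interface means there is nothing
 * to charge the error to, so it is a no-op rather than a dereference. */
static void ip6_inc_stats_model(struct inet6_dev *idev, int field)
{
    if (idev)
        idev->mib[field]++;
}

/* Model of the error branch in ipv6_hop_jumbo(): record a header error
 * against the inbound interface, then signal "drop" by returning 0
 * (the return convention is the model's, not the kernel's). */
static int jumbo_error_path_model(const struct dst_entry *dst)
{
    ip6_inc_stats_model(ip6_dst_idev_model(dst), IPSTATS_MIB_INHDRERRORS);
    return 0;
}

/* Run the error path once, with or without a dst attached, and return
 * the interface's header-error count afterwards. With no dst there is
 * no interface to charge, so the count stays 0 and nothing is touched. */
static uint64_t run_model(int attach_dst)
{
    struct inet6_dev idev = { {0} };
    struct dst_entry dst = { &idev };

    jumbo_error_path_model(attach_dst ? &dst : NULL);
    return idev.mib[IPSTATS_MIB_INHDRERRORS];
}

int main(void)
{
    printf("with dst:    %llu header error(s)\n",
           (unsigned long long)run_model(1));
    printf("without dst: %llu header error(s), no dereference of NULL\n",
           (unsigned long long)run_model(0));
    return 0;
}
```

The two guards are independent: `ip6_dst_idev_model()` protects against a missing route entry, and `ip6_inc_stats_model()` protects against a route entry whose interface pointer is NULL. Either one alone leaves a path to the oops shown in the trace.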