lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 14 May 2007 13:24:45 -0700 (PDT)
From:	Curtis Doty <Curtis@...enKey.net>
To:	Patrick McHardy <kaber@...sh.net>
cc:	James Morris <jmorris@...ei.org>, netdev@...r.kernel.org
Subject: Re: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr
 (fwd)

8:46pm Patrick McHardy said:

> James Morris wrote:
>> ---------- Forwarded message ----------
>> Date: Mon, 14 May 2007 08:15:50 -0700 (PDT)
>> From: Curtis Doty <Curtis@...enKey.net>
>> To: Linux Kernel <linux-kernel@...r.kernel.org>
>> Subject: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr
>>
>> Summary: On a multi-homed box, after turning on
>> /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr, it now periodically oopses
>> when trying to lookup the source address to use for sending an ICMP in response
>> to a jump ipt_REJECT.
>>
>> I'm still trying to figure out what makes this test case unique. It spuriously
>> occurs with many fedora builds of 2.6.{18,19,20} all of which don't appear to
>> have any patches in this area of the kernel. Just _maybe_ it's because of a
>> combination of dogleg routing and overloading one vlan with multiple subnets:
>>
>> [..]
>>
>> BUG: unable to handle kernel NULL pointer dereference at virtual address
>> 000000a8
>> [...]
>> EIP is at inet_select_addr+0x4/0x9f
>> eax: 00000000   ebx: f8b97046   ecx: 000000fd   edx: 00000000
>> esi: 000000fd   edi: 00000001   ebp: f71cd0ac   esp: c078bc9c
>> ds: 007b   es: 007b   ss: 0068
>> Process swapper (pid: 0, ti=c078b000 task=c06fc480 task.ti=c0746000)
>> Stack: f8b97046 f601b130 c05fd0b6 f728b980 f728b980 f8b5adbb c05bcb6e c078bd74
>>        00000003 00000003 00000246 00000246 00000000 f887e014 f8a611a6 f7c1ea80
>>        f728b9a8 00000000 f727d220 f887e000 00000001 00000072 f7383800 f728b980
>> Call Trace:
>>  [<f8b97046>] reject+0x0/0x4ae [ipt_REJECT]
>>  [<c05fd0b6>] icmp_send+0x14d/0x39b
>
>
> A REJECT target in the output chain will trigger this in combination
> with icmp_errors_use_inbound_ifaddr because skb->dev is still NULL
> at this point and its passed to inet_select_addr.
>

Indeed, thanks!

curtis@...t~$ nc kernel.org 42
BUG: unable to handle kernel NULL pointer dereference at virtual address 000000a8
  printing eip:
c05fe72b
*pde = 00000000
Oops: 0000 [#1]
...

And for now, the easy userland workaround is to add '-i ! eth+ -j DROP' 
just before any jumps to REJECT. This now causes delays/timeouts for any 
forbidden outbound traffic. But it's better than an oops.

Now I'm off to figure out what daemon is trying to make these odd 
connections...or if netfilter/conntrack is periodically scrambling its 
brains.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ