lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <464C884D.4010100@trash.net>
Date:	Thu, 17 May 2007 18:52:29 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	"David S. Miller" <davem@...emloft.net>
CC:	netdev@...r.kernel.org, James Morris <jmorris@...ei.org>,
	Curtis Doty <Curtis@...enKey.net>
Subject: Re: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr
 (fwd)

Patrick McHardy wrote:
>>>BUG: unable to handle kernel NULL pointer dereference at virtual address
>>>000000a8
>>>[...]
>>>EIP is at inet_select_addr+0x4/0x9f
>>>Call Trace:
>>>[<f8b97046>] reject+0x0/0x4ae [ipt_REJECT]
>>>[<c05fd0b6>] icmp_send+0x14d/0x39b
>>
>>
>>A REJECT target in the output chain will trigger this in combination
>>with icmp_errors_use_inbound_ifaddr because skb->dev is still NULL
>>at this point and its passed to inet_select_addr.
>>
>>I'll look into this.
> 
> 
> 
> saddr = iph->daddr;
> if (!(rt->rt_flags & RTCF_LOCAL)) {
>         if (sysctl_icmp_errors_use_inbound_ifaddr)
> 
> 
>                 saddr = inet_select_addr(skb_in->dev, 0, RT_SCOPE_LINK);
>         else
>                 saddr = 0;
> }
> 
> Fixing the crash is easy, the right thing to do when skb->dev
> is not set is to let routing choose the address because the
> packet was locally generated and icmp_errors_use_inbound_ifaddr
> shouldn't apply (the crash can also happen with IPsec tunnels
> by the way).
> 
> This leaves the question what to do in the path after ip_output,
> when skb->dev points to the output device. We don't know the
> input device anymore, so there doesn't seem to be a way to make
> it do what the sysctl promises.


The last problem seems to be unfixable, so this patch fixes the crash
and adds a comment about the brokeness of this option.


View attachment "x" of type "text/plain" (1817 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ