| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <46F0087A.3080104@redhat.com>
Date: Tue, 18 Sep 2007 13:18:50 -0400
From: Chuck Ebbert <cebbert@...hat.com>
To: Netdev <netdev@...r.kernel.org>
Subject: SFQ qdisc crashes with limit of 2 packets
Limit of 1 is forbidden, crashes with 2, works with 3:
https://bugzilla.redhat.com/show_bug.cgi?id=219895
=========
If the defect is produced at a console (as in ctrl-alt-f<0-6>) a kernel stack
trace can be seen the moment "ping" is invoked. Since the stack trace is not
written to the /var/log/messages here's part of it (manually copied):
syscall_call(()
sys_socketcall()
sys_sendmsg()
sock_sendmsg()
inet_sendmsg()
raw_sendmsg()
ip_push_pending_frames()
ip_output()
neigh_resolve_output()
dev_queue_xmit()
__qdisc_run()
The location given in __qdisc_run() is 0x30/0x19b. The value given for EIP is
sfq_dequeue+0xf6/0x179 in the sch_sfq module.
>From disassembling sch_sfq.ko it seems that it is on line 360 of sch_sfq.c:
sch->qstats.backlog -= skb->len;
where "skb" is an invalid pointer:
net/sched/sch_sfq.c:360
194: ff 4d 28 decl 0x28(%ebp)
197: 8b 14 24 mov (%esp),%edx
19a: 8b 42 60 mov 0x60(%edx),%eax ** crash **
19d: 29 45 58 sub %eax,0x58(%ebp)
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists