Message-ID: <1302608951.3233.33.camel@edumazet-laptop>
Date: Tue, 12 Apr 2011 13:49:11 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Scot Doyle <lkml@...tdoyle.com>
Cc: Stephen Hemminger <shemminger@...tta.com>,
Hiroaki SHIMODA <shimoda.hiroaki@...il.com>,
netdev@...r.kernel.org, Jan Luebbe <jluebbe@...ian.org>
Subject: Re: Kernel panic when using bridge
On Tuesday, 12 April 2011 at 02:02 -0500, Scot Doyle wrote:
> On 04/12/2011 12:51 AM, Eric Dumazet wrote:
> >
> > Oh well, sorry (not enough time these days to even test patches)
> >
> > if (!skb_dst(skb)) {
>
> --- br_netfilter.c.a 2011-04-01 02:37:53.000000000 -0500
> +++ br_netfilter.c.b 2011-04-12 00:29:00.000000000 -0500
> @@ -221,6 +221,7 @@ static int br_parse_ip_options(struct sk
> struct ip_options *opt;
> struct iphdr *iph;
> struct net_device *dev = skb->dev;
> + struct rtable *rt;
> u32 len;
>
> iph = ip_hdr(skb);
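Review bot: `rt` is declared at function scope here but is only used inside the `if (!skb_dst(skb))` block that the next hunk adds. Declaring it inside that block would confine it to the one place where it holds a valid value.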
> @@ -255,6 +256,16 @@ static int br_parse_ip_options(struct sk
> return 0;
> }
>
> + /* Associate bogus bridge route table */
> + if (!skb_dst(skb)) {
> + rt = bridge_parent_rtable(dev);
> + if (!rt) {
> + kfree_skb(skb);
> + return 0;
> + }
> + skb_dst_set_noref(skb,&rt->dst);
> + }
> +
> opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
> if (ip_options_compile(dev_net(dev), opt, skb))
> goto inhdr_error;
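Review bot: in the `!rt` branch the skb is freed with kfree_skb() and the function then returns 0, the same value as the `return 0;` in the context just above, so the caller cannot tell that the skb is gone. If the caller treats 0 as "keep processing", it will go on to touch freed memory, whereas the ip_options_compile() failure two lines below takes `goto inhdr_error` instead. Suggest taking that same error path here (or returning a non-zero value and leaving the free to a single place), and adding a space after the comma in `skb_dst_set_noref(skb,&rt->dst)`.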
>
>
> Now we are making progress! With the patch above from Stephen and Eric,
> I cannot make the kernel panic when sending packets to the IP address of
> the bridge.
>
> However, if a guest virtual machine is sharing the bridge with the host
> via a tap device, I can cause a host panic by targeting the IP address
> of the guest. Is this an unrelated problem?
>
> Here are two kernel panics. The guest virtual machine was pingable
> before being attacked with IP Stack Checker's tcpsic command. Spanning
> Tree Protocol was off during the first panic and on during the second.
>
> ------------
>
> [ 606.921739] br0: port 2(tap0) entering forwarding state
> [ 636.058941] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff812c2781
> [ 636.058942]
> [ 636.069789] Pid: 2261, comm: kvm Tainted: G W 2.6.39-rc2+ #11
> [ 636.076292] Call Trace:
> [ 636.078725] <IRQ> [<ffffffff8132ad78>] ? panic+0x92/0x1a1
> [ 636.084287] [<ffffffff8104abe8>] ? _local_bh_enable_ip.clone.8+0x20/0x8c
> [ 636.091044] [<ffffffff812c2781>] ? icmp_send+0x337/0x349
> [ 636.096418] [<ffffffff810454e5>] ? __stack_chk_fail+0x17/0x17
> [ 636.102221] [<ffffffff812c2781>] ? icmp_send+0x337/0x349
> [ 636.107595] [<ffffffff81298527>] ? nf_iterate+0x41/0x7e
> [ 636.112883] [<ffffffff81298527>] ? nf_iterate+0x41/0x7e
> [ 636.118172] [<ffffffffa017b0d4>] ? br_flood+0xc8/0xc8 [bridge]
> [ 636.124065] [<ffffffffa017b250>] ? __br_deliver+0xb0/0xb0 [bridge]
> [ 636.130302] [<ffffffff812985d7>] ? nf_hook_slow+0x73/0x114
> [ 636.135850] [<ffffffffa017b250>] ? __br_deliver+0xb0/0xb0 [bridge]
> [ 636.142089] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.148586] [<ffffffffa017b250>] ? __br_deliver+0xb0/0xb0 [bridge]
> [ 636.154826] [<ffffffffa017b186>] ? NF_HOOK.clone.5+0x3c/0x56 [bridge]
> [ 636.161323] [<ffffffffa017bfe1>] ? br_handle_frame_finish+0x158/0x1c7 [bridge]
> [ 636.168601] [<ffffffffa0180689>] ? br_nf_pre_routing_finish+0x1d4/0x1e1 [bridge]
> [ 636.176052] [<ffffffffa017fc76>] ? NF_HOOK_THRESH+0x3b/0x55 [bridge]
> [ 636.182463] [<ffffffffa0180c84>] ? br_nf_pre_routing+0x3be/0x3cb [bridge]
> [ 636.189307] [<ffffffff812985d7>] ? nf_hook_slow+0x73/0x114
> [ 636.194852] [<ffffffff81298527>] ? nf_iterate+0x41/0x7e
> [ 636.200139] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.206637] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.213133] [<ffffffff812985d7>] ? nf_hook_slow+0x73/0x114
> [ 636.218679] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.225177] [<ffffffffa017bfe1>] ? br_handle_frame_finish+0x158/0x1c7 [bridge]
> [ 636.232455] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.238954] [<ffffffffa017be6f>] ? NF_HOOK.clone.4+0x3c/0x56 [bridge]
> [ 636.245452] [<ffffffff812a7d8e>] ? tcp_gro_receive+0xa1/0x204
> [ 636.251258] [<ffffffffa017c1e5>] ? br_handle_frame+0x195/0x1ac [bridge]
> [ 636.257928] [<ffffffffa017c050>] ? br_handle_frame_finish+0x1c7/0x1c7 [bridge]
> [ 636.265204] [<ffffffff812764ef>] ? __netif_receive_skb+0x2a7/0x450
> [ 636.271443] [<ffffffff81276928>] ? netif_receive_skb+0x52/0x58
> [ 636.277335] [<ffffffff81276e2a>] ? napi_gro_receive+0x1f/0x2f
> [ 636.283139] [<ffffffff812769ff>] ? napi_skb_finish+0x1c/0x31
> [ 636.288865] [<ffffffffa0241fcd>] ? igb_poll+0x6d9/0x9ee [igb]
> [ 636.294673] [<ffffffffa003bde2>] ? scsi_run_queue+0x2ce/0x30a [scsi_mod]
> [ 636.301431] [<ffffffffa017be89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 636.307930] [<ffffffff812764ef>] ? __netif_receive_skb+0x2a7/0x450
> [ 636.314168] [<ffffffff81276f55>] ? net_rx_action+0xa4/0x1b1
> [ 636.319800] [<ffffffff8104ad26>] ? __do_softirq+0xb8/0x176
> [ 636.325346] [<ffffffff81333c5c>] ? call_softirq+0x1c/0x30
> [ 636.330807] [<ffffffff8100aa57>] ? do_softirq+0x3f/0x84
> [ 636.336092] [<ffffffff8104af91>] ? irq_exit+0x3f/0x8f
> [ 636.341204] [<ffffffff8100a793>] ? do_IRQ+0x85/0x9e
> [ 636.346146] [<ffffffff8132cbd3>] ? common_interrupt+0x13/0x13
> [ 636.351949] <EOI> [<ffffffff81271f58>] ? arch_local_irq_save+0x12/0x1b
> [ 636.358629] [<ffffffff8100a9f2>] ? arch_local_irq_restore+0x2/0x8
> [ 636.364781] [<ffffffff8127680d>] ? netif_rx_ni+0x1e/0x27
> [ 636.370154] [<ffffffffa01557d2>] ? tun_get_user+0x3a3/0x3cb [tun]
> [ 636.376305] [<ffffffffa0155bd8>] ? tun_get_socket+0x3b/0x3b [tun]
> [ 636.382457] [<ffffffffa0155c36>] ? tun_chr_aio_write+0x5e/0x79 [tun]
> [ 636.388869] [<ffffffff810f6b07>] ? do_sync_readv_writev+0x9a/0xd5
> [ 636.395021] [<ffffffff810371f3>] ? need_resched+0x1a/0x23
> [ 636.400481] [<ffffffff8132b725>] ? _cond_resched+0x9/0x20
> [ 636.405941] [<ffffffff810f5f77>] ? copy_from_user+0x18/0x30
> [ 636.411573] [<ffffffff8115fbf6>] ? security_file_permission+0x18/0x33
> [ 636.418068] [<ffffffff810f6d55>] ? do_readv_writev+0xa4/0x11a
> [ 636.423873] [<ffffffff810f7913>] ? fput+0x1a/0x1a2
> [ 636.428726] [<ffffffff810f6f39>] ? sys_writev+0x45/0x90
> [ 636.434012] [<ffffffff81332a52>] ? system_call_fastpath+0x16/0x1b
>
> ------------
>
> [ 110.442839] br0: port 2(tap0) entering forwarding state
> [ 136.948700] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff812c2781
> [ 136.948702]
> [ 136.959561] Pid: 1093, comm: md123_resync Not tainted 2.6.39-rc2+ #11
> [ 136.965977] Call Trace:
> [ 136.968408] <IRQ> [<ffffffff8132ad78>] ? panic+0x92/0x1a1
> [ 136.973970] [<ffffffff8104abe8>] ? _local_bh_enable_ip.clone.8+0x20/0x8c
> [ 136.980727] [<ffffffff812c2781>] ? icmp_send+0x337/0x349
> [ 136.986102] [<ffffffff810454e5>] ? __stack_chk_fail+0x17/0x17
> [ 136.991906] [<ffffffff812c2781>] ? icmp_send+0x337/0x349
> [ 136.997281] [<ffffffff81298527>] ? nf_iterate+0x41/0x7e
> [ 137.002570] [<ffffffffa0198fe1>] ? br_handle_frame_finish+0x158/0x1c7 [bridge]
> [ 137.009847] [<ffffffffa019d689>] ? br_nf_pre_routing_finish+0x1d4/0x1e1 [bridge]
> [ 137.017297] [<ffffffffa019cc76>] ? NF_HOOK_THRESH+0x3b/0x55 [bridge]
> [ 137.023707] [<ffffffffa019dc84>] ? br_nf_pre_routing+0x3be/0x3cb [bridge]
> [ 137.030551] [<ffffffff81298527>] ? nf_iterate+0x41/0x7e
> [ 137.035837] [<ffffffff8103704d>] ? test_tsk_need_resched+0xe/0x17
> [ 137.041991] [<ffffffffa0198e89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 137.048488] [<ffffffffa0198e89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 137.054984] [<ffffffff812985d7>] ? nf_hook_slow+0x73/0x114
> [ 137.060531] [<ffffffffa0198e89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 137.067028] [<ffffffffa0198e89>] ? NF_HOOK.clone.4+0x56/0x56 [bridge]
> [ 137.073526] [<ffffffffa0198e6f>] ? NF_HOOK.clone.4+0x3c/0x56 [bridge]
> [ 137.080023] [<ffffffff812a7d8e>] ? tcp_gro_receive+0xa1/0x204
> [ 137.085830] [<ffffffffa01991e5>] ? br_handle_frame+0x195/0x1ac [bridge]
> [ 137.092500] [<ffffffffa0199050>] ? br_handle_frame_finish+0x1c7/0x1c7 [bridge]
> [ 137.099776] [<ffffffff812764ef>] ? __netif_receive_skb+0x2a7/0x450
> [ 137.106013] [<ffffffff81276928>] ? netif_receive_skb+0x52/0x58
> [ 137.111906] [<ffffffff81276e2a>] ? napi_gro_receive+0x1f/0x2f
> [ 137.117713] [<ffffffff812769ff>] ? napi_skb_finish+0x1c/0x31
> [ 137.123438] [<ffffffffa0226fcd>] ? igb_poll+0x6d9/0x9ee [igb]
> [ 137.129243] [<ffffffff8109034f>] ? handle_irq_event+0x40/0x55
> [ 137.135049] [<ffffffff8132cbd3>] ? common_interrupt+0x13/0x13
> [ 137.140854] [<ffffffff81276f55>] ? net_rx_action+0xa4/0x1b1
> [ 137.146487] [<ffffffff8104ad26>] ? __do_softirq+0xb8/0x176
> [ 137.152034] [<ffffffff81333c5c>] ? call_softirq+0x1c/0x30
> [ 137.157494] [<ffffffff8100aa57>] ? do_softirq+0x3f/0x84
> [ 137.162779] [<ffffffff8104af91>] ? irq_exit+0x3f/0x8f
> [ 137.167893] [<ffffffff8100a793>] ? do_IRQ+0x85/0x9e
> [ 137.172833] [<ffffffff8132cbd3>] ? common_interrupt+0x13/0x13
> [ 137.178636] <EOI> [<ffffffff8106fc1a>] ? arch_local_irq_restore+0x2/0x8
> [ 137.185408] [<ffffffffa0050fca>] ? _scsih_qcmd+0x54f/0x561 [mpt2sas]
> [ 137.191823] [<ffffffffa01e452f>] ? scsi_dispatch_cmd+0x180/0x219 [scsi_mod]
> [ 137.198841] [<ffffffffa01ea385>] ? scsi_request_fn+0x3e6/0x413 [scsi_mod]
> [ 137.205683] [<ffffffff81187470>] ? elv_rqhash_add.clone.15+0x26/0x4c
> [ 137.212095] [<ffffffff8118bde2>] ? __blk_run_queue+0x5e/0x84
> [ 137.217814] [<ffffffff8118d63c>] ? __make_request+0x273/0x28f
> [ 137.223619] [<ffffffff8118b569>] ? generic_make_request+0x267/0x2e1
> [ 137.229943] [<ffffffff8105eb49>] ? remove_wait_queue+0x11/0x4d
> [ 137.235837] [<ffffffffa0002417>] ? raise_barrier+0x162/0x16f [raid1]
> [ 137.242246] [<ffffffff8103eba4>] ? try_to_wake_up+0x17c/0x17c
> [ 137.248052] [<ffffffffa0002f2f>] ? sync_request+0x567/0x583 [raid1]
> [ 137.254379] [<ffffffffa00bd834>] ? md_do_sync+0x776/0xb8e [md_mod]
> [ 137.260617] [<ffffffff8100e537>] ? sched_clock+0x5/0x8
> [ 137.265819] [<ffffffffa00bde83>] ? md_thread+0xfa/0x118 [md_mod]
> [ 137.271886] [<ffffffffa00bdd89>] ? md_rdev_init+0x8f/0x8f [md_mod]
> [ 137.278124] [<ffffffffa00bdd89>] ? md_rdev_init+0x8f/0x8f [md_mod]
> [ 137.284362] [<ffffffff8105e497>] ? kthread+0x7a/0x82
> [ 137.289390] [<ffffffff81333b64>] ? kernel_thread_helper+0x4/0x10
> [ 137.295454] [<ffffffff8105e41d>] ? kthread_worker_fn+0x149/0x149
> [ 137.301519] [<ffffffff81333b60>] ? gs_change+0x13/0x13
>

Considering recent changes in ip_options_echo(), I would suggest adding the
following patch and/or reverting commit 8628bd8af7c4c14f40
(ipv4: Fix IP timestamp option (IPOPT_TS_PRESPEC) handling in
ip_options_echo())

Thanks

diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 28a736f..35f2bf9 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -200,6 +200,11 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
*dptr++ = IPOPT_END;
dopt->optlen++;
}
+ if (unlikely(dopt->optlen > 40)) {
+ pr_err("ip_options_echo() fatal error optlen=%u > 40\n", dopt->optlen);
+ print_hex_dump(KERN_ERR, "ip options: ", DUMP_PREFIX_OFFSET,
+ 16, 1, dopt->__data, dopt->optlen, false);
+ }
return 0;
}
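Review bot: the `optlen > 40` check sits after the last write through `dptr` (`*dptr++ = IPOPT_END; dopt->optlen++;`), so by the time it fires any overrun of the option area has already happened, and the function still returns 0. That is fine for confirming the suspicion, but print_hex_dump() is then asked to read `dopt->optlen` bytes from `dopt->__data`, which the condition says is more than 40; capping the dump length at 40 would keep the diagnostic itself in bounds. Because the condition is driven by received packets, the pr_err() should also be rate limited, and an eventual fix needs the length check before the copy rather than after it.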