lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1306155058.20687.8.camel@edumazet-laptop>
Date:	Mon, 23 May 2011 14:50:58 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Denys Fedoryshchenko <denys@...p.net.lb>
Cc:	netdev@...r.kernel.org, hadi@...erus.ca
Subject: Re: 2.6.38.x, 2.6.39 sfq? kernel panic in sfq_enqueue

Le lundi 23 mai 2011 à 14:32 +0200, Eric Dumazet a écrit :

> Ouch, thats an ip_fragment() bug I am afraid... nothing to do with SFQ
> 
> It calls 
> 
> err = output(skb);
> 
> and a bit later does :
> 
> skb = frag;
> frag = skb->next;   // thats completely illegal here !
> skb->next = NULL;
> 
> I am cooking a patch and send it in a couple of minutes.

Oh well, false alarm, I am still trying to understand the case.

Some other reports would be appreciated, because here is the strange
thing :

[ 4461.969603] Code: b6 70 10 
3b b3 08 01 00 00 
0f 8d df 01 00 00 jge ....

41 8b 74 24 28    mov 0x28(%r12),%esi       qdisc_pkt_len(skb)
01 b3 b4 00 00 00                       sch->qstats.backlog += qdisc_pkt_len(skb);

RAX = slot
R12 = SKB

48 8b 70 08       mov    0x8(%rax),%rsi     slot->skblist_prev
49 89 04 24       mov    %rax,(%r12)        skb->next = (struct sk_buff *)slot;
49 89 74 24 08    mov    %rsi,0x8(%r12)     skb->prev = slot->skblist_prev;
48 8b 70 08       mov    0x8(%rax),%rsi     slot->skblist_prev   (refetch)

<4c> 89 26        mov    %r12,(%rsi)         slot->skblist_prev->next = skb;  // CRASH

0f b6 f2          movzbl %dl,%esi
4c 89 60 08       mov    %r12,0x8(%rax)      slot->skblist_prev = skb;
48 8d 3c 76       lea
48 8d bc fb 90 01 00



And in your report RAX = R12 !!! (ffff8801172a7d08) I cant see how it
can happen (Its not even a valid skb address, since an SKB should be
64bytes aligned)

If available a disassembly of sfq_enqueue() would be appreciated too ;)

Thanks !


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ