lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4EF23BF2.4000601@bootc.net>
Date:	Wed, 21 Dec 2011 20:05:06 +0000
From:	Chris Boot <bootc@...tc.net>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	lkml <linux-kernel@...r.kernel.org>,
	netdev <netdev@...r.kernel.org>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in ipv6_select_ident

On 21/12/2011 18:00, Eric Dumazet wrote:
> Le mercredi 21 décembre 2011 à 18:36 +0100, Eric Dumazet a écrit :
>
>> Good point, thats a different problem then, since 3.1 is not supposed to
>> have this bug.
>>
>> It seems rt->rt6i_peer points to invalid memory in your crash.
>>
>> (RBX=00000000000001f4)
>>
>> 8b 83 a4 00 00 00       mov    0xa4(%rbx),%eax    p->refcnt
>> 1f4+a4 ->  CR2=0000000000000298
>>
> It would help if you can confirm latest linux tree can reproduce the
> bug.

Hi Eric,

I just built a v3.2-rc6-140-gb9e26df with the same config as the Debian 
3.1.0 kernel. I can reproduce the bug just as easily with this kernel as 
with the Debian kernel. Unfortunately I wasn't able to get an entire 
trace, for some reason it didn't appear to be printed to the serial port 
and hung after the (long) list of loaded kernel modules. The crash 
happens at the same offset:

[  356.683420] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000298
[  356.691438] IP: [<ffffffff812ea0da>] ipv6_select_ident+0x31/0xa7
[  356.697633] PGD 425060067 PUD 41de8d067 PMD 0
[  356.702123] Oops: 0000 [#1] SMP
[  356.705451] CPU 4
[  356.707366] Modules linked in: tun sha1_ssse3 sha1_generic hmac 
sha256_generic dlm configfs ebtable_nat ebtables acpi_cpufreq mperf 
cpufreq_stats cpufreq_conservative cpufreq_powersave cpufreq_userspace 
microcode xt_NOTRACK ip_set_hash_net act_police cls_basic cls_flow 
cls_fw cls_u32 sch_tbf sch_prio sch_htb sch_hfsc sch_ingress sch_sfq 
xt_realm xt_addrtype xt_connlimit iptable_raw ip_set_hash_ip xt_comment 
ipt_ULOG ipt_REJECT ipt_REDIRECT ipt_NETMAP ipt_MASQUERADE ipt_ECN 
ipt_ecn ipt_CLUSTERIP ipt_ah nf_nat_tftp nf_nat_snmp_basic 
nf_conntrack_snmp xt_recent nf_nat_sip nf_nat_pptp nf_nat_proto_gre 
nf_nat_irc nf_nat_h323 nf_nat_ftp nf_nat_amanda ip6_queue xt_set ip_set 
nf_conntrack_tftp nf_conntrack_sip nf_conntrack_sane 
nf_conntrack_proto_udplite nf_conntrack_proto_sctp nf_conntrack_pptp 
nf_conntrack_proto_gre nf_conntrack_netlink nf_conntrack_netbios_ns 
nf_conntrack_broadcast nf_conntrack_irc nf_conntrack_h323 
nf_conntrack_ftp ts_kmp xt_NFLOG nfnetlink_log nf_conntrack_amanda 
xt_TPROXY nf_tproxy_core xt_time xt_TCPMSS xt_tcpmss xt_sctp xt_policy 
xt_pkttype xt_physdev xt_owner xt_NFQUEUE xt_multiport xt_mark xt_mac 
xt_limit xt_length xt_iprange xt_helper xt_hashlimit xt_DSCP xt_dscp 
xt_dccp xt_connmark ip6t_LOG xt_CLASSIFY ip6t_REJECT xt_AUDIT 
nf_conntrack_ipv6

I loaded the kernel in gdb to see where it thought that was:

(gdb) list *ipv6_select_ident+0x31/0xa7
0xffffffff812ea0a9 is in ipv6_select_ident (net/ipv6/ip6_output.c:602).
597
598             return offset;
599     }
600
601     void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
602     {
603             static atomic_t ipv6_fragmentation_id;
604             int old, new;
605
606             if (rt) {

HTH,
Chris

-- 
Chris Boot
bootc@...tc.net

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ