lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 07 Jun 2013 17:49:13 -0400
From:	Brian Haley <brian.haley@...com>
To:	Tommi Rantala <tt.rantala@...il.com>
CC:	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Eric Dumazet <eric.dumazet@...il.com>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>,
	Dave Jones <davej@...hat.com>
Subject: Re: ipv6 && kernel BUG at net/core/skbuff.c:126!

On 06/07/2013 02:33 PM, Tommi Rantala wrote:
> Hello,
> 
> Hit this while fuzzing v3.10-rc4-214-g1612e11 (plus a one-liner
> af_netlink patch from Patrick McHardy, that I hope is not related to
> this bug).
> 
> Tommi

> [19491.615447] Call Trace:
> [19491.616273]  [<ffffffff81eb6243>] skb_push+0x33/0x40
> [19491.617840]  [<ffffffff81fc402c>] ip6_push_pending_frames+0x20c/0x4b0
> [19491.619768]  [<ffffffff81119c55>] ? local_bh_enable+0xc5/0xf0
> [19491.621476]  [<ffffffff81fdf650>] udp_v6_push_pending_frames+0x390/0x3a0
> [19491.623475]  [<ffffffff81119c55>] ? local_bh_enable+0xc5/0xf0
> [19491.625236]  [<ffffffff81fdf2c0>] ? compat_udpv6_setsockopt+0x30/0x30
> [19491.627153]  [<ffffffff81f60812>] udp_lib_setsockopt+0xc2/0x1d0
> [19491.628965]  [<ffffffff81fdf67d>] udpv6_setsockopt+0x1d/0x30
> [19491.630674]  [<ffffffff81eb33bf>] sock_common_setsockopt+0xf/0x20
> [19491.632577]  [<ffffffff81ead7e6>] SyS_setsockopt+0x96/0xe0
> [19491.634376]  [<ffffffff822a47a9>] system_call_fastpath+0x16/0x1b

Does something as simple below crash?  It at least tickles the code path from
what I can tell.

-Brian


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>

main()
{
	int s, cork, err, flags = 0;
	struct sockaddr_in6 sin6 = {0};
	char *buf = "1234546789";

	s = socket(AF_INET6, SOCK_DGRAM, 0);
	if (s < 0) {
		perror("socket");
		exit(1);
	}

	cork = 1;
	err = setsockopt(s, SOL_UDP, UDP_CORK, &cork, sizeof(cork));
	if (err < 0) {
		perror("setsockopt");
		goto out;
	}

	sin6.sin6_family = AF_INET6;
	sin6.sin6_port = htons(1234);
	err = sendto(s, buf, strlen(buf), flags,
			(const struct sockaddr *)&sin6,
			sizeof(sin6));
	if (err < 0) {
		perror("sendto");
		goto out;
	}

	cork = 0;
	err = setsockopt(s, SOL_UDP, UDP_CORK, &cork, sizeof(cork));
	if (err < 0)
		perror("setsockopt");

out:
	close(s);
	exit(0);
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ