| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Oct 2018 02:40:12 -0700
From: Maciej Żenczykowski <zenczykowski@...il.com>
To: Florian Westphal <fw@...len.de>
Cc: Lorenzo Colitti <lorenzo@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Linux NetDev <netdev@...r.kernel.org>
Subject: Re: crash in xt_policy due to skb_dst_drop() in nf_ct_frag6_gather()
> That is not supposed to happen.
# uname -a
Linux (none) 4.9.119 #3 Tue Oct 16 02:34:36 PDT 2018 x86_64 GNU/Linux
root@(none)# ip6tables -A OUTPUT -m policy --dir out --pol ipsec
root@(none)# python -c "import os, socket;
ip='00000000000000000000000000000001';
x='6001234504d82c40'+ip+ip+'3a000001a1224d20' + 'ff'*(1280-40-8);
y='6001234500092c40'+ip+ip+'3a0004d0a1224d20' + 'ff';
s=socket.socket(socket.AF_INET6,socket.SOCK_RAW,socket.IPPROTO_RAW);
s.sendto(x.decode('hex'),('::1',0,0,1));
s.sendto(y.decode('hex'),('::1',0,0,1));"
Modules linked in:
Pid: 297, comm: python Not tainted 4.9.119
RIP: 0033:[<0000000060272eca>]
RSP: 00000000802afa10 EFLAGS: 00010246
RAX: 0000000060492fa8 RBX: 0000000060272c6f RCX: 00000000803a12a8
RDX: 00000000803a1288 RSI: 00000000802afa98 RDI: 0000000080314d00
RBP: 00000000802afa40 R08: 0000000000000001 R09: 0100000000000000
R10: 0000000000000000 R11: 00000000803a12a8 R12: 0000000000010002
R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
Kernel panic - not syncing: Kernel mode fault at addr 0x48, ip 0x60272eca
CPU: 0 PID: 297 Comm: python Not tainted 4.9.119 #3
Stack:
800d5000 803a11e0 80314d00 803a1000
00000000 00000000 802afb00 6031afe1
00000000 803a1288 803a100c 100000003
Call Trace:
[<6031afe1>] ip6t_do_table+0x2a3/0x3d4
[<6026d440>] ? netfilter_net_init+0xbe/0x14f
[<6026d4d1>] ? nf_iterate+0x0/0x5c
[<6031cca5>] ip6table_filter_hook+0x21/0x23
[<6026d509>] nf_iterate+0x38/0x5c
[<6026d561>] nf_hook_slow+0x34/0xa2
[<6003166c>] ? set_signals+0x0/0x3f
[<6003165d>] ? get_signals+0x0/0xf
[<603048b0>] rawv6_sendmsg+0x842/0xc4b
[<60033d15>] ? wait_stub_done+0x40/0x10a
[<60021176>] ? copy_chunk_from_user+0x23/0x2e
[<60021153>] ? copy_chunk_from_user+0x0/0x2e
[<6030307f>] ? dst_output+0x0/0x11
[<602b0926>] inet_sendmsg+0x1e/0x5c
[<600fe15f>] ? __fdget+0x15/0x17
[<602264b9>] sock_sendmsg+0xf/0x62
[<602279aa>] SyS_sendto+0x108/0x140
[<600389c2>] ? arch_switch_to+0x2b/0x2e
[<60367ff4>] ? __schedule+0x428/0x44f
[<60367bcc>] ? __schedule+0x0/0x44f
[<60021125>] handle_syscall+0x79/0xa7
[<6003445c>] userspace+0x3bb/0x453
[<6001dd92>] ? interrupt_end+0x0/0x94
[<6001dc42>] fork_handler+0x85/0x87
Powered by blists - more mailing lists