lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2bc9e2079e864a9290561894d2a602d6@akamai.com>
Date: Fri, 1 Nov 2024 16:28:54 +0000
From: "Mortensen, Christian" <cworm@...mai.com>
To: "davem@...emloft.net" <davem@...emloft.net>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Stackoverflow when using seg6 routes

Hi!

I can consistently reproduce a stack-overflow in the kernel when using seg6 routes. I was hit by the bug in a stock 5.15.0-119 Ubuntu kernel. I reproduced it in QEMU using a custom 6.11.3 kernel. I have not tried other kernels.

Here is output from the 6.11.3 kernel:

BUG: IRQ stack guard page was hit at (____ptrval____) (stack is (____ptrval____)..(____ptrval____))
Oops: stack guard page: 0000 [#1] PREEMPT SMP PTI
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:fib_table_lookup+0x25/0x640
Code: 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 49 89 f8 49 89 f1 41 56 41 55 41 54 55 53 48 83 ec 58 48 8b 6f 28 44 8b 76 2c <89> 0c 24 48 8b 5d 08 48 85 db 0f 84 82 00 00 00 49 89 d2 45 31 e4
RSP: 0018:ffffa81e000f4fe0 EFLAGS: 00010282
RAX: ffff940dc2d9b600 RBX: ffff940dc1d7d9c0 RCX: 0000000000000001
RDX: ffffa81e000f5128 RSI: ffffa81e000f5158 RDI: ffff940dc2d9b600
RBP: ffff940dc2d9b630 R08: ffff940dc2d9b600 R09: ffffa81e000f5158
R10: ffff940dc6882200 R11: ffff940dc3360000 R12: 00000000fffffff5
R13: ffffa81e000f5158 R14: 000000000101a8c0 R15: ffff940dc793b080
FS:  0000000000000000(0000) GS:ffff940e79c80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa81e000f4fd8 CR3: 000000000ce2c000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <#DF>
 ? die+0x37/0x90
 ? handle_stack_overflow+0x4d/0x60
 ? exc_double_fault+0xe3/0x150
 ? asm_exc_double_fault+0x23/0x30
 ? fib_table_lookup+0x25/0x640
 </#DF>
 <IRQ>
 ? fib_table_lookup+0x223/0x640
 fib4_rule_action+0x7c/0xa0
 fib_rules_lookup+0x1db/0x260
 __fib_lookup+0x5f/0x90
 __fib_validate_source+0x2e0/0x410
 ? fib4_rule_action+0x84/0xa0
 ? fib_rules_lookup+0x106/0x260
 fib_validate_source+0x55/0x110
 ip_route_input_slow+0x69b/0xb60
 ip_route_input_noref+0x79/0x80
 input_action_end_dt4+0x8c/0x180
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0

(MANY SIMILAR LINES OMITTED)

 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 seg6_local_input_core+0x34/0x70
 lwtunnel_input+0x62/0xb0
 lwtunnel_input+0x62/0xb0
 __netif_receive_skb_one_core+0x6b/0x80
 process_backlog+0x8a/0x130
 __napi_poll+0x2c/0x1b0
 net_rx_action+0x2e6/0x350
 ? sched_balance_domains+0xe9/0x350
 handle_softirqs+0xc4/0x290
 irq_exit_rcu+0x67/0x90
 sysvec_apic_timer_interrupt+0x75/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0xf/0x20
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 26 26 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffa81e000b3ef0 EFLAGS: 00000202
RAX: ffff940e79c80000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffffb5a2e8a9 RDI: 0000000000d4f884
RBP: ffff940dc0384000 R08: 0000000000d4f884 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 default_idle_call+0x30/0xf0
 do_idle+0x1b1/0x1c0
 cpu_startup_entry+0x29/0x30
 start_secondary+0xf5/0x100
 common_startup_64+0x13e/0x148
 </TASK>
Modules linked in: veth vrf
---[ end trace 0000000000000000 ]---
RIP: 0010:fib_table_lookup+0x25/0x640
Code: 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 49 89 f8 49 89 f1 41 56 41 55 41 54 55 53 48 83 ec 58 48 8b 6f 28 44 8b 76 2c <89> 0c 24 48 8b 5d 08 48 85 db 0f 84 82 00 00 00 49 89 d2 45 31 e4
RSP: 0018:ffffa81e000f4fe0 EFLAGS: 00010282
RAX: ffff940dc2d9b600 RBX: ffff940dc1d7d9c0 RCX: 0000000000000001
RDX: ffffa81e000f5128 RSI: ffffa81e000f5158 RDI: ffff940dc2d9b600
RBP: ffff940dc2d9b630 R08: ffff940dc2d9b600 R09: ffffa81e000f5158
R10: ffff940dc6882200 R11: ffff940dc3360000 R12: 00000000fffffff5
R13: ffffa81e000f5158 R14: 000000000101a8c0 R15: ffff940dc793b080
FS:  0000000000000000(0000) GS:ffff940e79c80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa81e000f4fd8 CR3: 000000000ce2c000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x33000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

The following script consistently reproduces the problem for me. It is probably not minimal:

#!/bin/bash

# Make a network namespace
ip netns delete network
ip netns add network
ip netns exec network ip link add br0 type bridge
ip netns exec network ip link set br0 up

# Setup host1:
ip netns delete host1
ip netns add host1
ip netns exec network ip link add host1 type veth peer frr0 netns host1
ip netns exec host1 ip addr add dev frr0 fe80::1
ip netns exec host1 ip link set dev frr0 address 00:00:01:00:00:01
ip netns exec host1 ip link set frr0 up
ip netns exec network ip link set host1 master br0
ip netns exec network ip link set host1 up
ip netns exec host1 ip l set dev lo up
ip netns exec host1 sysctl net.ipv4.ip_forward=1
ip netns exec host1 sysctl net.ipv4.conf.all.rp_filter=0
ip netns exec host1 sysctl net.ipv6.conf.all.forwarding=1
ip netns exec host1 sysctl net.ipv4.conf.default.log_martians=1
ip netns exec host1 sysctl net.vrf.strict_mode=1
ip netns exec host1 ip addr add dev lo fc00::1:6:0:0:1
ip netns exec host1 ip link add vrf9 type vrf table 1009
ip netns exec host1 ip link set vrf9 up
ip netns exec host1 ip r add fc00:0:0:1:7:: encap seg6local action End.DT4 vrftable 1009 dev vrf9 proto bgp metric 20 pref medium
ip netns exec host1 ip r add 192.168.2.1 encap seg6 mode encap segs fc00:0:0:1:7:: via inet6 fe80::2 dev frr0 vrf vrf9

# Setup pseduo-vm on host1
ip netns delete host1_1
ip netns add host1_1
ip netns exec host1 ip link add vm1 type veth peer eth0 netns host1_1
ip netns exec host1 ip link set vm1 master vrf9
ip netns exec host1 ip link set vm1 up
ip netns exec host1_1 ip link set eth0 up
ip netns exec host1 sysctl net.ipv4.conf.vm1.proxy_arp=1
ip netns exec host1_1 ip addr add dev eth0 192.168.1.1/16
ip netns exec host1 ip route add 192.168.1.1/32 dev vm1 vrf vrf9

# Setup host2
ip netns delete host2
ip netns add host2
ip netns exec network ip link add host2 type veth peer frr0 netns host2
ip netns exec host2 ip addr add dev frr0 fe80::2
ip netns exec host2 ip link set dev frr0 address 00:00:01:00:00:02
ip netns exec host2 ip link set frr0 up
ip netns exec network ip link set host2 master br0
ip netns exec network ip link set host2 up
ip netns exec host2 ip l set dev lo up
ip netns exec host2 sysctl net.ipv4.ip_forward=1
ip netns exec host2 sysctl net.ipv4.conf.all.rp_filter=0
ip netns exec host2 sysctl net.ipv6.conf.all.forwarding=1
ip netns exec host2 sysctl net.ipv4.conf.default.log_martians=1
ip netns exec host2 sysctl net.vrf.strict_mode=1
ip netns exec host2 ip addr add dev lo fc00::2:6:0:0:1
ip netns exec host2 ip link add vrf9 type vrf table 1009
ip netns exec host2 ip link set vrf9 up
ip netns exec host2 ip r add fc00:0:0:1:7:: encap seg6local action End.DT4 vrftable 1009 dev vrf9 proto bgp metric 20 pref medium
ip netns exec host2 ip r add 192.168.1.1 encap seg6 mode encap segs fc00:0:0:1:7:: via inet6 fe80::1 dev frr0 vrf vrf9

# Setup pseduo-vm on host2:
ip netns delete host2_1
ip netns add host2_1
ip netns exec host2 ip link add vm1 type veth peer eth0 netns host2_1
ip netns exec host2 ip link set vm1 master vrf9
ip netns exec host2 ip link set vm1 up
ip netns exec host2_1 ip link set eth0 up
ip netns exec host2 sysctl net.ipv4.conf.vm1.proxy_arp=1
ip netns exec host2_1 ip addr add dev eth0 192.168.2.1/16
ip netns exec host2 ip route add 192.168.2.1/32 dev vm1 vrf vrf9
ip netns exec host1_1 ip a add 192.168.254.254 dev eth0

# Setup routes between host1 and host2:
ip netns exec host1 ip -6 route add fc00:0:0:2::/64 dev frr0 nexthop via fe80::2
ip netns exec host1 ip neigh add fe80::2 lladdr 00:00:01:00:00:02 dev frr0
ip netns exec host2 ip -6 route add fc00:0:0:1::/64 dev frr0 nexthop via fe80::1
ip netns exec host2 ip neigh add fe80::1 lladdr 00:00:01:00:00:01 dev frr0

# And ping
ip netns exec host1_1 ping 192.168.2.1


Best

Christian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ