Hi,

A ping6 with a too large packet immediately crashes the kernel when the packet doesn't fit into the IPSEC tunnel:

leto:/root # ping -s 1500 server6
PING server6(xxx) 1500 data bytes
Unable to handle kernel NULL pointer dereference at virtual address 000000f0
 printing eip:
c044ff56
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: ipt_REJECT ipt_state twofish serpent blowfish sha256 iptable_filter ip_tables snd_pcm_oss snc_mixer_oss snd_seq_dummy snd_seq_oss snd_seq_midi snd_seq_midi_event snd_seq snd_seq_device snd_intel8x0 snd_ac97_codec snd_pcm snd_timer snd snd_page_alloc ext3 jbd ehci_hcd uhci_hcd ip_conntrack_irc ip_conntrack_ftp aes_i586 airo eepro100
CPU:    0
EIP:    0060:[<c044ff56>]    Not tainted VLI
EFLAGS: 00010202   (2.6.12-rc4-cs1)
EIP is at icmpv6_send+0x346/0x560
eax: 00000000   ebx: c6511c10   ecx: c6460cc0   edx: c6510000
esi: 000004d0   edi: 000000ff   ebp: c6511c24   esp: c6511b80
ds: 007b   es: 007b   ss: 0068
Process ping6 (pid: 10700, threadinfo=c6510000 task=c99b0580)
Stack: 00000000 c61097c0 c6511b98 c03ae08f ce1cad9c ce1cadd0 c6511c00 00000000
       00000002 c6460cc0 00020001 cfd9ccc0 cfd9cea0 00000000 00000000 00000000
       f8060120 0110b113 ff500702 c664d5fe f8060120 0110b113 ff500702 c664d5fe
Call Trace:
 [<c0103fb6>] show_stack+0xa6/0xe0
 [<c010416b>] show_registers+0x15b/0x1f0
 [<c010437d>] die+0xdd/0x170
 [<c0118a83>] do_page_fault+0x233/0x6e6
 [<c0103baf>] error_code+0x4f/0x54
 [<c0460991>] xfrm6_tunnel_check_size+0x41/0x50
 [<c04609d1>] xfrm6_output+0x31/0x1d0
 [<c0439fe3>] ip6_push_pending_frames+0x253/0x3f0
 [<c044e468>] rawv6_push_pending_frames+0x178/0x1e0
 [<c044edb5>] rawv6_sendmsg+0x595/0x7a0
 [<c0411957>] inet_sendmsg+0x37/0x60
 [<c03c50d2>] sock_sendmsg+0xb2/0xe0
 [<c03c6445>] sys_sendto+0xa5/0xc0
 [<c03c6c44>] sys_socketcall+0x184/0x260
 [<c01030ab>] sysenter_past_esp+0x54/0x75

The oops occurs in line 391 in net/ipv6/icmp.c:

> idev = in6_dev_get(skb->dev);

It seems skb->dev is NULL here, so that in6_dev_get (include/net/addrconf.h) crashes when trying to dereference dev->ip6_ptr.

Disassembled icmp.o, crash at 0x5e6:

> net/ipv6/icmp.c:391
>  5c3: 29 c6                   sub    %eax,%esi
>  5c5: 81 fe d0 04 00 00       cmp    $0x4d0,%esi
>  5cb: 0f 86 ff 00 00 00       jbe    6d0 <icmpv6_send+0x430>
>  5d1: be d0 04 00 00          mov    $0x4d0,%esi
> net/ipv6/icmp.c:398
>  5d6: 8b 4d 80                mov    0xffffff80(%ebp),%ecx
> current_thread_info():
> include/asm/thread_info.h:91
>  5d9: ba 00 e0 ff ff          mov    $0xffffe000,%edx
>  5de: 21 e2                   and    %esp,%edx
> icmpv6_send():
> net/ipv6/icmp.c:398
>  5e0: 8b 41 18                mov    0x18(%ecx),%eax
> include/net/addrconf.h:138
>  5e3: ff 42 14                incl   0x14(%edx)
> include/net/addrconf.h:139
>  5e6: 8b 98 f0 00 00 00       mov    0xf0(%eax),%ebx
> include/net/addrconf.h:140
>  5ec: 85 db                   test   %ebx,%ebx
>  5ee: 74 03                   je     5f3 <icmpv6_send+0x353>
> atomic_inc():

icmpv6_send is called by xfrm6_tunnel_check_size:

> icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);

The kernel is compiled with the latest gcc 4.0 snapshot, so there's still the possibility that a miscompilation is involved though everything else works fine.
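A user-space model of the path described above, added here as an illustration and not code from the kernel or from the report: the struct layout is an assumption chosen so that ip6_ptr sits at offset 0xf0, which is the displacement in the faulting `mov 0xf0(%eax),%ebx` and the fault address in the oops header, and the guarded variant is one possible defensive check on the NULL skb->dev, not the upstream fix.

```c
#include <stddef.h>
#include <stdio.h>

struct inet6_dev { int refcnt; };

/* Stand-in for struct net_device (assumption): padding places ip6_ptr at
 * offset 0xf0, the displacement in "mov 0xf0(%eax),%ebx" from the report. */
struct net_device {
    unsigned char pad[0xf0];
    struct inet6_dev *ip6_ptr;
};

/* With dev == NULL the load reads 0 + this offset; compare with the oops
 * header "NULL pointer dereference at virtual address 000000f0". */
size_t ip6_ptr_fault_offset(void) { return offsetof(struct net_device, ip6_ptr); }

/* Model of in6_dev_get(): dereferences dev unconditionally, as the report's
 * include/net/addrconf.h:139 does, so passing NULL faults here. */
struct inet6_dev *in6_dev_get_model(struct net_device *dev)
{
    struct inet6_dev *idev = dev->ip6_ptr;
    if (idev)
        idev->refcnt++;
    return idev;
}

/* Defensive caller-side check (assumption, not the upstream fix): an skb from
 * xfrm6_tunnel_check_size() with dev == NULL yields NULL, so icmpv6_send()
 * can drop the PKT_TOOBIG error instead of oopsing. */
struct inet6_dev *in6_dev_get_guarded(struct net_device *dev)
{
    if (!dev) return NULL;
    return in6_dev_get_model(dev);
}

/* Valid device: guarded path behaves like the original, refcount 0 -> 1. */
int guarded_refcount_demo(void)
{
    struct inet6_dev i6 = { 0 };
    struct net_device dev = { { 0 }, &i6 };
    struct inet6_dev *idev = in6_dev_get_guarded(&dev);
    return idev ? idev->refcnt : -1;
}

int main(void)
{
    printf("fault offset 0x%zx, guarded(NULL)=%p, refcnt=%d\n", ip6_ptr_fault_offset(),
           (void *)in6_dev_get_guarded(NULL), guarded_refcount_demo());
    return 0;
}
```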