| 1 |
On 25 Apr 2006 at 7:27, pageexec@××××××××.hu wrote: |
| 2 |
>> I'll try this afternoon to add various other patches from the |
| 3 |
>> hardened-patches-2.6.14-7.extras.tar.bz2 series to see which one is |
| 4 |
>> responsible. |
| 5 |
>> |
| 6 |
> |
| 7 |
> i decoded the oops stack trace and it seems that the code where the |
| 8 |
> problem triggered (not necessarily the culprit) has something to do |
| 9 |
> with netfilter/bridging/ipv6. are there known problems in that area? |
| 10 |
|
| 11 |
I encountered a problem like this that I resolved a few weeks ago |
| 12 |
when I decided to get 2.6.14-hardened-r7 to work (r6 had the same |
| 13 |
problem, but I stuck to r5 until r7 came out). I have a bridge set up |
| 14 |
for use with openvpn. |
| 15 |
|
| 16 |
One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6 |
| 17 |
and r7 apply to the vanilla 2.6.14 modifies the function |
| 18 |
br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a way |
| 19 |
that made my hardened server crash whenever I attempted to ssh to it |
| 20 |
(over IPv6). Looking at the upstream source for the kernel (2.6.16.9 |
| 21 |
from kernel.org), the patch appears to have been reverted back or |
| 22 |
never applied. |
| 23 |
I changed the patched part to look like the upstream sources (which |
| 24 |
also looks like 2.6.14-hardened-r5), and that stopped the kernel |
| 25 |
panic. The patch calls skb_pull() rather than skb_push(), which I |
| 26 |
suspect filled up a buffer rather than empty it. |
| 27 |
|
| 28 |
The following diff shows how I reverted the patch, and my server |
| 29 |
hasn't panicked since then. |
| 30 |
|
| 31 |
-B.J. Orvis |
| 32 |
|
| 33 |
diff -urd linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c |
| 34 |
linux-2.6.14-hardened-r7-bridgemod/net/bridge/br_netfilter.c |
| 35 |
--- linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c 2006-05-01 |
| 36 |
16:25:54.000000000 -0700 |
| 37 |
+++ linux-2.6.14-hardened-r7-bridgemod/net/bridge/ |
| 38 |
br_netfilter.c 2006-05-01 16:35:07.000000000 -0700 |
| 39 |
@@ -116,17 +116,30 @@ |
| 40 |
dst_hold(skb->dst); |
| 41 |
skb->dev = nf_bridge->physindev; |
| 42 |
- if (!skb->dev) |
| 43 |
- kfree_skb(skb); |
| 44 |
- else { |
| 45 |
- if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
| 46 |
- skb_pull(skb, VLAN_HLEN); |
| 47 |
- skb->nh.raw += VLAN_HLEN; |
| 48 |
- } |
| 49 |
- skb->dst->output(skb); |
| 50 |
+ /* the following has been shifted back to how it is in |
| 51 |
hardened-sources |
| 52 |
+ * 2.6.14-r5. r6 and r7 cause a crash that i think happens |
| 53 |
here. In the |
| 54 |
+ * 2.6.16.9 official linux kernel, this part is switched |
| 55 |
back, and the |
| 56 |
+ * patch that applied the change is supposed to fix a race |
| 57 |
condition |
| 58 |
+ * that doesnt quite look like this. maybe the if (!skb-dev) |
| 59 |
check is |
| 60 |
+ * ok, but i'm trying out looking like upstream first. |
| 61 |
+ * 1431_15.4_bridge-netfilter-race.patch |
| 62 |
+ */ |
| 63 |
+/* if (!skb->dev) |
| 64 |
+ * kfree_skb(skb); |
| 65 |
+ * else { |
| 66 |
+ * if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
| 67 |
+ * skb_pull(skb, VLAN_HLEN); |
| 68 |
+ * skb->nh.raw += VLAN_HLEN; |
| 69 |
+ * } |
| 70 |
+ * skb->dst->output(skb); |
| 71 |
+ */ |
| 72 |
+ if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
| 73 |
+ skb_push(skb, VLAN_HLEN); |
| 74 |
+ skb->nh.raw -= VLAN_HLEN; |
| 75 |
+ /* end of change */ |
| 76 |
} |
| 77 |
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, |
| 78 |
NULL, |
| 79 |
- br_handle_frame_finish, 1); |
| 80 |
+ br_handle_frame_finish, 1); |
| 81 |
return 0; |
| 82 |
} |
| 83 |
|
| 84 |
-- |
| 85 |
gentoo-hardened@g.o mailing list |
Archives