On 25 Apr 2006 at 7:27, pageexec@××××××××.hu wrote:
>> I'll try this afternoon to add various other patches from the
>> hardened-patches-2.6.14-7.extras.tar.bz2 series to see which one is
>> responsible.
>>
>
> i decoded the oops stack trace and it seems that the code where the
> problem triggered (not necessarily the culprit) has something to do
> with netfilter/bridging/ipv6. are there known problems in that area?

I encountered a problem like this that I resolved a few weeks ago
when I decided to get 2.6.14-hardened-r7 to work (r6 had the same
problem, but I stuck to r5 until r7 came out). I have a bridge set up
for use with openvpn.

One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6
and r7 apply to the vanilla 2.6.14 modifies the function
br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a way
that made my hardened server crash whenever I attempted to ssh to it
(over IPv6). Looking at the upstream source for the kernel (2.6.16.9
from kernel.org), the patch appears to have been reverted or
never applied.
I changed the patched part to look like the upstream sources (which
also looks like 2.6.14-hardened-r5), and that stopped the kernel
panic. The patch calls skb_pull() rather than skb_push(), which I
suspect filled up a buffer rather than emptying it.

The following diff shows how I reverted the patch, and my server
hasn't panicked since then.

-B.J. Orvis
32 |
|
33 |
diff -urd linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c |
34 |
linux-2.6.14-hardened-r7-bridgemod/net/bridge/br_netfilter.c |
35 |
--- linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c 2006-05-01 |
36 |
16:25:54.000000000 -0700 |
37 |
+++ linux-2.6.14-hardened-r7-bridgemod/net/bridge/ |
38 |
br_netfilter.c 2006-05-01 16:35:07.000000000 -0700 |
39 |
@@ -116,17 +116,30 @@ |
40 |
dst_hold(skb->dst); |
41 |
skb->dev = nf_bridge->physindev; |
42 |
- if (!skb->dev) |
43 |
- kfree_skb(skb); |
44 |
- else { |
45 |
- if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
46 |
- skb_pull(skb, VLAN_HLEN); |
47 |
- skb->nh.raw += VLAN_HLEN; |
48 |
- } |
49 |
- skb->dst->output(skb); |
50 |
+ /* the following has been shifted back to how it is in |
51 |
hardened-sources |
52 |
+ * 2.6.14-r5. r6 and r7 cause a crash that i think happens |
53 |
here. In the |
54 |
+ * 2.6.16.9 official linux kernel, this part is switched |
55 |
back, and the |
56 |
+ * patch that applied the change is supposed to fix a race |
57 |
condition |
58 |
+ * that doesnt quite look like this. maybe the if (!skb-dev) |
59 |
check is |
60 |
+ * ok, but i'm trying out looking like upstream first. |
61 |
+ * 1431_15.4_bridge-netfilter-race.patch |
62 |
+ */ |
63 |
+/* if (!skb->dev) |
64 |
+ * kfree_skb(skb); |
65 |
+ * else { |
66 |
+ * if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
67 |
+ * skb_pull(skb, VLAN_HLEN); |
68 |
+ * skb->nh.raw += VLAN_HLEN; |
69 |
+ * } |
70 |
+ * skb->dst->output(skb); |
71 |
+ */ |
72 |
+ if (skb->protocol == __constant_htons(ETH_P_8021Q)) { |
73 |
+ skb_push(skb, VLAN_HLEN); |
74 |
+ skb->nh.raw -= VLAN_HLEN; |
75 |
+ /* end of change */ |
76 |
} |
77 |
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, |
78 |
NULL, |
79 |
- br_handle_frame_finish, 1); |
80 |
+ br_handle_frame_finish, 1); |
81 |
return 0; |
82 |
} |
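Review bot: the revert drops the `if (!skb->dev)` guard together with the rest of the r7 block, so a NULL `nf_bridge->physindev` now reaches `NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, ...)` as the indev; the in-code comment already suspects that check is fine to keep, and it is, provided the branch also returns, i.e. `if (!skb->dev) { kfree_skb(skb); return 0; }` ahead of the VLAN fix-up. The missing return is also the clearest defect in the lines being removed: in the r7 version both `kfree_skb(skb)` and `skb->dst->output(skb)` fall through to the same `NF_HOOK_THRESH` call on the same skb, so the packet is freed or handed to the output path and then used again, which on its own would explain the panic. Housekeeping: drop the commented-out copy of the old block instead of carrying it in a `/* ... */` (the hunk header's +30 is mostly that comment, and the explanation belongs in the post or the commit message, not the source); the `-`/`+` pair on `br_handle_frame_finish, 1);` is a whitespace-only change that should not be in the hunk; and the mailer has wrapped the `+++` header and several of the `+` comment lines, so the patch as posted will not apply with patch(1) until those are rejoined. An attachment would avoid that.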

--
gentoo-hardened@g.o mailing list
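As an added example, not code from this post, from hardened-sources or from the kernel, the following C model shows what the two directions do to the skb inside the finish function: skb_pull() advances skb->data and shrinks len, skb_push() moves it back toward head and grows len, and a push that would go below head is the skb_under_panic() case. It assumes the pre-routing side had already pulled the 4-byte 802.1Q tag and bumped nh.raw by the same amount before calling the IPv6 hooks (the bridge code of that era did this, but that code is not on this page), so the finish function has to apply the inverse operation. The sample frame, the buffer size and the NULL-for-panic convention are constructed here; it models the pointer bookkeeping only, not the crash itself.

```c
/* Toy model of the 2.6-era sk_buff front-of-buffer operations behind the VLAN
 * fix-up in br_nf_pre_routing_finish_ipv6().  Added example, not code from the
 * post, hardened-sources or the kernel: head/data/nh.raw/len and the pull/push
 * rules follow include/linux/skbuff.h of that era; the sample frame, buffer
 * size, the assumption that pre-routing pulled the tag first, and reporting a
 * would-be skb_under_panic() as NULL are constructed here. */
#include <stdio.h>
#include <string.h>

#define ETH_HLEN  14
#define VLAN_HLEN 4
#define IPV6_HLEN 40
#define BUFSZ     128

struct skb {
    unsigned char *head, *data;   /* buffer start, start of visible data */
    unsigned char *nh_raw;        /* skb->nh.raw: network header pointer */
    size_t len;                   /* visible bytes starting at data */
    unsigned char buf[BUFSZ];
};

/* skb_pull(): drop n bytes at the front, data advances and len shrinks.
 * Pulling past the end is a kernel BUG; modelled as NULL here. */
static unsigned char *model_skb_pull(struct skb *s, size_t n)
{
    if (n > s->len)
        return NULL;
    s->len -= n;
    s->data += n;
    return s->data;
}

/* skb_push(): reveal n bytes in front of data, data retreats and len grows.
 * Retreating below head is the skb_under_panic() case; modelled as NULL. */
static unsigned char *model_skb_push(struct skb *s, size_t n)
{
    if ((size_t)(s->data - s->head) < n)
        return NULL;
    s->data -= n;
    s->len += n;
    return s->data;
}

/* Constructed input: an 802.1Q-tagged IPv6 frame as the bridge sees it after
 * eth_type_trans() pulled the 14-byte MAC header into the headroom, so data
 * and nh.raw both point at the 4-byte tag. */
static void build_tagged_ipv6_frame(struct skb *s)
{
    memset(s, 0, sizeof(*s));
    s->head = s->buf;
    memset(s->buf, 0xEE, ETH_HLEN);                            /* MAC header */
    s->buf[ETH_HLEN + 1] = 0x0A;                               /* TCI: VLAN 10 */
    s->buf[ETH_HLEN + 2] = 0x86; s->buf[ETH_HLEN + 3] = 0xDD;  /* IPv6 inside */
    s->data = s->nh_raw = s->buf + ETH_HLEN;
    s->len = VLAN_HLEN + IPV6_HLEN;
}

/* Pre-routing side (assumed): hide the tag so the IPv6 hooks see plain IPv6. */
static int strip_vlan_tag(struct skb *s)
{
    if (!model_skb_pull(s, VLAN_HLEN))
        return -1;
    s->nh_raw += VLAN_HLEN;
    return 0;
}

/* The finish function's fix-up.  Upstream and hardened r5 push, the inverse
 * of the pre-routing pull; the removed r6/r7 lines pulled a second time. */
static int restore_vlan_tag(struct skb *s, int r7)
{
    if (!(r7 ? model_skb_pull(s, VLAN_HLEN) : model_skb_push(s, VLAN_HLEN)))
        return -1;
    s->nh_raw += r7 ? VLAN_HLEN : -VLAN_HLEN;
    return 0;
}

/* Strip then restore a fresh frame; r7 selects the pull-again variant. */
static int run_finish(struct skb *s, int r7)
{
    build_tagged_ipv6_frame(s);
    return strip_vlan_tag(s) ? -1 : restore_vlan_tag(s, r7);
}

/* 1 if data is back on the tag and the whole frame is visible again. */
static int frame_restored(const struct skb *s)
{
    return s->data == s->buf + ETH_HLEN && s->nh_raw == s->data &&
           s->len == VLAN_HLEN + IPV6_HLEN;
}

static long scenario_nh_off(int r7)   { struct skb s; run_finish(&s, r7); return (long)(s.nh_raw - s.buf); }
static long scenario_len(int r7)      { struct skb s; run_finish(&s, r7); return (long)s.len; }
static int  scenario_restored(int r7) { struct skb s; run_finish(&s, r7); return frame_restored(&s); }
/* Pushing more than the 14 bytes of headroom is the skb_under_panic() case. */
static int  push_underflows(void)     { struct skb s; build_tagged_ipv6_frame(&s); return model_skb_push(&s, ETH_HLEN + 1) == NULL; }

int main(void)
{
    printf("upstream push: nh.raw@%ld len=%ld restored=%d\n",
           scenario_nh_off(0), scenario_len(0), scenario_restored(0));
    printf("r7 pull again: nh.raw@%ld len=%ld restored=%d\n",
           scenario_nh_off(1), scenario_len(1), scenario_restored(1));
    printf("push past headroom would panic: %d\n", push_underflows());
    return 0;
}
```

With the upstream push, data and nh.raw return to the tag and len to its original 44 bytes. With the r7 pull-again variant both pointers end up 8 bytes past the tag and len is 4 bytes short, so the frame handed on to br_handle_frame_finish no longer contains the tag and nh.raw sits 4 bytes inside the IPv6 header; the model returns -1 rather than panicking only because it checks the bounds the real skb_push()/skb_pull() would BUG on.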