Can kill any 2.2.x kernel from outside (bug in address translation code)

Richard Bouska (risa@gsl.kralupy.cz)
Mon, 12 Jul 1999 15:01:50 +0200 (CEST)


Hello,

I've got kernel panic in kernels 2.2.4 - 2.2.10 (those I've tested) on
both gcc and egcs compiled kernels.
This is possible that it does not work in the older kernels but those I've
not tested.

I am using ip utility for seting up networking (NAT)

ip lin set lo up
ip lin set eth0 up
ip lin set eth1 up
ip lin set eth2 up
ip addr add 127.0.0.1/8 dev lo brd + scope host
ip addr add 10.0.0.1/16 dev eth0 brd +
ip addr add 10.1.0.1/24 dev eth1 brd +
ip addr add 192.168.0.20/24 dev eth2 brd +
ip route add 0.0.0.0/0 via 192.168.0.1 scope global

#This is the beast !!
ip route add nat 192.168.0.23/32 via 10.0.0.23
ip rule add prio 32 from 10.0.0.23 nat 192.168.0.23

The 192.168- simulates for me external netowrk and the 10.0 the
internal one.
Any ping -R through the NAT causes oops. Othervise the configuration works
well (traceroute , ping, ping -f tracepath - everithing work as it
should.) The only ping -R is the evil.

When I for example try to ping from 10.0.0.23 to some "outside" computer
(any from 192.168.0.x) then the kernel oopses like that:

Unable to handle kernel NULL pointer dereference at virtual address
0000008c
current->tss.cr3 = 00101000, %cr3 = 00101000
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c0166829>]
EFLAGS: 00010246
eax: 00000000 ebx: 00000000 ecx: 00000000 edx: c0ffb320
esi: 0300010a edi: 000000fe ebp: c2dcf834 esp: c01d5e74
ds: 0018 es: 0018 ss: 0018
Process swapper (pid: 0, process nr: 0, stackpage=c01d5000)
Stack: 00000002 c016955e 00000000 0300010a 000000fe c0152342 c01d5e9c
c3d99ecc
c3d99ecc 00000000 c3c5fd88 fe0aa920 c0ffb320 c01caaa0 c015664b
c2dcf847
c2c81140 c3d99ecc c2dcf820 00000002 c01d5f00 c0155630 c2dcf820
c2c81140
Call Trace: [<c016955e>] [<c0152342>] [<c015664b>] [<c0155630>]
[<c015577d>]
[<c0145fdd>] [<c0154abd>]
[<c01477ed>] [<c0115d41>] [<c0108c13>] [<c0107a70>] [<c0106281>]
[<c0106000>] [<c01062a4>] [<c01079b4>]
[<c0106000>] [<c010607b>] [<c0106000>] [<c0100176>]
Code: 8b 81 8c 00 00 00 85 c0 74 7d 8b 50 04 eb 1c 31 c0 8a 42 1c

>>EIP: c0166829 <inet_select_addr+11/a0>
Trace: c016955e <__fib_res_prefsrc+1a/20>
Trace: c0152342 <ip_rt_get_source+42/74>
Trace: c015664b <ip_forward_options+5b/178>
Trace: c0155630 <ip_forward+2e0/550>
Trace: c015577d <ip_forward+42d/550>
Trace: c0145fdd <__kfree_skb+a1/a8>
Trace: c01477ed <net_bh+179/1d4>
Trace: c0106000 <get_options+0/74>
Trace: c0106000 <get_options+0/74>
Code: c0166829 <inet_select_addr+11/a0> 00000000 <_EIP>: <===
Code: c0166829 <inet_select_addr+11/a0> 0: 8b 81 8c 00 00
movl 0x8c(%ecx),%eax <===
Code: c016682e <inet_select_addr+16/a0> 5: 00
Code: c016682f <inet_select_addr+17/a0> 6: 85 c0
testl %eax,%eax
Code: c0166831 <inet_select_addr+19/a0> 8: 74 7d je
c01668b0 <inet_select_addr+98/a0>
Code: c0166833 <inet_select_addr+1b/a0> a: 8b 50 04
movl 0x4(%eax),%edx
Code: c0166836 <inet_select_addr+1e/a0> d: eb 1c
jmp c0166854 <inet_select_addr+3c/a0>
Code: c0166838 <inet_select_addr+20/a0> f: 31 c0
xorl %eax,%eax
Code: c016683a <inet_select_addr+22/a0> 11: 8a 42 1c
movb 0x1c(%edx),%al

Aiee, killing interrupt handler
Kernel panic. Attempted to kill the idle task!
In swapper task - not syncing

Did anybody noticet the same behavior?
For completnes the computer is a celeron 300 /64M ram with 3com network
cards.

Richard Bouska
Richard@Bouska.cz
----------
I'll carry your books, I'll carry a tune, I'll carry on, carry over,
carry forward, Cary Grant, cash & carry, Carry Me Back To Old Virginia,
I'll even Hara Kari if you show me how, but I will *not* carry a gun.
-- Hawkeye, M*A*S*H

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/