From: Eric Sesterhenn <snakebyte@gmx.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, yoshfuji@linux-ipv6.org
Subject: [BUG] icmpv6fuzz creates bad paging request
Date: Thu, 1 Jan 2009 21:13:04 +0100
Message-ID: <20090101201304.GA6698@alice>

Hi,

Running "icmpv6fuzz -r 2187" gives me the following oops with current -git:


[ 4320.851654] BUG: unable to handle kernel paging request at c9527000
[ 4320.851749] IP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8
[ 4320.851898] *pde = 0001f067 *pte = 09527160 
[ 4320.851977] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[ 4320.852011] last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/resource
[ 4320.852011] Modules linked in:
[ 4320.852011] 
[ 4320.852011] Pid: 5065, comm: icmpv6fuzz Tainted: G        W  (2.6.28-04928-g6a94cb7 #152) System Name
[ 4320.852011] EIP: 0060:[<c04e5668>] EFLAGS: 00010202 CPU: 0
[ 4320.852011] EIP is at __copy_from_user_ll+0x8c/0xd8
[ 4320.852011] EAX: 00000000 EBX: 4b17b3d7 ECX: 4b1782d7 EDX: 00000000
[ 4320.852011] ESI: 097d5f24 EDI: c9526fc8 EBP: c9523da0 ESP: c9523d98
[ 4320.852011]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 4320.852011] Process icmpv6fuzz (pid: 5065, ti=c9523000 task=cee15b00 task.ti=c9523000)
[ 4320.852011] Stack:
[ 4320.852011]  c9523ec8 097d2e24 c9523db4 c04e5907 00000000 c9523ec8 cee431fc c9523f1c
[ 4320.852011]  c06fd4db 00000032 cee42f00 00000000 cee15b00 00000002 00000000 00000000
[ 4320.852011]  c951ea64 cee15b00 00000002 00000000 00000000 c951ea64 cee15b00 00000246
[ 4320.852011] Call Trace:
[ 4320.852011]  [<c04e5907>] ? copy_from_user+0x36/0x59
[ 4320.852011]  [<c06fd4db>] ? ipv6_setsockopt+0x4ed/0xb8e
[ 4320.852011]  [<c017c674>] ? might_fault+0x42/0x7e
[ 4320.852011]  [<c04e5b25>] ? copy_to_user+0x38/0x43
[ 4320.852011]  [<c01421d1>] ? print_lock_contention_bug+0x11/0xb2
[ 4320.852011]  [<c0143f37>] ? trace_hardirqs_on+0xb/0xd
[ 4320.852011] Code: 1c 8b 46 20 8b 56 24 89 47 20 89 57 24 8b 46 28 8b 56 2c 89 47 28 89 57 2c 8b 46 30 8b 56 34 89 47 30 89 57 34 8b 46 38 8b 56 3c <89> 47 38 89 57 3c 83 c1 c0 83 c6 40 83 c7 40 83 f9 3f 77 88 89 
[ 4320.852011] EIP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8 SS:ESP 0068:c9523d98
[ 4320.852011] ---[ end trace 4eaa2a86a8e2da22 ]---
[ 4320.868860] =============================================================================
[ 4320.868910] BUG fs_cache: Redzone overwritten
[ 4320.868938] -----------------------------------------------------------------------------
[ 4320.868943] 
[ 4320.868991] INFO: 0xc9525138-0xc952513b. First byte 0x0 instead of 0xbb
[ 4320.869012] INFO: Slab 0xc12bd4a0 objects=32 used=4 fp=0xc9525100 flags=0x400000c3
[ 4320.869012] INFO: Object 0xc9525100 @offset=256 fp=0x00000000
[ 4320.869012] 
[ 4320.869012] Bytes b4 0xc95250f0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012]   Object 0xc9525100:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012]   Object 0xc9525110:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012]   Object 0xc9525120:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012]   Object 0xc9525130:  00 00 00 00 00 00 00 00                         ........        
[ 4320.869012]  Redzone 0xc9525138:  00 00 00 00                                     ....            
[ 4320.869012]  Padding 0xc9525160:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012]  Padding 0xc9525170:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 4320.869012] Pid: 4096, comm: syslogd Tainted: G      D W  2.6.28-04928-g6a94cb7 #152
[ 4320.869012] Call Trace:
[ 4320.869012]  [<c018ca58>] print_trailer+0xcd/0xd5
[ 4320.869012]  [<c018cad8>] check_bytes_and_report+0x78/0x94
[ 4320.869012]  [<c018ccf7>] check_object+0x49/0x191
[ 4320.869012]  [<c018da8b>] __slab_alloc+0x446/0x508
[ 4320.869012]  [<c079f416>] ? _spin_unlock+0x2c/0x41
[ 4320.869012]  [<c018de1e>] ? kmem_cache_alloc+0x4a/0xea
[ 4320.869012]  [<c018de50>] kmem_cache_alloc+0x7c/0xea
[ 4320.869012]  [<c0124231>] ? __copy_fs_struct+0x1c/0x80
[ 4320.869012]  [<c0124231>] ? __copy_fs_struct+0x1c/0x80
[ 4320.869012]  [<c0124231>] __copy_fs_struct+0x1c/0x80
[ 4320.869012]  [<c0124ed1>] copy_process+0x631/0xfe9
[ 4320.869012]  [<c0143f37>] ? trace_hardirqs_on+0xb/0xd
[ 4320.869012]  [<c01259e9>] do_fork+0x121/0x2b8
[ 4320.869012]  [<c04e54f0>] ? trace_hardirqs_on_thunk+0xc/0x10
[ 4320.869012]  [<c0102ecf>] ? sysenter_exit+0xf/0x16
[ 4320.869012]  [<c01015c8>] sys_clone+0x24/0x26
[ 4320.869012]  [<c0102ea1>] sysenter_do_call+0x12/0x31
[ 4320.869012] FIX fs_cache: Restoring 0xc9525138-0xc952513b=0xbb
[ 4320.869012] 
[ 4320.869012] FIX fs_cache: Marking all objects used
[ 4328.729876] BUG: unable to handle kernel NULL pointer dereference at 0000002c
[ 4328.730066] IP: [<c01c5021>] dnotify_flush+0x16/0x79
[ 4328.730159] *pde = 00000000 
[ 4328.730231] Oops: 0000 [#2] PREEMPT DEBUG_PAGEALLOC
[ 4328.730332] last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/resource
[ 4328.730434] Modules linked in:
[ 4328.730486] 
[ 4328.730518] Pid: 5058, comm: kerneloops Tainted: G      D W  (2.6.28-04928-g6a94cb7 #152) System Name
[ 4328.730611] EIP: 0060:[<c01c5021>] EFLAGS: 00010282 CPU: 0
[ 4328.730644] EIP is at dnotify_flush+0x16/0x79
[ 4328.730675] EAX: 00000000 EBX: c9524300 ECX: c01902e4 EDX: cf89f600
[ 4328.730706] ESI: cf89f600 EDI: c9524300 EBP: c94f8f84 ESP: c94f8f70
[ 4328.730797]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 4328.730829] Process kerneloops (pid: 5058, ti=c94f8000 task=c9416800 task.ti=c94f8000)
[ 4328.730860] Stack:
[ 4328.730887]  cf89f600 00000001 c9524300 cf89f600 00000000 c94f8f98 c0190267 cf89f600
[ 4328.731033]  00000003 c9524300 c94f8fb0 c01902ed cf89f624 00000003 00000003 ffffffff
[ 4328.731033]  c94f8000 c0102ea1 00000003 b7ef6174 b801aff4 00000003 ffffffff bf8625a8
[ 4328.731033] Call Trace:
[ 4328.731033]  [<c0190267>] ? filp_close+0x45/0x5f
[ 4328.731033]  [<c01902ed>] ? sys_close+0x6c/0xa5
[ 4328.731033]  [<c0102ea1>] ? sysenter_do_call+0x12/0x31
[ 4328.731033] Code: 89 d8 e8 e7 a6 fd ff eb 07 89 f0 e8 e4 a3 5d 00 5b 5e 5f 5d c3 55 89 e5 57 56 53 83 ec 08 0f 1f 44 00 00 89 55 ec 89 c7 8b 40 0c <8b> 70 2c 0f b7 46 6e 25 00 f0 00 00 3d 00 40 00 00 75 49 8d 46 
[ 4328.731033] EIP: [<c01c5021>] dnotify_flush+0x16/0x79 SS:ESP 0068:c94f8f70
[ 4328.735123] ---[ end trace 4eaa2a86a8e2da22 ]---
[ 4328.735274] Bad page state in process 'kerneloops'
[ 4328.735278] page:c11b5f80 flags:0x40000400 mapping:00000000 mapcount:0 count:0
[ 4328.735348] Trying to fix it up, but a reboot is needed
[ 4328.735352] Backtrace:
[ 4328.735420] Pid: 5058, comm: kerneloops Tainted: G      D W  2.6.28-04928-g6a94cb7 #152
[ 4328.735451] Call Trace:
[ 4328.735504]  [<c0171ea8>] bad_page+0x4d/0x78
[ 4328.735541]  [<c01725e5>] free_hot_cold_page+0xa3/0x20a
[ 4328.735592]  [<c017279a>] free_hot_page+0xf/0x11
[ 4328.735632]  [<c017568b>] put_page+0xc2/0xc7
[ 4328.735694]  [<c0183fa2>] free_page_and_swap_cache+0x36/0x3c
[ 4328.735744]  [<c011888f>] __pte_free_tlb+0x2d/0x2f
[ 4328.735805]  [<c017c58d>] free_pgd_range+0x139/0x151
[ 4328.735849]  [<c0400000>] ? ocfs2_merge_rec_left+0x19f/0xc29
[ 4328.735902]  [<c017c963>] free_pgtables+0x8c/0x9a
[ 4328.735937]  [<c017e407>] exit_mmap+0x9c/0x104
[ 4328.736002]  [<c01244f8>] mmput+0x39/0x89
[ 4328.736075]  [<c012791e>] exit_mm+0xc3/0xcb
[ 4328.736112]  [<c0128bd9>] do_exit+0x199/0x6d5
[ 4328.736163]  [<c0127102>] ? printk+0x1a/0x1c
[ 4328.736197]  [<c01262e8>] ? print_oops_end_marker+0x23/0x28
[ 4328.736261]  [<c07a01a1>] oops_end+0x95/0x9d
[ 4328.736302]  [<c0104ffe>] die+0x58/0x5e
[ 4328.736356]  [<c07a1447>] do_page_fault+0x538/0x601
[ 4328.736392]  [<c07a0f0f>] ? do_page_fault+0x0/0x601
[ 4328.736443]  [<c079f7ef>] error_code+0x6f/0x74
[ 4328.736481]  [<c01902e4>] ? sys_close+0x63/0xa5
[ 4328.736533]  [<c01c5021>] ? dnotify_flush+0x16/0x79
[ 4328.736569]  [<c0190267>] filp_close+0x45/0x5f
[ 4328.736620]  [<c01902ed>] sys_close+0x6c/0xa5
[ 4328.736655]  [<c0102ea1>] sysenter_do_call+0x12/0x31


(gdb) l *(ipv6_setsockopt+0x4ed)
0xc06fd677 is in ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:407).
402			if (optlen == 0)
403				goto e_inval;
404			else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL)
405				goto e_inval;
406	
407			if (copy_from_user(&pkt, optval, optlen)) {
408					retv = -EFAULT;
409					break;
410			}
411			if (sk->sk_bound_dev_if && pkt.ipi6_ifindex != sk->sk_bound_dev_if)



I can reproduce this on another box:

[ 2139.689945] BUG: unable to handle kernel paging request at c7d78000
[ 2139.690390] IP: [<c05ad652>] iret_exc+0x7a6/0xb04
[ 2139.690707] Oops: 0002 [#1] DEBUG_PAGEALLOC
[ 2139.690914] last sysfs file: /sys/block/sda/size
[ 2139.691096] Modules linked in: nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc ipv6 fuse unix
[ 2139.691976] 
[ 2139.692046] Pid: 4182, comm: icmpv6fuzz Not tainted (2.6.28 #77) 
[ 2139.692046] EIP: 0060:[<c05ad652>] EFLAGS: 00010246 CPU: 0
[ 2139.692046] EIP is at iret_exc+0x7a6/0xb04
[ 2139.692046] EAX: 00000000 EBX: 4b17b3d7 ECX: 4b13f27b EDX: 00000000
[ 2139.692046] ESI: 09a8e000 EDI: c7d78000 EBP: c7d3bd78 ESP: c7d3bd64
[ 2139.692046]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 2139.692046] Process icmpv6fuzz (pid: 4182, ti=c7d3b000 task=c8f78710 task.ti=c7d3b000)
[ 2139.692046] Stack:
[ 2139.692046]  00000003 4b15e1f3 c7d3bea4 09a70e1c 00000032 c7d3bef8 d1893f7d c7d854a0
[ 2139.692046]  c7d3bed4 c011afd9 c011afd9 c7b7ecb0 c8f7d2c7 c7b7ef70 00000000 00000000
[ 2139.692046]  00000002 00000316 000003be 00000000 c8f78728 c8f78acc c8f78710 00000001
[ 2139.692046] Call Trace:
[ 2139.692046]  [<d1893f7d>] ? do_ipv6_setsockopt+0x95d/0xe90 [ipv6]
[ 2139.692046]  [<c011afd9>] ? do_page_fault+0x249/0x7d0
[ 2139.692046]  [<c011afd9>] ? do_page_fault+0x249/0x7d0
[ 2139.692046]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.692046]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.692046]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.692046]  [<c014e321>] ? trace_hardirqs_on_caller+0x151/0x1c0
[ 2139.692046] Code: f3 aa 58 59 e9 2e 24 cf ff 01 c1 e9 81 24 cf ff 8d 0c 88 e9 79 24 cf ff 8d 0c 88 e9 27 25 cf ff 01 c1 eb 03 8d 0c 88 51 50 31 c0 <f3> aa 58 59 e9 81 25 cf ff 8d 0c 88 51 50 31 c0 f3 aa 58 59 e9 
[ 2139.692046] EIP: [<c05ad652>] iret_exc+0x7a6/0xb04 SS:ESP 0068:c7d3bd64
[ 2139.692046] ---[ end trace 1503b93caf7b40a5 ]---
[ 2139.703551] BUG: unable to handle kernel NULL pointer dereference at 00000008
[ 2139.703841] IP: [<c029c346>] rb_insert_color+0x46/0x110
[ 2139.704079] *pde = 00000000 
[ 2139.704224] Oops: 0000 [#2] DEBUG_PAGEALLOC
[ 2139.704479] last sysfs file: /sys/block/sda/size
[ 2139.704597] Modules linked in: nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc ipv6 fuse unix
[ 2139.705470] 
[ 2139.705568] Pid: 4182, comm: icmpv6fuzz Tainted: G      D    (2.6.28 #77) 
[ 2139.705764] EIP: 0060:[<c029c346>] EFLAGS: 00010046 CPU: 0
[ 2139.705894] EIP is at rb_insert_color+0x46/0x110
[ 2139.706018] EAX: 00000000 EBX: c7d4aaf8 ECX: 304bfe00 EDX: 00000000
[ 2139.706151] ESI: c7d4aafc EDI: 00000000 EBP: c0901f20 ESP: c0901f08
[ 2139.706341]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 2139.706469] Process icmpv6fuzz (pid: 4182, ti=c0901000 task=c8f78710 task.ti=c7d3b000)
[ 2139.706647] Stack:
[ 2139.706744]  c0836e30 c09367a0 00000000 c09367a0 c7d4aafc 00000000 c0901f68 c0140950
[ 2139.707329]  00000000 00000002 00000001 c0836e30 00000000 c0836e28 c7d4aaf8 c09367a0
[ 2139.707530]  c0836e28 c0901f68 c05ac55a 00000000 00000002 00000001 c09367a0 c0836e28
[ 2139.707530] Call Trace:
[ 2139.707530]  [<c0140950>] ? enqueue_hrtimer+0x90/0x180
[ 2139.707530]  [<c05ac55a>] ? _spin_lock+0x3a/0x40
[ 2139.707530]  [<c0140ae1>] ? __run_hrtimer+0xa1/0xe0
[ 2139.707530]  [<c0149a10>] ? tick_sched_timer+0x0/0xc0
[ 2139.707530]  [<c014128d>] ? hrtimer_interrupt+0xed/0x190
[ 2139.707530]  [<c01059cb>] ? timer_interrupt+0x3b/0x50
[ 2139.707530]  [<c016a779>] ? handle_IRQ_event+0x29/0x60
[ 2139.707530]  [<c016c505>] ? handle_level_irq+0x65/0xe0
[ 2139.707530]  [<c016c4a0>] ? handle_level_irq+0x0/0xe0
[ 2139.707530]  <IRQ> <0> [<c0103bac>] ? common_interrupt+0x2c/0x34
[ 2139.707530]  [<c05ac3b4>] ? _spin_unlock_irq+0x24/0x30
[ 2139.707530]  [<c015fa86>] ? acct_collect+0x126/0x170
[ 2139.707530]  [<c012caf6>] ? do_exit+0x606/0x800
[ 2139.707530]  [<c032e2f7>] ? set_cursor+0x57/0x80
[ 2139.707530]  [<c05a99f6>] ? printk+0x18/0x1a
[ 2139.707530]  [<c01294ff>] ? oops_exit+0x2f/0x40
[ 2139.707530]  [<c0106432>] ? oops_end+0x92/0xa0
[ 2139.707530]  [<c01065f0>] ? die+0x50/0x70
[ 2139.707530]  [<c011b04a>] ? do_page_fault+0x2ba/0x7d0
[ 2139.707530]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.707530]  [<c010d5ba>] ? save_stack_trace+0x2a/0x50
[ 2139.707530]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.707530]  [<c011ad90>] ? do_page_fault+0x0/0x7d0
[ 2139.707530]  [<c05ac9f7>] ? error_code+0x6f/0x74
[ 2139.707530]  [<c0290000>] ? sg_io+0x2d0/0x360
[ 2139.707530]  [<c05ad652>] ? iret_exc+0x7a6/0xb04
[ 2139.707530]  [<d1893f7d>] ? do_ipv6_setsockopt+0x95d/0xe90 [ipv6]
[ 2139.707530]  [<c011afd9>] ? do_page_fault+0x249/0x7d0
[ 2139.707530]  [<c011afd9>] ? do_page_fault+0x249/0x7d0
[ 2139.707530]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.707530]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.707530]  [<c014e82c>] ? __lock_acquire+0x26c/0x1110
[ 2139.707530]  [<c014e321>] ? trace_hardirqs_on_caller+0x151/0x1c0
[ 2139.707530] Code: 89 06 83 0b 01 8b 55 f0 83 22 fe 89 d6 89 75 ec 8b 55 ec 8b 02 89 c3 83 e3 fc 74 71 8b 13 f6 c2 01 75 6a 89 d0 83 e0 fc 89 45 f0 <8b> 70 08 39 de 74 33 85 f6 74 06 8b 06 a8 01 74 c1 8b 7b 08 3b 
[ 2139.707530] EIP: [<c029c346>] rb_insert_color+0x46/0x110 SS:ESP 0068:c0901f08
[ 2139.707530] ---[ end trace 1503b93caf7b40a5 ]---
[ 2139.707530] Kernel panic - not syncing: Fatal exception in interrupt



Here is the fuzzer; the original website currently seems to be down.

Greetings, Eric

-------------------------------8<-----------------------
/*
 * ICMPv6 or ICMPv4 socket fuzzer.
 *
 * Copyright (c) 2006, Clément Lecigne
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <net/if.h>
//#include <net/if_var.h>
#include <sys/uio.h>
//#include <netinet6/ip6_mroute.h>
//#include <netinet6/in6_var.h>


#define SIOCGETMIFCNT_IN6       SIOCPROTOPRIVATE        /* IP protocol privates */
#define SIOCGETSGCNT_IN6        (SIOCPROTOPRIVATE+1)
#define SIOCGETRPF      (SIOCPROTOPRIVATE+2)


/* functions */
unsigned int randaddr(void);
void randsoopt(int);
void randgoopt(int);
void randioctl(int);
void usage(char *);

/*
 * loop until we hit a valid socket option
 */
void randsoopt(int sock)
{
	unsigned int optval;
	int optlen, optname, level, ret, on = rand() % 2;
	do
	{
		switch (rand() % 5)
		{
			case 0:
				level = IPPROTO_IPV6;
				break;
			case 1:
				level = SOL_SOCKET;
				break;
			case 2:
				level = IPPROTO_RAW;
				break;
			case 3:
				level = rand() & 0xFF;
				break;
			case 4:
				level = IPPROTO_IP;
				break;
		}
		
		if (rand() % 6)
		{
			optlen = rand();
			optval = (unsigned int)randaddr();
		}
		else
		{
			/*
			 * In some cases the kernel expects that
			 * optlen == sizeof (int), and that is
			 * the first bounds check.
			 */
			optlen = sizeof (int);
			on = rand();
			optval = (unsigned int)&on;
		}
		
		if (rand() % 8)
			optname = rand() % 255;
		else
			optname = rand();
#if 0
		/*
		 * avoid the well-known FreeBSD mbuf exhaustion.
		 */
		if (optname == 25 || optname == IPV6_IPSEC_POLICY || 
				optname == IPV6_FW_ADD || optname == IPV6_FW_FLUSH
				|| optname == IPV6_FW_DEL || optname == IPV6_FW_ZERO)
			continue;
		/*printf("level : %d - optname : %d - optlen : %d\n", 
				level, optname, optlen);*/
#endif
		ret = setsockopt(sock, level, optname, (void *)optval, optlen);

	}while(ret == -1);
	return;
}


/*
* ioctl ipv6 socket fuzzer.
*/
void randioctl(int sock)
{
	unsigned long reqs[] = { SIOCGETSGCNT_IN6, SIOCGETMIFCNT_IN6,
		SIOCGETRPF};
/*
		GSCOPE6DEF, SIOCGLIFADDR, SIOCSIFPHYADDR_IN6, SIOCGIFNETMASK_IN6,
		SIOCAIFADDR_IN6, SIOCGIFDSTADDR_IN6, SIOCSIFALIFETIME_IN6, 
		SIOCGIFADDR_IN6, SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6, SIOCGIFAFLAG_IN6,
		SIOCGIFSTAT_IN6, SIOCGIFSTAT_ICMP6, SIOCGIFALIFETIME_IN6, SIOCSIFALIFETIME_IN6,
		SIOCAIFADDR_IN6, SIOCDIFADDR_IN6 }; */
	unsigned int arg;
	int ret;
	unsigned long request;
	
	if (rand() % 8)
		request = reqs[rand() % (sizeof (reqs) / sizeof (reqs[0]))];
	else
		request = rand() + rand();
	if (rand() % 2)
	{
		arg = randaddr();
		ret = ioctl(sock, request, (caddr_t)arg);
	}
	else
	{
		arg = rand();
		ret = ioctl(sock, request, (int)arg);
	}
}


/*
* return a random address
*/
unsigned int randaddr(void)
{
	char *p = malloc(1);
	unsigned int heap = (unsigned int)p;
	free(p);
	switch (rand() % 4)
	{
		case 0:
			return (heap + (rand() & 0xFFF));
		case 1:
			return ((unsigned int)&heap + (rand() & 0xFFF));
		case 2:
			return (0xc0000000 + (rand() & 0xFFFF));
		case 3:
			return (rand());
	}
	return (0);
}


int main(int ac, char **av) 
{
	int32_t cc, s, occ, i, j, a, try, count, opts;
	u_int32_t seed, maxsize;
	u_int8_t ip6;
	int c;		/* getopt() returns int; a char cannot reliably hold EOF */
	char *buf;
	struct addrinfo *res, hints;
	struct sockaddr_in6 from;
	socklen_t fromlen;
	struct msghdr msg;
	struct cmsghdr *cmsg = NULL;
	struct iovec iov;
	
	/* default values */
	seed = getpid();
	count = 50;
	occ = 10000;
	maxsize = 4096;
	opts = 50;
	ip6 = 1;
	fromlen = sizeof(from);
	
	if (getuid())
	{
		fprintf(stderr, " - you must be root.\n");
		exit(EXIT_FAILURE);
	}
	
	while ((c = getopt(ac, av, "r:n:c:m:o:46")) != EOF)
	{
		switch (c)
		{
			case '6':
				ip6 = 1;
				break;
			case '4':
				ip6 = 0;
				break;
			case 'r':
				seed = atoi(optarg);
				break;
			case 'n':
				occ = atoi(optarg);
				break;
			case 'c':
				count = atoi(optarg);
				break;
			case 'm':
				maxsize = atoi(optarg);
				break;
			case 'o':
				opts = atoi(optarg);
				break;
			default:
				usage(av[0]);
				break;
		}
	}
	
	printf("seeding with %u\n", seed);
	srand(seed);

	buf = malloc(maxsize);
	if (buf == NULL)
	{
		printf("%s: out of memory.\n", av[0]);
		exit(EXIT_FAILURE);
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_flags = AI_CANONNAME;
	hints.ai_socktype = SOCK_RAW;
	
	if(ip6)
	{
		hints.ai_family = AF_INET6;
		hints.ai_protocol = IPPROTO_ICMPV6;
		getaddrinfo("::1", NULL, &hints, &res); 
	}
	else
	{
		hints.ai_family = AF_INET;
		hints.ai_protocol = IPPROTO_ICMP;
		getaddrinfo("127.0.0.1", NULL, &hints, &res);
	}

	for (i = 0; i < occ; i++)
	{
		printf(".\n");
		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
		//cc = bind(s, res->ai_addr, res->ai_addrlen);


		for (j = 0; j < opts; j++)
		{
			randsoopt(s);
			//randgoopt(s);
			randioctl(s);

			for (a = 0; a < 32; a++)
				buf[a] = rand() % 255;

			try = 0;
			do
			{
				switch(rand() % 3)
				{
				case 0:
					cc = sendto(s, buf, rand() % maxsize, 0,
							(struct sockaddr *)res->ai_addr, res->ai_addrlen);
					break;
				case 1:
				case 2:
					msg.msg_controllen = (rand() % 2) ? rand() & maxsize : 0;
					if (msg.msg_controllen)
					{
						if (msg.msg_controllen < sizeof (struct cmsghdr))
							cmsg = (struct cmsghdr *)malloc(sizeof (struct cmsghdr));
						else
							cmsg = (struct cmsghdr *)malloc(msg.msg_controllen);
						if (cmsg == NULL) goto nocmsghdr;
						msg.msg_control = cmsg;
						cmsg->cmsg_level = (rand() % 2) ? IPPROTO_IPV6 : rand();
						cmsg->cmsg_type = (rand() % 2) ? rand() % 255 : rand();
						cmsg->cmsg_len = (rand() % 2) ? msg.msg_controllen : rand();
					}
					else
					{
nocmsghdr:
						msg.msg_control = (rand() % 5) ? NULL : (void*)randaddr();
						msg.msg_controllen = (rand() % 2) ? rand() : 0;
					}
					iov.iov_len = (rand() % 2) ? rand() : rand() & maxsize;
					iov.iov_base = (rand() % 2) ? (void*)randaddr() : &buf;
					msg.msg_iov = (rand() % 2) ? (void*)randaddr() : &iov;
					if (rand() % 5)
					{
						msg.msg_name = res->ai_addr;
						msg.msg_namelen = res->ai_addrlen;
					}
					else
					{
						msg.msg_name = (caddr_t)randaddr();
						msg.msg_namelen = rand();
					}
					msg.msg_flags = rand();
					cc = sendmsg (s, &msg, rand());
				}
				if (cmsg != NULL)
				{	
				//	free(cmsg);
				//	cmsg = NULL;
				}
				try++;
			} while(cc == -1 && try != count); 
			recvmsg(s, &msg, MSG_DONTWAIT);
		}
		close(s);
	}
	free(buf);
	freeaddrinfo(res);
	exit(EXIT_SUCCESS);
}

/* 
* usage
*/
void usage(char *prog)
{
	printf("usage: %s [-4] [-6] [-r seed] [-c sendto-timeout]\n"
		"          [-m maxsize] [-o maxsetsockopt] [-n occ]\n", prog);
	exit(EXIT_FAILURE);
}
