From: Dan Aloni <dan@kernelim.com>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Patrick McHardy <kaber@trash.net>,
	kadlec@blackhole.kfki.hu, "David S. Miller" <davem@davemloft.net>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Dave Jones <davej@redhat.com>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: net: pretty odd panic in netfilter
Date: Wed, 2 Jul 2014 10:20:39 +0300
Message-ID: <20140702072039.GA15488@gmail.com>
In-Reply-To: <53B37B61.3020901@oracle.com>

On Tue, Jul 01, 2014 at 11:24:17PM -0400, Sasha Levin wrote:
> Hi all,
> 
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel I've stumbled on a pretty odd corruption(?) in the code - a pretty odd
> one.
> 
> Here's the issue I've hit:
> 
> [ 3640.805823] BUG: unable to handle kernel paging request at ffffffffffffff84
> [..]
> [ 3640.840752] Code: 4c 89 65 e8 49 89 cc 0f 97 c1 83 fa 01 0f 95 c0 48 89 5d e0 31 db 83 fa 04 4c 89 6d f0 0f 95 c3 4c 89 75 f8 21 55 55 fb 01 48 19 <d2> 48 83 e2 f0 48 83 c2 20 48 89 d0 48 83 f0 30 84 c9 48 0f 45
> [ 3640.840752] RIP nf_nat_packet (net/netfilter/nf_nat_core.c:482)
> [ 3640.840752]  RSP <ffff88014608b958>
> [ 3640.840752] CR2: ffffffffffffff84
> 
> Two odd things here:
> 
> 1. The code section seems to point mid-instruction:
> 
>     19dc:       0f 95 c3                setne  %bl
>     19df:       4c 89 75 f8             mov    %r14,-0x8(%rbp)
>     19e3:       21 c3                   and    %eax,%ebx
>     19e5:       83 fb 01                cmp    $0x1,%ebx
>     19e8:       48 19 d2                sbb    %rdx,%rdx  <=== The end of this (0xd2)
>     19eb:       48 83 e2 f0             and    $0xfffffffffffffff0,%rdx
>     19ef:       48 83 c2 20             add    $0x20,%rdx
>     19f3:       48 89 d0                mov    %rdx,%rax
>     19f6:       48 83 f0 30             xor    $0x30,%rax
> 
> 2. There isn't anything in that area that dereferences memory:
> 
>         enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum);
> 
>         if (mtype == NF_NAT_MANIP_SRC)
>                 statusbit = IPS_SRC_NAT;
>         else
>                 statusbit = IPS_DST_NAT;

Hi Sasha,

The fault registers are consistent with the 'rorb %cl,-0x7d(%rax)' starting
at the place where you have 0xd2. But the problem started earlier:

    "75 f8 21 55 55 fb 01 48 19 <d2> 48 83 e2 f0"

What should have been according to objdump:

    "75 f8 21 c3 83 fb 01 48 19 <d2> 48 83 e2 f0"
              ^^^^^ 
These instructions should not have been modified, even by relocation.
So we only need to figure out what overwrote them with '0x5555'.

-- 
Dan Aloni

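The byte-for-byte comparison Dan does by eye above can be scripted. What follows is an added example, not code from this thread or from the kernel tree: it parses the `Code:` line and the objdump excerpt quoted in Sasha's report (both copied here as inline constants), aligns the two streams, reports every differing byte with its address and its offset from RIP, says which listed instruction RIP falls inside and how far into it, and decodes the three bytes at RIP into the `rorb %cl,-0x7d(%rax)` Dan refers to. The function names and the deliberately narrow ModRM decoder (opcode D2, mod=01, no SIB) are this example's own assumptions.

```python
"""Diff an x86-64 oops `Code:` line against an objdump listing.

Added example, not code from the thread or the kernel tree. The two inputs
are copied from the messages above; everything else is this example's own.
"""
import re

# Copied from Sasha's oops; the kernel puts <xx> on the byte RIP pointed at.
OOPS_CODE_LINE = (
    "Code: 4c 89 65 e8 49 89 cc 0f 97 c1 83 fa 01 0f 95 c0 48 89 5d e0 31 db "
    "83 fa 04 4c 89 6d f0 0f 95 c3 4c 89 75 f8 21 55 55 fb 01 48 19 <d2> 48 83 "
    "e2 f0 48 83 c2 20 48 89 d0 48 83 f0 30 84 c9 48 0f 45"
)

# Copied from the objdump excerpt in the same message.
OBJDUMP_LISTING = """\
    19dc:       0f 95 c3                setne  %bl
    19df:       4c 89 75 f8             mov    %r14,-0x8(%rbp)
    19e3:       21 c3                   and    %eax,%ebx
    19e5:       83 fb 01                cmp    $0x1,%ebx
    19e8:       48 19 d2                sbb    %rdx,%rdx
    19eb:       48 83 e2 f0             and    $0xfffffffffffffff0,%rdx
    19ef:       48 83 c2 20             add    $0x20,%rdx
    19f3:       48 89 d0                mov    %rdx,%rax
    19f6:       48 83 f0 30             xor    $0x30,%rax
"""


def parse_code_line(line):
    """Return (dump bytes, index of the <xx> byte, i.e. where RIP pointed)."""
    data, rip = [], None
    for tok in line.split("Code:", 1)[1].split():
        m = re.fullmatch(r"<?([0-9a-fA-F]{2})>?", tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r}")
        if tok.startswith("<"):
            rip = len(data)
        data.append(int(m.group(1), 16))
    if rip is None:
        raise ValueError("no <xx> RIP marker in Code: line")
    return bytes(data), rip


def parse_objdump(listing):
    """Return [(address, bytes, mnemonic)] for every instruction line."""
    insns = []
    for ln in listing.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s+)+)(.*)$", ln)
        if m:
            insns.append((int(m.group(1), 16),
                          bytes.fromhex(re.sub(r"\s", "", m.group(2))),
                          m.group(3).strip()))
    return insns


def align(dump, expected):
    """Slide the expected stream over the dump; return the offset with the fewest differing bytes."""
    best_off, best_diff = None, None
    for off in range(len(dump) - len(expected) + 1):
        diff = sum(a != b for a, b in zip(dump[off:], expected))
        if best_diff is None or diff < best_diff:
            best_off, best_diff = off, diff
    return best_off


def diff_against_listing(code_line, listing):
    """Report differing bytes as (address, offset from RIP, expected, seen)
    plus the listed instruction RIP falls inside and how far into it."""
    dump, rip = parse_code_line(code_line)
    insns = parse_objdump(listing)
    base = align(dump, b"".join(b for _, b, _ in insns))
    rip_addr = insns[0][0] + (rip - base)
    mismatches, pos = [], base
    for addr, ebytes, _ in insns:
        for i, eb in enumerate(ebytes):
            if dump[pos] != eb:
                mismatches.append((addr + i, pos - rip, eb, dump[pos]))
            pos += 1
    rip_insn, rip_off = None, None
    for addr, ebytes, mnem in insns:
        if addr <= rip_addr < addr + len(ebytes):
            rip_insn, rip_off = (addr, mnem), rip_addr - addr
            break
    return {"rip_addr": rip_addr, "mismatches": mismatches,
            "rip_insn": rip_insn, "rip_insn_offset": rip_off}


# Group-2 (rotate/shift) opcode extension carried in ModRM.reg; 64-bit base regs.
GROUP2 = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_group2_cl_byte(code):
    """Decode opcode D2 (rotate/shift r/m8 by CL) with a mod=01, non-SIB ModRM
    and an 8-bit displacement into AT&T syntax. Only this one form is handled
    (an assumption of this example); it is what the bytes at RIP happen to be."""
    if len(code) < 3 or code[0] != 0xD2:
        raise ValueError("not opcode D2")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 1 or rm == 4:
        raise ValueError("only mod=01 without a SIB byte is handled")
    disp = code[2] - 0x100 if code[2] & 0x80 else code[2]
    sign = "-" if disp < 0 else ""
    return f"{GROUP2[reg]}b %cl,{sign}0x{abs(disp):x}(%{REG64[rm]})"


if __name__ == "__main__":
    r = diff_against_listing(OOPS_CODE_LINE, OBJDUMP_LISTING)
    print(f"RIP = 0x{r['rip_addr']:x}, {r['rip_insn_offset']} byte(s) into "
          f"0x{r['rip_insn'][0]:x}: {r['rip_insn'][1]}")
    for addr, off, exp, seen in r["mismatches"]:
        print(f"  0x{addr:x} (RIP{off:+d}): expected {exp:02x}, saw {seen:02x}")
    dump, rip = parse_code_line(OOPS_CODE_LINE)
    print("bytes at RIP decode as:", decode_group2_cl_byte(dump[rip:rip + 3]))
```

Run as-is it places RIP at 0x19ea, two bytes into the `sbb %rdx,%rdx` at 0x19e8 (the mid-instruction pointer Sasha noticed), and lists exactly two differing bytes, at 0x19e4 and 0x19e5 (RIP-6 and RIP-5), where `c3 83` has become `55 55`. The alignment step matters because the 64-byte `Code:` window starts well before the listed instructions; matching by minimum byte difference rather than by a known symbol address keeps the script usable when the oops gives no symbolic RIP.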
Thread overview: 2+ messages
2014-07-02  3:24 net: pretty odd panic in netfilter Sasha Levin
2014-07-02  7:20 ` Dan Aloni [this message]
