On 25 Apr 2006 at 7:27, [EMAIL PROTECTED] wrote:

I'll try this afternoon to add various other patches from the
hardened-patches-2.6.14-7.extras.tar.bz2 series to see which one is
responsible.

I decoded the oops stack trace and it seems that the code where the
problem triggered (not necessarily the culprit) has something to do
with netfilter/bridging/ipv6. Are there known problems in that area?

I encountered a problem like this that I resolved a few weeks ago
when I decided to get 2.6.14-hardened-r7 to work (r6 had the same
problem, but I stuck to r5 until r7 came out). I have a bridge set up
for use with openvpn.

One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6
and r7 apply to the vanilla 2.6.14 modifies the function
br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a way
that made my hardened server crash whenever I attempted to ssh to it
(over IPv6). Looking at the upstream source for the kernel (2.6.16.9
from kernel.org), the patch appears to have been reverted back or
never applied.

I changed the patched part to look like the upstream sources (which
also looks like 2.6.14-hardened-r5), and that stopped the kernel
panic. The patch calls skb_pull() rather than skb_push(), which I
suspect filled up a buffer rather than emptying it.

The following diff shows how I reverted the patch, and my server
hasn't panicked since then.

-B.J. Orvis

diff -urd linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c
linux-2.6.14-hardened-r7-bridgemod/net/bridge/br_netfilter.c
--- linux-2.6.14-hardened-r7/net/bridge/br_netfilter.c 2006-05-01
16:25:54.000000000 -0700
+++ linux-2.6.14-hardened-r7-bridgemod/net/bridge/
br_netfilter.c 2006-05-01 16:35:07.000000000 -0700
@@ -116,17 +116,30 @@
dst_hold(skb->dst);
skb->dev = nf_bridge->physindev;
- if (!skb->dev)
- kfree_skb(skb);
- else {
- if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
- skb_pull(skb, VLAN_HLEN);
- skb->nh.raw += VLAN_HLEN;
- }
- skb->dst->output(skb);
+ /* the following has been shifted back to how it is in
hardened-sources
+ * 2.6.14-r5. r6 and r7 cause a crash that i think happens
here. In the
+ * 2.6.16.9 official linux kernel, this part is switched
back, and the
+ * patch that applied the change is supposed to fix a race
condition
+ * that doesnt quite look like this. maybe the if (!skb-dev)
check is
+ * ok, but i'm trying out looking like upstream first.
+ * 1431_15.4_bridge-netfilter-race.patch
+ */
+/* if (!skb->dev)
+ * kfree_skb(skb);
+ * else {
+ * if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+ * skb_pull(skb, VLAN_HLEN);
+ * skb->nh.raw += VLAN_HLEN;
+ * }
+ * skb->dst->output(skb);
+ */
+ if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+ skb_push(skb, VLAN_HLEN);
+ skb->nh.raw -= VLAN_HLEN;
+ /* end of change */
}
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev,
NULL,
- br_handle_frame_finish, 1);
+ br_handle_frame_finish, 1);
return 0;
}
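
Review bot: the replacement block starting at `if (skb->protocol == __constant_htons(ETH_P_8021Q))` drops the `if (!skb->dev)` guard together with the skb_pull() change, so `skb->dev`, which was just assigned from `nf_bridge->physindev`, reaches NF_HOOK_THRESH() without a NULL check. The added comment itself says the check may be fine, so consider keeping the guard and reverting only the skb_pull()/`skb->nh.raw += VLAN_HLEN` pair to skb_push()/`-=`; that would also show which of the two changes triggers the panic. The old code should be deleted rather than left commented out, the `/* end of change */` marker sits inside the if body, and the final -/+ pair on `br_handle_frame_finish, 1);` appears to differ only in whitespace and can be dropped from the patch.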