Bug 126021 - Kernel crash by user with traceroute6
Summary: Kernel crash by user with traceroute6
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: David Miller
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-06-15 12:18 UTC by Per Steinar Iversen
Modified: 2007-11-30 22:10 UTC (History)
0 users

Clone Of:
Last Closed: 2004-07-22 21:17:55 UTC

Attachments (Terms of Use)
Syslog output when using traceroute6 (2.74 KB, text/plain)
2004-06-15 12:22 UTC, Per Steinar Iversen
no flags Details
Fix for traceroute6 kernel crash (1.44 KB, patch)
2004-06-17 20:45 UTC, David Miller
no flags Details | Diff
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1 (3.08 KB, text/plain)
2004-07-01 18:39 UTC, Nick Lamb
no flags Details

Description Per Steinar Iversen 2004-06-15 12:18:45 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040116

Description of problem:
If a machine has IPv6 connectivity through a tunnel then any user can
crash the kernel by issuing a traceroute6 with a packet size equal to
or larger than the MTU of the tunnel device. The actual behaviour
seems to depend a bit on the selected packet size, some sizes produce
at least some syslog output before freezing.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add IPv6 by opening a tunnel (sit device)
2. Use traceroute6 with large packets as ordinary user. The packets
must be equal to or larger than the MTU of the tunnel device. Example:
traceroute6 www.kame.net 1500
3. Kernel crashes

Actual Results:  Machine freezes, some debug output on the console.

Expected Results:  At most an error message.

Additional info:

Comment 1 David Woodhouse 2004-06-15 12:21:46 UTC
Bug report useless unless 'some debug output' is actually present in
the bug report.

Comment 2 Per Steinar Iversen 2004-06-15 12:22:00 UTC
Created attachment 101144 [details]
Syslog output when using traceroute6

Comment 3 David Miller 2004-06-16 18:29:28 UTC
I've asked Yoshifuji Hideaki of the USAGI project to take
a  look at this.

Comment 4 Per Steinar Iversen 2004-06-17 07:34:08 UTC
Possibly bug 125958 is related to this one.

Comment 5 David Miller 2004-06-17 20:45:32 UTC
Created attachment 101228 [details]
Fix for traceroute6 kernel crash

This will definitely fix the problem.

Comment 6 Nick Lamb 2004-07-01 18:39:38 UTC
Created attachment 101567 [details]
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1

I see a very similar bug with 2.6.6-1.435 and 2.6.6.-1.435.2.1 when doing IPv6
SSM transmissions (Hi again David). The crashlog attachment is for 435.2.1, and
the flute binary is MAD-FLUTE v1.0 which you can Google for if necessary.

Is it impolite to ask for an ETA on Fedora kernel updates?

For anyone watching at home, reverting to the 2.6.5 FC2 release kernel fixes

Comment 7 David Miller 2004-07-01 20:40:45 UTC
The current Fedora2 kernel should have this fix in it.

Comment 8 Nick Lamb 2004-07-02 13:21:57 UTC
My IPv6 SSM crash still happens with .435-2.3, so it must be a
different problem.

I've created bug 127131 to cover that, I'm guessing you'll need to
take a look Dave.

Comment 9 David Miller 2004-07-22 21:17:55 UTC
So let's close this one and address the multicast ipv6 issue
in your bz#127131

Note You need to log in before you can comment on or make changes to this bug.