Bug 126021 - Kernel crash by user with traceroute6
Summary: Kernel crash by user with traceroute6
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: David Miller
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-06-15 12:18 UTC by Per Steinar Iversen
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-07-22 21:17:55 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Syslog output when using traceroute6 (2.74 KB, text/plain)
2004-06-15 12:22 UTC, Per Steinar Iversen 		no flags Details
Fix for traceroute6 kernel crash (1.44 KB, patch)
2004-06-17 20:45 UTC, David Miller 		no flags Details | Diff
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1 (3.08 KB, text/plain)
2004-07-01 18:39 UTC, Nick Lamb 		no flags Details
View All

Description Per Steinar Iversen 2004-06-15 12:18:45 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040116

Description of problem:
If a machine has IPv6 connectivity through a tunnel then any user can
crash the kernel by issuing a traceroute6 with a packet size equal to
or larger than the MTU of the tunnel device. The actual behaviour
seems to depend a bit on the selected packet size, some sizes produce
at least some syslog output before freezing.

Version-Release number of selected component (if applicable):
2.6.6-1.435

How reproducible:
Always

Steps to Reproduce:
1. Add IPv6 by opening a tunnel (sit device)
2. Use traceroute6 with large packets as ordinary user. The packets
must be equal to or larger than the MTU of the tunnel device. Example:
traceroute6 www.kame.net 1500
3. Kernel crashes
    

Actual Results:  Machine freezes, some debug output on the console.

Expected Results:  At most an error message.

Additional info:
Comment 1 David Woodhouse 2004-06-15 12:21:46 UTC 
Bug report useless unless 'some debug output' is actually present in
the bug report.
Comment 2 Per Steinar Iversen 2004-06-15 12:22:00 UTC 
Created attachment 101144 [details]
Syslog output when using traceroute6
Comment 3 David Miller 2004-06-16 18:29:28 UTC 
I've asked Yoshifuji Hideaki of the USAGI project to take
a  look at this.
Comment 4 Per Steinar Iversen 2004-06-17 07:34:08 UTC 
Possibly bug 125958 is related to this one.
Comment 5 David Miller 2004-06-17 20:45:32 UTC 
Created attachment 101228 [details]
Fix for traceroute6 kernel crash

This will definitely fix the problem.
Comment 6 Nick Lamb 2004-07-01 18:39:38 UTC 
Created attachment 101567 [details]
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1

I see a very similar bug with 2.6.6-1.435 and 2.6.6.-1.435.2.1 when doing IPv6
SSM transmissions (Hi again David). The crashlog attachment is for 435.2.1, and
the flute binary is MAD-FLUTE v1.0 which you can Google for if necessary.

Is it impolite to ask for an ETA on Fedora kernel updates?

For anyone watching at home, reverting to the 2.6.5 FC2 release kernel fixes
this
Comment 7 David Miller 2004-07-01 20:40:45 UTC 
The current Fedora2 kernel should have this fix in it.
Comment 8 Nick Lamb 2004-07-02 13:21:57 UTC 
My IPv6 SSM crash still happens with .435-2.3, so it must be a
different problem.

I've created bug 127131 to cover that, I'm guessing you'll need to
take a look Dave.
Comment 9 David Miller 2004-07-22 21:17:55 UTC 
So let's close this one and address the multicast ipv6 issue
in your bz#127131
Note You need to log in before you can comment on or make changes to this bug.