Bug 126021 - Kernel crash by user with traceroute6
Kernel crash by user with traceroute6
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
2
i686 Linux
medium Severity high
: ---
: ---
Assigned To: David Miller
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-15 08:18 EDT by Per Steinar Iversen
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-07-22 17:17:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Syslog output when using traceroute6 (2.74 KB, text/plain)
2004-06-15 08:22 EDT, Per Steinar Iversen
no flags Details
Fix for traceroute6 kernel crash (1.44 KB, patch)
2004-06-17 16:45 EDT, David Miller
no flags Details | Diff
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1 (3.08 KB, text/plain)
2004-07-01 14:39 EDT, Nick Lamb
no flags Details

  None (edit)
Description Per Steinar Iversen 2004-06-15 08:18:45 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040116

Description of problem:
If a machine has IPv6 connectivity through a tunnel then any user can
crash the kernel by issuing a traceroute6 with a packet size equal to
or larger than the MTU of the tunnel device. The actual behaviour
seems to depend a bit on the selected packet size, some sizes produce
at least some syslog output before freezing.

Version-Release number of selected component (if applicable):
2.6.6-1.435

How reproducible:
Always

Steps to Reproduce:
1. Add IPv6 by opening a tunnel (sit device)
2. Use traceroute6 with large packets as ordinary user. The packets
must be equal to or larger than the MTU of the tunnel device. Example:
traceroute6 www.kame.net 1500
3. Kernel crashes
    

Actual Results:  Machine freezes, some debug output on the console.

Expected Results:  At most an error message.

Additional info:
Comment 1 David Woodhouse 2004-06-15 08:21:46 EDT
Bug report useless unless 'some debug output' is actually present in
the bug report.
Comment 2 Per Steinar Iversen 2004-06-15 08:22:00 EDT
Created attachment 101144 [details]
Syslog output when using traceroute6
Comment 3 David Miller 2004-06-16 14:29:28 EDT
I've asked Yoshifuji Hideaki of the USAGI project to take
a  look at this.
Comment 4 Per Steinar Iversen 2004-06-17 03:34:08 EDT
Possibly bug 125958 is related to this one.
Comment 5 David Miller 2004-06-17 16:45:32 EDT
Created attachment 101228 [details]
Fix for traceroute6 kernel crash

This will definitely fix the problem.
Comment 6 Nick Lamb 2004-07-01 14:39:38 EDT
Created attachment 101567 [details]
Excerpt from logs for IPv6 bug on 2.6.6-1.435.2.1

I see a very similar bug with 2.6.6-1.435 and 2.6.6.-1.435.2.1 when doing IPv6
SSM transmissions (Hi again David). The crashlog attachment is for 435.2.1, and
the flute binary is MAD-FLUTE v1.0 which you can Google for if necessary.

Is it impolite to ask for an ETA on Fedora kernel updates?

For anyone watching at home, reverting to the 2.6.5 FC2 release kernel fixes
this
Comment 7 David Miller 2004-07-01 16:40:45 EDT
The current Fedora2 kernel should have this fix in it.
Comment 8 Nick Lamb 2004-07-02 09:21:57 EDT
My IPv6 SSM crash still happens with .435-2.3, so it must be a
different problem.

I've created bug 127131 to cover that, I'm guessing you'll need to
take a look Dave.
Comment 9 David Miller 2004-07-22 17:17:55 EDT
So let's close this one and address the multicast ipv6 issue
in your bz#127131

Note You need to log in before you can comment on or make changes to this bug.