Description of problem: We found out that various kernel versions (2.6.18-xxx) crash with IPsec. This situation occurs with special clients (Netscreen firewall, Cisco PIX) and can be reproduced on various platforms. We have an example stacktrace here. The bug is located in the kernel, not in the tools. We exchanged the ipsec-tools, no change.
Version-Release number of selected component (if applicable): 2.6.18-x (all versions)
How reproducible: Very difficult, since it only occurs after some time (30min - 3 days) and only with Netscreen firewalls or Cisco PIX.
Steps to Reproduce:
1. Using ipsec-tools and configure tunnels
2. wait...
3.
Actual results:
Expected results:
Additional info: I also have a compressed crashdump if anyone needs it (18 MB compressed...)
Created attachment 272881 [details] Example panic from a VM (happens also with physical machines!!!)
It turns out that this bug is a crasher FOR ALL 2.6.x kernels, including all RHEL, Fedora, and pristine kernels! Herbert was informed via security about this bug; it is a fragmentation problem (if the ESP header is fragmented before the IV ends, BUG() is called). Here is the fix:
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 1738113..0f307f1 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) int padlen; int err; - if (!pskb_may_pull(skb, sizeof(*esph))) + if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) goto out; if (elen <= 0 || (elen & (blksize-1))) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 4440532..d993fa0 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) int nfrags; int ret = 0; - if (!pskb_may_pull(skb, sizeof(*esph))) { + if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) { ret = -EINVAL; goto out; }
My colleague Andreas Ferber is currently writing a CVE, CVE-2007-6282.
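Review bot: In the esp4.c hunk the new condition dereferences `esp->conf.ivlen`, but `esp` does not appear in the three lines of context shown; confirm that `esp` is assigned from the xfrm state before this pull, since the old check only needed `esph`. The same applies to the esp6.c hunk, which otherwise mirrors the IPv4 change and keeps the existing `ret = -EINVAL; goto out;` path. Also note from the later comment in this thread that the aead interface changed how the IV size is accessed, so `esp->conf.ivlen` will not apply cleanly on trees using that interface.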
Hi, any updates on this issue? Without this patch, every 2.6 kernel can crash with only one fragmented packet. Dirk
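A user-space model of the check the patch changes, added here as an illustration and not code from the thread or the kernel. It assumes a toy sk_buff with a linear head and paged remainder, and a constructed 68-byte ESP packet whose first fragment ends 4 bytes into a 16-byte IV; the old header-only pull lets the input path read the IV outside the linear area, the patched pull linearizes it first.

```c
#include <stddef.h>
#include <stdint.h>

/* On-wire ESP header: SPI and sequence number, followed by the IV. */
struct esp_hdr { uint32_t spi; uint32_t seq; };

/* Minimal model of an sk_buff: `linear` bytes are directly addressable in the
 * head buffer, the rest of the `total` bytes live in fragments. */
struct pkt { const uint8_t *head; size_t linear; size_t total; };

enum { ESP_OK = 0, ESP_DROP = -1, ESP_BAD_LEN = -2, ESP_UNSAFE_READ = -3 };

/* Model of pskb_may_pull(): succeed if the bytes exist, copying fragment data
 * into the linear area when needed; fail only if the packet is too short. */
static int pkt_may_pull(struct pkt *p, size_t n)
{
    if (n > p->total) return 0;
    if (n > p->linear) p->linear = n;   /* linearize the missing bytes */
    return 1;
}

/* ESP input check. `fixed` selects the pull length: header only (the old code)
 * or header plus IV (the patch). Returns ESP_UNSAFE_READ where the old code
 * would read the IV from memory outside the linear area, i.e. the crash. */
int esp_input_check(struct pkt *p, size_t ivlen, size_t blksize, size_t alen, int fixed)
{
    size_t pull = sizeof(struct esp_hdr) + (fixed ? ivlen : 0);
    if (!pkt_may_pull(p, pull))
        return ESP_DROP;
    /* elen is derived from the full packet length, as in esp_input() */
    long elen = (long)p->total - (long)(sizeof(struct esp_hdr) + ivlen + alen);
    if (elen <= 0 || (elen & (long)(blksize - 1)))
        return ESP_BAD_LEN;
    /* The IV is read right after the header without another pull: is it there? */
    if (p->linear < sizeof(struct esp_hdr) + ivlen)
        return ESP_UNSAFE_READ;
    return ESP_OK;
}

/* Constructed sample: a 68-byte ESP packet (8 header + 16 IV + 32 payload +
 * 12 ICV) whose first fragment holds only the header and 4 bytes of the IV. */
static const uint8_t sample_head[12] = {0,0,0,1, 0,0,0,7, 0xde,0xad,0xbe,0xef};

int demo(int fixed)
{
    struct pkt p = { sample_head, 12, 68 };
    return esp_input_check(&p, 16, 16, 12, fixed);
}
```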
Hi Dirk, Sorry for the delay and thanks for the ping. I've just posted an updated patch to netdev again a few minutes ago and davem already merged it. It seems that the original patch posted earlier did not apply as the new aead interface changed how the ivsize is accessed. Somehow updating the patch to use the new interface got lost in the cracks. Muchas gracias again.
Created attachment 299408 [details] patch as merged upstream
http://marc.info/?l=linux-netdev&m=120372380411259&w=2 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=920fc941a9617f95ccb283037fe6f8a38d95bb69
I am hearing a report that this patch breaks ESP when used with openswan.
It seems the report was made on a kernel < 2.6.18-92.el5. This version reportedly works fine.
(In reply to comment #13) > I am hearing a report that this patch breaks ESP when used with openswan. This may be true here. After upgrading to 2.6.18-53.1.21.el5, the AT&T Global Network Client (mtsconnect - version 0.4 2004/08/24) broke on my machine. It uses IPsec to set up a VPN to connect to the corporate intranet. I had to roll back to 2.6.18-53.1.19.el5 for this. Hope this can be fixed. If there's anything I can help with (testing or patch shooting, etc.) please let me know. Thanks!
Same for us, we switched yesterday to the new version and our racoon IPsec tunnels break! Currently we switched back from .21 to .19, which works flawlessly.
Regression for Red Hat Enterprise Linux 5 was resolved in the RHEL 5.2 kernel packages kernel-2.6.18-92.el5 and later.
I can confirm that 2.6.18-92.el5 works.