https://github.com/torvalds/linux
Revision 661697f728d75302e1f661a58db2fcba71d5cbc9 authored by Joy Latten on 13 April 2007, 23:14:35 UTC, committed by David S. Miller on 13 April 2007, 23:14:35 UTC
When sending a security context of 50+ characters in an ACQUIRE
message, the following kernel panic occurred.

kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0]
    pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8
    lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8
    sp: c0000000421bb560
   msr: 8000000000029032
  current = 0xc00000000fce8f00
  paca    = 0xc000000000464b00
    pid   = 2303, comm = ping
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
enter ? for help
3:mon> t
[c0000000421bb650] c00000000033538c .km_query+0x6c/0xec
[c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88
[c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c
[c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0
[c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4
[c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374
[c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4
[c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120
[c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214
[c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at 0000000007f0ca9c
SP (fc0ef8f0) is in userspace

We are using the size of the security context from xfrm_policy to determine
how much space to alloc for the skb and then putting the security context from
xfrm_state into the skb. We should have been using the size of the security context
from xfrm_state to alloc the skb. The following fix does that.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 279e172
[IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIRE
File Mode Size
irq
power
time
.gitignore -rw-r--r-- 51 bytes
Kconfig.hz -rw-r--r-- 1.6 KB
Kconfig.preempt -rw-r--r-- 2.3 KB
Makefile -rw-r--r-- 2.9 KB
acct.c -rw-r--r-- 15.9 KB
audit.c -rw-r--r-- 34.3 KB
audit.h -rw-r--r-- 4.6 KB
auditfilter.c -rw-r--r-- 42.9 KB
auditsc.c -rw-r--r-- 49.1 KB
capability.c -rw-r--r-- 6.7 KB
compat.c -rw-r--r-- 27.7 KB
configs.c -rw-r--r-- 3.2 KB
cpu.c -rw-r--r-- 7.2 KB
cpuset.c -rw-r--r-- 77.9 KB
delayacct.c -rw-r--r-- 4.3 KB
dma.c -rw-r--r-- 3.7 KB
exec_domain.c -rw-r--r-- 4.3 KB
exit.c -rw-r--r-- 41.7 KB
extable.c -rw-r--r-- 2.0 KB
fork.c -rw-r--r-- 42.2 KB
futex.c -rw-r--r-- 43.9 KB
futex_compat.c -rw-r--r-- 3.7 KB
hrtimer.c -rw-r--r-- 35.0 KB
itimer.c -rw-r--r-- 9.2 KB
kallsyms.c -rw-r--r-- 11.0 KB
kexec.c -rw-r--r-- 28.9 KB
kfifo.c -rw-r--r-- 5.1 KB
kmod.c -rw-r--r-- 9.6 KB
kprobes.c -rw-r--r-- 23.4 KB
ksysfs.c -rw-r--r-- 2.3 KB
kthread.c -rw-r--r-- 6.8 KB
latency.c -rw-r--r-- 8.4 KB
lockdep.c -rw-r--r-- 69.5 KB
lockdep_internals.h -rw-r--r-- 2.4 KB
lockdep_proc.c -rw-r--r-- 10.3 KB
module.c -rw-r--r-- 62.9 KB
mutex-debug.c -rw-r--r-- 3.1 KB
mutex-debug.h -rw-r--r-- 1.7 KB
mutex.c -rw-r--r-- 9.4 KB
mutex.h -rw-r--r-- 1.1 KB
nsproxy.c -rw-r--r-- 2.9 KB
panic.c -rw-r--r-- 6.7 KB
params.c -rw-r--r-- 17.3 KB
pid.c -rw-r--r-- 10.2 KB
posix-cpu-timers.c -rw-r--r-- 42.5 KB
posix-timers.c -rw-r--r-- 28.0 KB
printk.c -rw-r--r-- 28.1 KB
profile.c -rw-r--r-- 15.7 KB
ptrace.c -rw-r--r-- 11.0 KB
rcupdate.c -rw-r--r-- 17.4 KB
rcutorture.c -rw-r--r-- 26.9 KB
relay.c -rw-r--r-- 26.2 KB
resource.c -rw-r--r-- 15.9 KB
rtmutex-debug.c -rw-r--r-- 5.7 KB
rtmutex-debug.h -rw-r--r-- 1.4 KB
rtmutex-tester.c -rw-r--r-- 9.0 KB
rtmutex.c -rw-r--r-- 25.3 KB
rtmutex.h -rw-r--r-- 1.1 KB
rtmutex_common.h -rw-r--r-- 3.2 KB
rwsem.c -rw-r--r-- 2.4 KB
sched.c -rw-r--r-- 173.0 KB
seccomp.c -rw-r--r-- 1.1 KB
signal.c -rw-r--r-- 67.6 KB
softirq.c -rw-r--r-- 14.4 KB
softlockup.c -rw-r--r-- 4.0 KB
spinlock.c -rw-r--r-- 10.6 KB
srcu.c -rw-r--r-- 8.5 KB
stacktrace.c -rw-r--r-- 462 bytes
stop_machine.c -rw-r--r-- 4.8 KB
sys.c -rw-r--r-- 53.5 KB
sys_ni.c -rw-r--r-- 3.9 KB
sysctl.c -rw-r--r-- 54.7 KB
taskstats.c -rw-r--r-- 12.1 KB
time.c -rw-r--r-- 18.7 KB
timer.c -rw-r--r-- 50.3 KB
tsacct.c -rw-r--r-- 3.8 KB
uid16.c -rw-r--r-- 5.1 KB
user.c -rw-r--r-- 5.4 KB
utsname.c -rw-r--r-- 2.0 KB
utsname_sysctl.c -rw-r--r-- 3.4 KB
wait.c -rw-r--r-- 7.3 KB
workqueue.c -rw-r--r-- 20.9 KB