#!/usr/bin/python
#
# Copyright 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ----------------------------------------------------------------------

# This test triggers a kernel panic on 4.9.114+; the panic is fixed in 4.9.136.
#
# Crash was introduced by ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
# and reverted in 2edec22d18758c9b29301ded2291f051d65422e9

# ----------------------------------------------------------------------

# Panic output from an affected kernel:
#
# Modules linked in:
# Pid: 305, comm: python Not tainted 4.9.114
# RIP: 0033:[<0000000060272d73>]
# RSP: 000000007fd09a10 EFLAGS: 00010246
# RAX: 0000000060492fa8 RBX: 0000000060272b18 RCX: 000000007ff412a8
# RDX: 000000007ff41288 RSI: 000000007fd09a98 RDI: 000000007ff14a00
# RBP: 000000007fd09a40 R08: 0000000000000001 R09: 0100000000000000
# R10: 0000000000000000 R11: 000000007ff412a8 R12: 0000000000010002
# R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
# Kernel panic - not syncing: Kernel mode fault at addr 0x48, ip 0x60272d73
# CPU: 0 PID: 305 Comm: python Not tainted 4.9.114 #7
# Stack:
# 7fcd5000 7ff411e0 7ff14a00 7ff41000
# 00000000 00000000 7fd09b00 6031acd9
# 00000000 7ff41288 7ff4100c 100000003
# Call Trace:
# [<6031acd9>] ip6t_do_table+0x2a3/0x3d4
# [<6026d300>] ? netfilter_net_init+0xd5/0x14f
# [<6026d37a>] ? nf_iterate+0x0/0x5c
# [<6031c99d>] ip6table_filter_hook+0x21/0x23
# [<6026d3b2>] nf_iterate+0x38/0x5c
# [<6026d40a>] nf_hook_slow+0x34/0xa2
# [<6003166c>] ? set_signals+0x0/0x3f
# [<6003165d>] ? get_signals+0x0/0xf
# [<603045d4>] rawv6_sendmsg+0x842/0xc4b
# [<60033d15>] ? wait_stub_done+0x40/0x10a
# [<60021176>] ? copy_chunk_from_user+0x23/0x2e
# [<60021153>] ? copy_chunk_from_user+0x0/0x2e
# [<60302da3>] ? dst_output+0x0/0x11
# [<602b063a>] inet_sendmsg+0x1e/0x5c
# [<600fe142>] ? __fdget+0x15/0x17
# [<6022636c>] sock_sendmsg+0xf/0x62
# [<6022785d>] SyS_sendto+0x108/0x140
# [<600389c2>] ? arch_switch_to+0x2b/0x2e
# [<60367ce4>] ? __schedule+0x428/0x44f
# [<603678bc>] ? __schedule+0x0/0x44f
# [<60021125>] handle_syscall+0x79/0xa7
# [<6003445c>] userspace+0x3bb/0x453
# [<6001dd92>] ? interrupt_end+0x0/0x94
# [<6001dc42>] fork_handler+0x85/0x87
#
# /android/kernel/tests/net/test/run_net_test.sh: line 397: 50828 Aborted
# $KERNEL_BINARY umid=net_test mem=512M $blockdevice=$SCRIPT_DIR/$ROOTFS $netconfig $consolemode $cmdline 1>&2
# Returning exit code 134.
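
# ----------------------------------------------------------------------

import binascii
import os
import socket
import unittest

import net_test


class RemovedFeatureTest(net_test.NetworkTest):
    """Regression test for the netfilter policy-match panic described above.

    An OUTPUT rule using ``-m policy --dir out --pol ipsec`` is installed for
    the duration of each test, then two hand-built IPv6 fragments are sent to
    ::1 over a raw socket. On an affected kernel the send path faults inside
    ip6t_do_table (see the call trace in the file header). There is no
    explicit assertion: the test passes when both sends return and the
    kernel is still running.

    The test modifies the host's packet-filter rules and opens a raw socket,
    so it needs the corresponding privileges (CAP_NET_ADMIN / CAP_NET_RAW or
    root). The header shows it being run by run_net_test.sh against a
    dedicated test kernel binary.
    """

    # Rule specification shared by setUp and tearDown so that the rule that
    # is deleted is always exactly the rule that was inserted.
    _POLICY_RULE = "-m policy --dir out --pol ipsec"

    def setUp(self):
        """Insert the policy-match rule at the head of the OUTPUT chain."""
        # The first argument (6) presumably selects the IPv6 tables; confirm
        # against net_test.RunIptablesCommand.
        net_test.RunIptablesCommand(6, "-I OUTPUT 1 " + self._POLICY_RULE)

    def tearDown(self):
        """Remove the rule installed by setUp."""
        net_test.RunIptablesCommand(6, "-D OUTPUT " + self._POLICY_RULE)

    def testPolicyNetfilterFragPanic(self):
        """Send a two-fragment IPv6 packet to ::1 through the policy rule.

        Both packets are assembled as hex strings (IPv6 header, fragment
        header, zero-filled payload) and handed to a raw socket with the
        IPv6 header already included in the buffer.
        """
        ipv6_min_mtu = 1280
        ipv6_header_size = 40
        ipv6_frag_header_size = 8

        # The first fragment fills a minimum-MTU packet; the second carries
        # a single trailing byte.
        pkt1_frag_len = ipv6_min_mtu - ipv6_header_size - ipv6_frag_header_size
        pkt2_frag_len = 1

        ip6loopback = '00000000000000000000000000000001'  # ::1

        # 40 byte IPv6 header
        ver6 = '6'
        tclass = '00'
        flowlbl = '00000'
        # (uint16) payload length: size in octets of everything that follows
        # the IPv6 header, i.e. fragment header plus fragment payload.
        pkt1_plen = '%04x' % (ipv6_frag_header_size + pkt1_frag_len)
        pkt2_plen = '%04x' % (ipv6_frag_header_size + pkt2_frag_len)
        nexthdr = '2c'  # = 44 IPv6-Frag
        hoplimit = '00'
        src = ip6loopback
        dst = ip6loopback

        # 8 byte IPv6 fragmentation header
        frag_nexthdr = '00'
        frag_reserved = '00'
        # 13-bit offset, 2-bit reserved, 1-bit M[ore] flag.
        # pkt1: offset 0 with the M flag set.
        pkt1_frag_offset = '0001'
        # pkt2: pkt1_frag_len (1232) is a multiple of 8, so writing the byte
        # count directly leaves the low three bits (reserved + M) clear.
        pkt2_frag_offset = '%04x' % pkt1_frag_len
        frag_identification = '00000000'

        # Fragmentation payload
        pkt1_frag_payload = '00' * pkt1_frag_len
        pkt2_frag_payload = '00' * pkt2_frag_len

        pkt1 = (ver6 + tclass + flowlbl + pkt1_plen + nexthdr + hoplimit
                + src + dst
                + frag_nexthdr + frag_reserved + pkt1_frag_offset
                + frag_identification
                + pkt1_frag_payload)
        pkt2 = (ver6 + tclass + flowlbl + pkt2_plen + nexthdr + hoplimit
                + src + dst
                + frag_nexthdr + frag_reserved + pkt2_frag_offset
                + frag_identification
                + pkt2_frag_payload)

        # str.decode('hex') exists only on Python 2; unhexlify gives the same
        # bytes on both Python 2 and Python 3.
        frames = [binascii.unhexlify(pkt1), binascii.unhexlify(pkt2)]

        s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)
        try:
            for frame in frames:
                s.sendto(frame, ('::1', 0))
        finally:
            # Release the raw socket even if a send raises, so a failure here
            # does not leak the descriptor into later tests.
            s.close()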


# Script entry point: hand control to unittest's command-line runner.
if __name__ == "__main__":
    unittest.main()