1#!/usr/bin/python3
2#
3# Copyright 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17# ----------------------------------------------------------------------
18
19# This triggers a kernel panic on 4.9.114+ which is fixed in 4.9.136
20#
21# Crash was introduced by ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
22# and reverted in 2edec22d18758c9b29301ded2291f051d65422e9
23
24# ----------------------------------------------------------------------
25
26# Modules linked in:
27# Pid: 305, comm: python Not tainted 4.9.114
28# RIP: 0033:[<0000000060272d73>]
29# RSP: 000000007fd09a10  EFLAGS: 00010246
30# RAX: 0000000060492fa8 RBX: 0000000060272b18 RCX: 000000007ff412a8
31# RDX: 000000007ff41288 RSI: 000000007fd09a98 RDI: 000000007ff14a00
32# RBP: 000000007fd09a40 R08: 0000000000000001 R09: 0100000000000000
33# R10: 0000000000000000 R11: 000000007ff412a8 R12: 0000000000010002
34# R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
35# Kernel panic - not syncing: Kernel mode fault at addr 0x48, ip 0x60272d73
36# CPU: 0 PID: 305 Comm: python Not tainted 4.9.114 #7
37# Stack:
38#  7fcd5000 7ff411e0 7ff14a00 7ff41000
39#  00000000 00000000 7fd09b00 6031acd9
40#  00000000 7ff41288 7ff4100c 100000003
41# Call Trace:
42#  [<6031acd9>] ip6t_do_table+0x2a3/0x3d4
43#  [<6026d300>] ? netfilter_net_init+0xd5/0x14f
44#  [<6026d37a>] ? nf_iterate+0x0/0x5c
45#  [<6031c99d>] ip6table_filter_hook+0x21/0x23
46#  [<6026d3b2>] nf_iterate+0x38/0x5c
47#  [<6026d40a>] nf_hook_slow+0x34/0xa2
48#  [<6003166c>] ? set_signals+0x0/0x3f
49#  [<6003165d>] ? get_signals+0x0/0xf
50#  [<603045d4>] rawv6_sendmsg+0x842/0xc4b
51#  [<60033d15>] ? wait_stub_done+0x40/0x10a
52#  [<60021176>] ? copy_chunk_from_user+0x23/0x2e
53#  [<60021153>] ? copy_chunk_from_user+0x0/0x2e
54#  [<60302da3>] ? dst_output+0x0/0x11
55#  [<602b063a>] inet_sendmsg+0x1e/0x5c
56#  [<600fe142>] ? __fdget+0x15/0x17
57#  [<6022636c>] sock_sendmsg+0xf/0x62
58#  [<6022785d>] SyS_sendto+0x108/0x140
59#  [<600389c2>] ? arch_switch_to+0x2b/0x2e
60#  [<60367ce4>] ? __schedule+0x428/0x44f
61#  [<603678bc>] ? __schedule+0x0/0x44f
62#  [<60021125>] handle_syscall+0x79/0xa7
63#  [<6003445c>] userspace+0x3bb/0x453
64#  [<6001dd92>] ? interrupt_end+0x0/0x94
65#  [<6001dc42>] fork_handler+0x85/0x87
66#
67# /android/kernel/tests/net/test/run_net_test.sh: line 397: 50828 Aborted
68# $KERNEL_BINARY umid=net_test mem=512M $blockdevice=$SCRIPT_DIR/$ROOTFS $netconfig $consolemode $cmdline 1>&2
69# Returning exit code 134.
70
71# ----------------------------------------------------------------------
72
73import binascii
74import os
75import socket
76import unittest
77
78import net_test
79
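class RemovedFeatureTest(net_test.NetworkTest):
  """Regression test for the ip6t_do_table panic seen on 4.9.114..4.9.135.

  The fixture inserts an IPv6 'policy' match rule into the OUTPUT chain, and
  the test then writes two hand-built IPv6 fragments to ::1 through a raw
  socket.  On affected kernels one of the sends faulted inside ip6t_do_table
  (see the oops quoted in the file header); on fixed kernels the packets are
  processed normally and the test passes simply by not crashing the machine.
  There is deliberately nothing to assert.
  """

  # IPv6 constants (RFC 8200): minimum link MTU, fixed header size and
  # fragment extension header size, all in bytes.
  IPV6_MIN_MTU = 1280
  IPV6_HEADER_SIZE = 40
  IPV6_FRAG_HEADER_SIZE = 8

  # Loopback address ::1 as the 32 hex digits used in the packet text.
  IP6_LOOPBACK_HEX = '00000000000000000000000000000001'

  def setUp(self):
    # Insert at position 1 of the ip6tables OUTPUT chain so the policy match
    # is evaluated for the packets sent below.  The rule has no target, so it
    # never drops anything; it only has to be evaluated.
    net_test.RunIptablesCommand(6, "-I OUTPUT 1 -m policy --dir out --pol ipsec")

  def tearDown(self):
    # Remove the rule again so later tests run with an unmodified OUTPUT chain.
    net_test.RunIptablesCommand(6, "-D OUTPUT -m policy --dir out --pol ipsec")

  def _BuildFragment(self, frag_offset_field, payload_len):
    """Return one IPv6 fragment as hex: IPv6 header + frag header + payload.

    Args:
      frag_offset_field: int value of the 16-bit fragment header word, i.e.
        13-bit offset in 8-octet units, 2 reserved bits, then the M(ore) flag
        in the low bit.
      payload_len: number of zero bytes to place after the fragment header.

    Returns:
      The packet as a lowercase hex string, ready for binascii.unhexlify().
    """
    # 40 byte IPv6 header.
    ver6 = '6'
    tclass = '00'
    flowlbl = '00000'
    # (uint16) payload length: everything after the 40 byte header, in octets.
    plen = '%04x' % (self.IPV6_FRAG_HEADER_SIZE + payload_len)
    nexthdr = '2c'   # = 44, IPv6-Frag
    hoplimit = '00'
    src = self.IP6_LOOPBACK_HEX
    dst = self.IP6_LOOPBACK_HEX

    # 8 byte IPv6 fragmentation header.
    frag_nexthdr = '3b'   # = 59, No Next Header
    frag_reserved = '00'
    frag_offset = '%04x' % frag_offset_field
    frag_identification = '00000000'

    # Fragment payload: all zeros.
    frag_payload = '00' * payload_len

    return (ver6 + tclass + flowlbl + plen + nexthdr + hoplimit + src + dst
            + frag_nexthdr + frag_reserved + frag_offset + frag_identification
            + frag_payload)

  def testPolicyNetfilterFragPanic(self):
    """Send a first and a last IPv6 fragment to ::1 with the policy rule armed."""
    # First fragment: as much payload as fits in a minimum-MTU packet.
    pkt1_frag_len = (self.IPV6_MIN_MTU - self.IPV6_HEADER_SIZE
                     - self.IPV6_FRAG_HEADER_SIZE)
    # Second fragment: a single byte.
    pkt2_frag_len = 1

    # Offset 0, M=1: first fragment, more to follow.
    pkt1 = self._BuildFragment(0x0001, pkt1_frag_len)
    # pkt1_frag_len is a multiple of 8, so (pkt1_frag_len // 8) << 3 equals
    # pkt1_frag_len itself: offset = pkt1_frag_len bytes, M=0 (last fragment).
    pkt2 = self._BuildFragment(pkt1_frag_len, pkt2_frag_len)

    # The context manager also closes the socket when a sendto() raises.
    with socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
      s.sendto(binascii.unhexlify(pkt1), ('::1', 0))
      s.sendto(binascii.unhexlify(pkt2), ('::1', 0))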
133
134
if __name__ == "__main__":
  # Run the test case defined above when this file is invoked directly.
  unittest.main()
137