Bug 597134 - hardened-sources-4.7.7: null pointer dereference when using tproxy
Summary: hardened-sources-4.7.7: null pointer dereference when using tproxy
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2016-10-14 20:31 UTC by Alexander Sergeyev
Modified: 2018-01-31 09:56 UTC (History)
Attachments
the working patch (for me) (tproxy-refcounter-bugfix.patch, 877 bytes, patch), 2016-10-14 20:31 UTC, Alexander Sergeyev
emerge --info (emerge-info-1, 3.38 KB, text/plain), 2016-10-20 10:30 UTC, Alexander Sergeyev
kernel config (kernel-config, 94.65 KB, text/plain), 2016-10-20 10:30 UTC, Alexander Sergeyev

Description Alexander Sergeyev 2016-10-14 20:31:29 UTC
Created attachment 450226 [details, diff]
the working patch (for me)

Hello,
I'm testing a transparent proxying setup with squid web proxy (with tproxy). The first query, which is intercepted by the proxy, usually returns, but the second leads to problems. These problems include server hangs and reboots via watchdog (most probably kernel panic), kernel messages about "null pointer dereference" and "Attempt to release TCP socket in state 10". An example is given at the end of the post.

Doing a little research, I found a mailing list with a similar problem: https://www.mail-archive.com/netdev@vger.kernel.org/msg123468.html

The proposed patch from the mailing list works for me (I attached it here). I'm not sure why it's not in the upstream yet though. 

kernel: IPv4: Attempt to release TCP socket in state 10 ffff8807f6e79680
<...>
kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
kernel: IP: [<ffffffff8135c764>] 0xffffffff8135c764
kernel: PGD 0
kernel: Oops: 0000 [#1] SMP
kernel: CPU: 0 PID: 2983 Comm: squid Not tainted 4.7.7-hardened #2
kernel: Hardware name: Supermicro X10SLL-F/X10SLL-F, BIOS 2.0 04/24/2014
kernel: task: ffff8807f8b8f0c0 ti: ffff8807f8b8f750 task.ti: ffff8807f8b8f750
kernel: RIP: 0010:[<ffffffff8135c764>]  [<ffffffff8135c764>] 0xffffffff8135c764
kernel: RSP: 0018:ffffc90006713c20  EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
kernel: RDX: ffff8807f6ef7480 RSI: ffff8807f6e79680 RDI: ffffc90006713c78
kernel: RBP: ffffc90006713c98 R08: ffffc90006713c40 R09: 0000000000000000
kernel: R10: 0000000000000000 R11: 0000000000000246 R12: ffff8807f6e79680
kernel: R13: ffff8807f8b8f0c0 R14: ffffc90006713d28 R15: ffff8807fbc1d600
kernel: FS:  0000036289839740(0000) GS:ffff88081fc00000(0000) knlGS:0000000000000000 
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000010 CR3: 0000000001ea6000 CR4: 00000000001606f0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Stack:
kernel:  ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 ffffffffffff4111
kernel:  0000000000000000 0000000000000000 0000000000000000 0000000000000000
kernel:  0000000000000000 0000000000000000 0000000000000000 80196bbcd37b205e
kernel: Call Trace:
kernel:  [<ffffffff8135c8ef>] 0xffffffff8135c8ef
kernel:  [<ffffffff813591e6>] 0xffffffff813591e6
kernel:  [<ffffffff81870073>] 0xffffffff81870073
kernel:  [<ffffffff81870151>] 0xffffffff81870151
kernel:  [<ffffffff8121a15b>] 0xffffffff8121a15b
kernel:  [<ffffffff8121a2b1>] 0xffffffff8121a2b1
kernel:  [<ffffffff8121a9d8>] 0xffffffff8121a9d8
kernel:  [<ffffffff81a194d9>] 0xffffffff81a194d9
kernel: Code: 25 28 00 00 00 48 89 45 e0 31 c0 4c 8d 45 a8 31 c0 b9 07 00 00 00 4d 8b 94 24 58 02 00 00 4c 89 c7 f3 48 ab 49 8b 95 c8 06 00 00 <41> 8b 72 10 83 fe 01 74 >
kernel: RIP  [<ffffffff8135c764>] 0xffffffff8135c764
kernel:  RSP <ffffc90006713c20> 
kernel: CR2: 0000000000000010
kernel: ---[ end trace 3167cad96581af32 ]---
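The oops quoted above is the kind of log a practitioner triages before deciding whether a crash is a plain NULL dereference, a reference-count bug, or wider memory corruption. The script below is an added example written for this page, not code from the bug report, the kernel, squid or Gentoo. It parses the report's own oops lines (embedded below, abbreviated), decodes the x86 page-fault error code printed after "Oops:", and maps the socket state number in the "Attempt to release TCP socket in state 10" warning (printed by inet_sock_destruct when a socket is destroyed in any state other than TCP_CLOSE) to its name from include/net/tcp_states.h. The dataclass fields, regular expressions and verdict wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 4096  # a fault address below the first page is a NULL pointer plus a field offset
# TCP socket states from include/net/tcp_states.h; the report's "state 10" is TCP_LISTEN.
TCP_STATES = {1: "TCP_ESTABLISHED", 2: "TCP_SYN_SENT", 3: "TCP_SYN_RECV", 4: "TCP_FIN_WAIT1",
              5: "TCP_FIN_WAIT2", 6: "TCP_TIME_WAIT", 7: "TCP_CLOSE", 8: "TCP_CLOSE_WAIT",
              9: "TCP_LAST_ACK", 10: "TCP_LISTEN", 11: "TCP_CLOSING", 12: "TCP_NEW_SYN_RECV"}

# Line formats of a 4.x-era x86-64 oops as shown in the report above (newer kernels differ).
RE_FAULT = re.compile(r"unable to handle kernel .* at ([0-9a-f]+)")
RE_RIP = re.compile(r"^IP: \[<([0-9a-f]+)>\] (\S+)")
RE_OOPS = re.compile(r"^Oops: ([0-9a-f]{4}) \[#(\d+)\]")
RE_TASK = re.compile(r"^CPU: (\d+) PID: (\d+) Comm: (\S+) (Not tainted|Tainted: .*?) (\d\S*)")
RE_RELEASE = re.compile(r"Attempt to release TCP socket in state (\d+) ([0-9a-f]+)")
RE_FRAME = re.compile(r"^\[<([0-9a-f]+)>\] (?:\? )?(\S+)$")


@dataclass
class Oops:
    fault_addr: Optional[int] = None     # from the "unable to handle ... at" line
    rip: Optional[int] = None
    error_code: Optional[int] = None     # x86 page-fault error code printed after "Oops:"
    pid: Optional[int] = None
    comm: str = ""
    tainted: Optional[bool] = None
    kernel: str = ""
    release_state: Optional[int] = None  # from inet_sock_destruct's warning, if printed
    release_sock: str = ""
    call_trace: List[int] = field(default_factory=list)
    symbolized: bool = True              # False when trace frames are bare addresses

def parse_oops(text: str) -> Oops:
    o, in_trace = Oops(), False
    for raw in text.splitlines():
        # Drop the syslog "kernel:" prefix so headers and frames are anchored at column 0.
        line = raw.split("kernel:", 1)[1].strip() if "kernel:" in raw else raw.strip()
        if in_trace:
            m = RE_FRAME.match(line)
            if m:
                o.call_trace.append(int(m.group(1), 16))
                if m.group(2).startswith("0x"):
                    o.symbolized = False
                continue
            in_trace = False  # the first non-frame line ends the trace
        if line.startswith("Call Trace:"):
            in_trace = True
        elif m := RE_FAULT.search(line):
            o.fault_addr = int(m.group(1), 16)
        elif m := RE_RIP.match(line):
            o.rip = int(m.group(1), 16)
        elif m := RE_OOPS.match(line):
            o.error_code = int(m.group(1), 16)
        elif m := RE_TASK.match(line):
            o.pid, o.comm, o.kernel = int(m.group(2)), m.group(3), m.group(5)
            o.tainted = m.group(4) != "Not tainted"
        elif m := RE_RELEASE.search(line):
            o.release_state, o.release_sock = int(m.group(1)), m.group(2)
    return o

def tcp_state_name(state: int) -> str:
    return TCP_STATES.get(state, f"unknown({state})")

def decode_error_code(code: int) -> List[str]:
    """x86 page-fault error code: bit0 protection, bit1 write, bit2 user, bit3 reserved, bit4 fetch."""
    bits = ["protection violation" if code & 1 else "page not present",
            "write" if code & 2 else "read", "user mode" if code & 4 else "kernel mode"]
    return bits + (["reserved bit set"] if code & 8 else []) + (["instruction fetch"] if code & 16 else [])

def classify(o: Oops) -> str:
    """One-line triage verdict combining the fault address, access type and the socket warning."""
    if o.fault_addr is None:
        return "no faulting address found"
    access = decode_error_code(o.error_code)[1] if o.error_code is not None else "access"
    verdict = (f"NULL pointer dereference ({access} of a field at offset {o.fault_addr:#x})"
               if o.fault_addr < PAGE_SIZE else f"bad paging request ({access} at {o.fault_addr:#x})")
    if o.release_state is not None and o.release_state != 7:  # 7 == TCP_CLOSE, the only legal state here
        verdict += (f"; a socket was destroyed in {tcp_state_name(o.release_state)}, so its last reference "
                    "was dropped while it was still live (consistent with a refcount bug)")
    if not o.symbolized:
        verdict += "; frames are unsymbolized, resolve them against System.map of this exact build"
    return verdict

# Relevant lines of the oops quoted in the report above, abbreviated to what the parser consumes.
SAMPLE_OOPS = """\
kernel: IPv4: Attempt to release TCP socket in state 10 ffff8807f6e79680
kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
kernel: IP: [<ffffffff8135c764>] 0xffffffff8135c764
kernel: Oops: 0000 [#1] SMP
kernel: CPU: 0 PID: 2983 Comm: squid Not tainted 4.7.7-hardened #2
kernel: Call Trace:
kernel:  [<ffffffff8135c8ef>] 0xffffffff8135c8ef
kernel:  [<ffffffff813591e6>] 0xffffffff813591e6
"""

if __name__ == "__main__":
    info = parse_oops(SAMPLE_OOPS)
    print(f"{info.comm}[{info.pid}] on {info.kernel}: {classify(info)}")
```

Two things the parser surfaces that the raw text does not say outright: a fault address of 0x10 with error code 0000 means the kernel read a field at offset 16 through a NULL pointer rather than through a wild one, and a socket destroyed in TCP_LISTEN means its last reference was dropped while it was still a live listener, which is what a reference-counting error on the TPROXY socket lookup path would look like (the reporter's attachment is named tproxy-refcounter-bugfix.patch). The register dump above also shows the released socket pointer ffff8807f6e79680 in RSI and R12, consistent with the faulting code still operating on that socket. The trace frames carry no symbol names, so the addresses have to be resolved against the System.map or vmlinux of that exact hardened build before the RIP can be tied to a function.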
Comment 1 Alexander Sergeyev 2016-10-20 10:30:01 UTC
Created attachment 450808 [details]
emerge --info
Comment 2 Alexander Sergeyev 2016-10-20 10:30:33 UTC
Created attachment 450810 [details]
kernel config
Comment 3 Alexander Sergeyev 2016-10-20 10:36:27 UTC
iptables rules to enable transparent proxying:

-t mangle -N tproxy_bypass
-t mangle -A tproxy_bypass -j MARK --set-xmark 0x10/0x10
-t mangle -A tproxy_bypass -j ACCEPT
-t mangle -A PREROUTING -p tcp -m socket --transparent -j tproxy_bypass
-t mangle -A PREROUTING ! -d $LOCAL_NET -i $INNER_IFACE -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --on-ip 0.0.0.0 --tproxy-mark 0x10/0x0
-t mangle -A PREROUTING ! -d $LOCAL_NET -i $INNER_IFACE -p tcp -m tcp --dport 443 -j TPROXY --on-port 50443 --on-ip 0.0.0.0 --tproxy-mark 0x10/0x0

routing adjustments:

ip rule add fwmark 0x10/0x10 table 10
ip route add local default dev lo table 10
Comment 4 Alexander Sergeyev 2016-11-11 16:20:03 UTC
Good news, everyone! The request could be closed since the patch landed in sys-kernel/hardened-sources-4.8.6.