David S. Miller wrote:
Yes. This backtrace is very strange. Let me take this
chance to get on my podium and re-express my distaste
for x86's inaccurate backtraces. They make debugging so
difficult. It's time for some dwarf2 unwind table support
the kernel x86 backtracer and a way to enable it during the
build.
My current guess is that this is some successful exploit
of some as-yet-unknown issue in netfilter's fragmentation
handling. But that's just a guess. If some code underruns
skb->data somehow while unfragging/refragging, that's a sure
fire way to corrupt things such as the skb->ip_summed field.
That's what I suspect too. There is still the possibility of skbs
"jumping" through the stack between ip_defrag callers, the same
problem that caused the crashes on conntrack module unload fixed
by Olaf Kirch some time ago. This could theoretically cause skbs
from PRE_ROUTING to show up in POST_ROUTING and continue from
there on if NAT is used. Perhaps we should add a "user"-argument
to ip_defrag and keep fragment queues private to a single user.
Regards
Patrick
|