Bug#309308: kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#309308: kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets
From: Peter Sandstrom <peter.sandstrom@jajja.com>
Date: Mon, 16 May 2005 11:26:56 +0200
Message-id: <[🔎] E1DXbsW-0003eV-00@master.debian.org>
Reply-to: Peter Sandstrom <peter.sandstrom@jajja.com>, 309308@bugs.debian.org

Package: kernel-image-2.6.8-2-686-smp
Version: 2.6.8-13
Severity: critical
Tags: security
Justification: breaks the whole system


kernel oops while trying to do a snmpwalk from a remote host. the entire
udp stack becomes unresponsive and reboot fails when trying to bring
down network interfaces. unsure if this is exploitable for a DoS attack,
will investigate further when i have time if this not a know issue.

0000:01:01.0 Ethernet controller: Intel Corp. 82547GI Gigabit Ethernet
Controller
0000:03:02.0 Ethernet controller: Intel Corp. 82541GI/PI Gigabit
Ethernet Controller

vlan tagging is in use on the interface that recieves the udp packet
that causes the oops.

Unable to handle kernel NULL pointer dereference at virtual address
00000000
 printing eip:
f89f64f2
*pde = 00000000
Oops: 0000 [#1]
PREEMPT SMP
Modules linked in: deflate zlib_deflate twofish serpent aes_i586
blowfish des sha256 sha1 crypto_null af_key tun ipv6 8021q dm_mod
capability commoncap e1000 genrtc ext3 jbd mbcache sd_mod ata_piix
libata scsi_mod unix font vesafb cfbcopyarea cfbimgblt cfbfillrect
CPU:    1
EIP:    0060:[<f89f64f2>]    Not tainted
EFLAGS: 00010a86   (2.6.8-2-686-smp)
EIP is at e1000_shift_out_mdi_bits+0x22/0xa0 [e1000]
eax: ffffffff   ebx: 80000000   ecx: 0000001f   edx: 00000000
esi: f77f3c10   edi: f74bbe6c   ebp: ffffffff   esp: f74bbe64
ds: 007b   es: 007b   ss: 0068
Process snmpd (pid: 793, threadinfo=f74ba000 task=f505b410)
Stack: c038b124 c01163e7 00000000 00001820 f77f3c10 f74bbee2 f74bbf30
f89f674b
       f77f3c10 ffffffff 00000020 f74bbecc f77f3a20 f74bbedc f89f3b3b
f77f3c10
       00000000 f74bbee2 f74bbecc f89f3950 f74bbedc f8880ab1 f77f3800
f74bbecc
Call Trace:
 [<c01163e7>] smp_apic_timer_interrupt+0xe7/0x160
 [<f89f674b>] e1000_read_phy_reg_ex+0xab/0xd0 [e1000]
 [<f89f3b3b>] e1000_mii_ioctl+0x1cb/0x1d0 [e1000]
 [<f89f3950>] e1000_ioctl+0x0/0x20 [e1000]
 [<f8880ab1>] vlan_dev_ioctl+0xc1/0x110 [8021q]
 [<c0236944>] dev_ifsioc+0x374/0x3e0
 [<c0236b46>] dev_ioctl+0x196/0x320
 [<c027f59c>] inet_ioctl+0x9c/0xb0
 [<c022b9d9>] sock_ioctl+0x139/0x300
 [<c0174d78>] sys_ioctl+0x148/0x2d0
 [<c01061fb>] syscall_call+0x7/0xb
Code: 8b 02 0d 00 00 00 03 89 44 24 08 85 db 74 56 eb 0d 90 90 90


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages kernel-image-2.6.8-2-686-smp depends on:
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 
ii  initrd-tools                  0.1.78     tools to create initrd image for p
ii  module-init-tools             3.2-pre1-2 tools for managing Linux kernel mo

-- no debconf information

Reply to:

Follow-Ups:
- Bug#309308: kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets
  - From: maximilian attems <debian@sternwelten.at>

Prev by Date: Bug#309307: kernel-image-2.4.27-sparc in sarge lacks security fixes from kernel-source-2.4.27 2.4.27-9
Next by Date: Processed: tagging 309307
Previous by thread: Bug#309307: marked as done (kernel-image-2.4.27-sparc in sarge lacks security fixes from kernel-source-2.4.27 2.4.27-9)
Next by thread: Bug#309308: kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets
Index(es):
- Date
- Thread