I can confirm that large packets raise a kernel panic. I was able to raise a panic by doing:

doas nmap -6 -Pn -p22 --data-length 1400 <IPv6 address of the vpn client>

from another host. So potentially anyone can crash the router by sending large packets.

Details of interfaces:
> em0: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> mtu 1500
>         description:
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 <deleted> prefixlen 64 scopeid 0x1
>         inet <deleted>
> em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         description: lan
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet <deleted>
>         inet6 fe80::<deleted>
>         inet6 <deleted>
>         inet6 <deleted>
> em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         index 4 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> enc0: flags=0<>
>         index 5 priority 0 llprio 3
>         groups: enc
>         status: active
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         index 7 priority 0 llprio 3
>         encap: txprio payload rxprio payload
>         groups: gif
>         tunnel: inet 192.168.255.1 --> <deleted> ttl 64 nodf ecn
>         inet6 fe80::<deleted>%gif0 --> prefixlen 64 scopeid 0x7
>         inet6 <deleted> --> <deleted> prefixlen 128
> gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         index 8 priority 0 llprio 3
>         encap: txprio payload rxprio payload
>         groups: gif egress
>         tunnel: inet <deleted> --> <deleted> ttl 64 nodf ecn
>         inet6 fe80::<deleted>%gif1 --> prefixlen 64 scopeid 0x8
>         inet6 <deleted>::2 --> <deleted>::1 prefixlen 128
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
>         index 9 priority 0 llprio 3
>         wgport 51820
>         groups: wg
>         inet6 <deleted>::1 prefixlen 64
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
>         index 10 priority 0 llprio 3
>         groups: pflog
>

On Mon, 6 Dec 2021 at 23:54, Антон Касимов <[email protected]> wrote:

> Hi, I've recorded traffic that was sent from the git server before crashes.
> Most likely panic is caused by sending a large packet (1514 bytes) by the
> git server to the remote vpn client.
> I can privately share the traffic dumps.
>
> On Mon, 29 Nov 2021 at 18:30, <[email protected]> wrote:
>
>> >Synopsis:      Kernel panic triggered on a certain type of IPv6 traffic
>> >Category:      kernel
>> >Environment:
>>         System      : OpenBSD 7.0
>>         Details     : OpenBSD 7.0 (GENERIC.MP) #1: Fri Oct 29 12:04:07 MDT 2021
>>                       [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>>         Architecture: OpenBSD.amd64
>>         Machine     : amd64
>> >Description:
>>         I have an OpenBSD router that provides IPv6 connectivity for a
>>         remote VPN client.
>>         The router has a gif interface that holds IPv6 network (/48) and
>>         passes all IPv6 traffic from and to an IPv6 provider through an IPv4
>>         connection (the default IPv6 route).
>>         The router also routes iked VPN traffic from remote clients
>>         through IPv4 connection. The remote VPN client has subnet /64 of
>>         IPv6 net assigned to the gif interface.
>>         The problem is that under some unknown conditions the router
>>         crashes with the error below.
>>
>> panic: kernel diagnostic assertion "!ISSET(rt->rt_flags, RTF_UP)" failed: file "/usr/src/sys/net/route.c", line 506
>> Starting stack trace...
>> panic(ffffffff81e5b027) at panic+0x12c
>> __assert(ffffffff81ec493e,ffffffff81e61332,1fa,ffffffff81ed0f05) at __assert+0x25
>> rtfree(fffffd810dc68698) at rtfree+0x298
>> ip6_forward(fffffd80cf80ab00,fffffd810dc68698,0) at ip6_forward+0x118
>> ip6_input_if(ffff8000225ce658,ffff8000225ce664,29,0,ffff800000679038) at ip6_input_if+0x8d
>> ipv6_input(ffff800000679038,fffffd80cf80ab00) at ipv6_input+0x39
>> gif_input(ffff8000225ce710,ffff8000225ce938,ffff8000225ce944,29,0,0) at gif_input+0x231
>> in_gif_input(ffff8000225ce938,ffff8000225ce944,29,2) at in_gif_input+0x5b
>> ip_deliver(ffff8000225ce938,ffff8000225ce944,29,2) at ip_deliver+0x103
>> ip_ours(ffff8000225ce938,ffff8000225ce944,ac3,0) at ip_ours+0x31d
>> ip_input_if(ffff8000225ce938,ffff8000225ce944,4,0,ffff800000098048) at ip_input_if+0x19d
>> ipv4_input(ffff800000098048,fffffd80cf80ab00) at ipv4_input+0x39
>> ether_input(ffff800000098048,fffffd80cf80ab00) at ether_input+0x39f
>> if_input_process(ffff800000098048,ffff8000225cea28) at if_input_process+0x6f
>> ifiq_process(ffff800000098458) at ifiq_process+0x69
>> taskq_thread(ffff80000002b080) at taskq_thread+0x81
>> end trace frame: 0x0, count: 241
>> End of stack trace.
>> syncing disks...13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 giving up
>>
>> The problem exists since at least version 6.8.
>>
>> >How-To-Repeat:
>>         The cause is unknown. I was unable to record the traffic dump.
>>         But I ran into it the last time when trying to pull changes from a git
>>         server (over ssh). I tried to pull changes five times, but each pull
>>         ended in kernel panic.
>> >Fix:
>>         unknown
>>
>>
>> dmesg:
>> OpenBSD 7.0 (GENERIC.MP) #1: Fri Oct 29 12:04:07 MDT 2021
>>     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 4259840000 (4062MB)
>> avail mem = 4114706432 (3924MB)
>> random: good seed from bootblocks
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xcfe83040 (13 entries)
>> bios0: vendor coreboot version "v4.14.0.3" date 08/10/2021
>> bios0: PC Engines apu4
>> acpi0 at bios0: ACPI 6.0
>> acpi0: sleep states S0 S1 S4 S5
>> acpi0: tables DSDT FACP SSDT MCFG TPM2 APIC HEST SSDT SSDT DRTM HPET
>> acpi0: wakeup devices PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4)
>> acpitimer0 at acpi0: 3579545 Hz, 32 bits
>> acpimcfg0 at acpi0
>> acpimcfg0: addr 0xf8000000, bus 0-63
>> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: AMD GX-412TC SOC, 998.26 MHz, 16-30-01
>> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
>> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
>> cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
>> cpu0: smt 0, core 0, package 0
>> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
>> cpu0: apic clock running at 99MHz
>> cpu0: mwait min=64, max=64, IBE
>> cpu1 at mainbus0: apid 1 (application processor)
>> cpu1: AMD GX-412TC SOC, 998.14 MHz, 16-30-01
>> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
>> cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
>> cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
>> cpu1: smt 0, core 1, package 0
>> cpu2 at mainbus0: apid 2 (application processor)
>> cpu2: AMD GX-412TC SOC, 998.14 MHz, 16-30-01
>> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu2: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
>> cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
>> cpu2: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
>> cpu2: smt 0, core 2, package 0
>> cpu3 at mainbus0: apid 3 (application processor)
>> cpu3: AMD GX-412TC SOC, 998.14 MHz, 16-30-01
>> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
>> cpu3: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
>> cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
>> cpu3: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
>> cpu3: smt 0, core 3, package 0
>> ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
>> ioapic1 at mainbus0: apid 5 pa 0xfec20000, version 21, 32 pins
>> acpihpet0 at acpi0: 14318180 Hz
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpiprt1 at acpi0: bus 1 (PBR4)
>> acpiprt2 at acpi0: bus 2 (PBR5)
>> acpiprt3 at acpi0: bus 3 (PBR6)
>> acpiprt4 at acpi0: bus 4 (PBR7)
>> acpiprt5 at acpi0: bus -1 (PBR8)
>> acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
>> acpicmos0 at acpi0
>> amdgpio0 at acpi0 GPIO uid 0 addr 0xfed81500/0x300 irq 7, 184 pins
>> "PRP0001" at acpi0 not configured
>> "PRP0001" at acpi0 not configured
>> "PRP0001" at acpi0 not configured
>> "PRP0001" at acpi0 not configured
>> "PRP0001" at acpi0 not configured
>> "PRP0001" at acpi0 not configured
>> "BOOT0000" at acpi0 not configured
>> acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
>> acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
>> acpicpu2 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
>> acpicpu3 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
>> acpitz0 at acpi0: critical temperature is 115 degC
>> cpu0: 998 MHz: speeds: 1000 800 600 MHz
>> pci0 at mainbus0 bus 0
>> pchb0 at pci0 dev 0 function 0 "AMD 16h Root Complex" rev 0x00
>> vendor "AMD", unknown product 0x1567 (class system subclass IOMMU, rev 0x00) at pci0 dev 0 function 2 not configured
>> pchb1 at pci0 dev 2 function 0 "AMD 16h Host" rev 0x00
>> ppb0 at pci0 dev 2 function 1 "AMD 16h PCIE" rev 0x00: msi
>> pci1 at ppb0 bus 1
>> em0 at pci1 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4e:a1:70
>> ppb1 at pci0 dev 2 function 2 "AMD 16h PCIE" rev 0x00: msi
>> pci2 at ppb1 bus 2
>> em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4e:a1:71
>> ppb2 at pci0 dev 2 function 3 "AMD 16h PCIE" rev 0x00: msi
>> pci3 at ppb2 bus 3
>> em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4e:a1:72
>> ppb3 at pci0 dev 2 function 4 "AMD 16h PCIE" rev 0x00: msi
>> pci4 at ppb3 bus 4
>> em3 at pci4 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:4e:a1:73
>> ccp0 at pci0 dev 8 function 0 "AMD 16h Crypto" rev 0x00
>> xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi, xHCI 1.0
>> usb0 at xhci0: USB revision 3.0
>> uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev 3.00/1.00 addr 1
>> ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x40: apic 4 int 19, AHCI 1.3
>> ahci0: port 0: 6.0Gb/s
>> ahci0: port 1: 6.0Gb/s
>> scsibus1 at ahci0: 32 targets
>> sd0 at scsibus1 targ 0 lun 0: <ATA, MT-512, S050> t10.ATA_MT-512_9100910803195_
>> sd0: 488386MB, 512 bytes/sector, 1000215216 sectors, thin
>> sd1 at scsibus1 targ 1 lun 0: <ATA, WDC WD10JFCX-68N, 82.0> naa.50014ee0af45033d
>> sd1: 953869MB, 512 bytes/sector, 1953525168 sectors
>> ehci0 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18
>> usb1 at ehci0: USB revision 2.0
>> uhub1 at usb1 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
>> piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x42: SMI
>> iic0 at piixpm0
>> iic1 at piixpm0
>> iic1: addr 0x4c 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=ffff 01=ffff 02=ffff 03=ffff 04=ffff 05=ffff 06=ffff 07=ffff
>> pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
>> sdhc0 at pci0 dev 20 function 7 "AMD Bolton SD/MMC" rev 0x01: apic 4 int 16
>> sdhc0: SDHC 2.0, 50 MHz base clock
>> sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
>> pchb2 at pci0 dev 24 function 0 "AMD 16h Link Cfg" rev 0x00
>> pchb3 at pci0 dev 24 function 1 "AMD 16h Address Map" rev 0x00
>> pchb4 at pci0 dev 24 function 2 "AMD 16h DRAM Cfg" rev 0x00
>> km0 at pci0 dev 24 function 3 "AMD 16h Misc Cfg" rev 0x00
>> pchb5 at pci0 dev 24 function 4 "AMD 16h CPU Power" rev 0x00
>> pchb6 at pci0 dev 24 function 5 "AMD 16h Misc Cfg" rev 0x00
>> isa0 at pcib0
>> isadma0 at isa0
>> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>> com0: console
>> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
>> com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
>> pcppi0 at isa0 port 0x61
>> spkr0 at pcppi0
>> lpt0 at isa0 port 0x378/4 irq 7
>> intr_establish: pic ioapic0 pin 7: can't share type 3 with 2
>> wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x53
>> vmm0 at mainbus0: SVM/RVI
>> dt: 445 probes
>> uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro Devices Hub" rev 2.00/0.18 addr 2
>> vscsi0 at root
>> scsibus2 at vscsi0: 256 targets
>> softraid0 at root
>> scsibus3 at softraid0: 256 targets
>> root on sd0a (01c1c2f37c512b1b.a) swap on sd0b dump on sd0b
>> WARNING: / was not properly unmounted
>> Process (pid 1) got signal 31
>>
>> usbdevs:
>> Controller /dev/usb0:
>> addr 01: 1022:0000 AMD, xHCI root hub
>>          super speed, self powered, config 1, rev 1.00
>>          driver: uhub0
>> Controller /dev/usb1:
>> addr 01: 1022:0000 AMD, EHCI root hub
>>          high speed, self powered, config 1, rev 1.00
>>          driver: uhub1
>> addr 02: 0438:7900 Advanced Micro Devices, Hub
>>          high speed, self powered, config 1, rev 0.18
>>          driver: uhub2
>>
>
>
> --
> Антон Касимов / Anton Kasimov
>

--
Антон Касимов / Anton Kasimov
