It looks like the fix is already committed to current (https://marc.info/?l=openbsd-cvs&m=163758883200864&w=2). The bug is gone after upgrading from snapshots.

On Tue, 7 Dec 2021 at 01:16, Антон Касимов <[email protected]> wrote:

> I can confirm that large packets raise kernel panic.
> I was able to raise a panic by doing:
> doas nmap -6 -Pn -p22 --data-length 1400 <IPv6 address of the vpn client>
> from another host. So potentially anyone can crash the router by sending
> large packets.
> Details of interfaces:
>
>> em0:
>> flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4>
>> mtu 1500
>> description:
>> index 1 priority 0 llprio 3
>> groups: egress
>> media: Ethernet autoselect (1000baseT full-duplex)
>> status: active
>> inet6 <deleted> prefixlen 64 scopeid 0x1
>> inet <deleted>
>> em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>> index 2 priority 0 llprio 3
>> media: Ethernet autoselect (none)
>> status: no carrier
>> em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> description: lan
>> index 3 priority 0 llprio 3
>> media: Ethernet autoselect (1000baseT full-duplex)
>> status: active
>> inet <deleted>
>> inet6 fe80::<deleted>
>> inet6 <deleted>
>> inet6 <deleted>
>> em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>> index 4 priority 0 llprio 3
>> media: Ethernet autoselect (none)
>> status: no carrier
>> enc0: flags=0<>
>> index 5 priority 0 llprio 3
>> groups: enc
>> status: active
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> index 7 priority 0 llprio 3
>> encap: txprio payload rxprio payload
>> groups: gif
>> tunnel: inet 192.168.255.1 --> <deleted> ttl 64 nodf ecn
>> inet6 fe80::<deleted>%gif0 --> prefixlen 64 scopeid 0x7
>> inet6 <deleted> --> <deleted> prefixlen 128
>> gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> index 8 priority 0 llprio 3
>> encap: txprio payload rxprio payload
>> groups: gif egress
>> tunnel: inet <deleted> --> <deleted> ttl 64 nodf ecn
>> inet6 fe80::<deleted>%gif1 --> prefixlen 64 scopeid 0x8
>> inet6 <deleted>::2 --> <deleted>::1 prefixlen 128
>> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
>> index 9 priority 0 llprio 3
>> wgport 51820
>> groups: wg
>> inet6 <deleted>::1 prefixlen 64
>> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
>> index 10 priority 0 llprio 3
>> groups: pflog
>>
>
> On Mon, 6 Dec 2021 at 23:54, Антон Касимов <[email protected]> wrote:
>
>> Hi, I've recorded traffic that was sent from the git server before
>> crashes.
>> Most likely panic is caused by sending a large packet (1514 bytes) by the
>> git server to the remote vpn client.
>> I can privately share the traffic dumps.
>>
>> On Mon, 29 Nov 2021 at 18:30, <[email protected]> wrote:
>>
>>> >Synopsis: Kernel panic triggered on a certain type of IPv6 traffic
>>> >Category: kernel
>>> >Environment:
>>> System : OpenBSD 7.0
>>> Details : OpenBSD 7.0 (GENERIC.MP) #1: Fri Oct 29 12:04:07
>>> MDT 2021
>>> [email protected]:
>>> /usr/src/sys/arch/amd64/compile/GENERIC.MP
>>>
>>> Architecture: OpenBSD.amd64
>>> Machine : amd64
>>> >Description:
>>> I have an OpenBSD router that provides IPv6 connectivity for a
>>> remote VPN client.
>>> The router has a gif interface that holds IPv6 network (/48) and
>>> passes all IPv6 traffic from and to an IPv6 provider through an IPv4
>>> connection (the default IPv6 route).
>>> The router also routes iked VPN traffic from remote clients
>>> through IPv4 connection. The remote VPN client has subnet /64 of IPv6 net
>>> assigned to the gif interface.
>>> The problem is that under some unknown conditions the router
>>> crashes with the error below.
>>>
>>> panic: kernel diagnostic assertion "!ISSET(rt->rt_flags, RTF_UP)"
>>> failed: file "
>>> /usr/src/sys/net/route.c", line 506
>>> Starting stack trace...
>>> panic(ffffffff81e5b027) at panic+0x12c
>>> __assert(ffffffff81ec493e,ffffffff81e61332,1fa,ffffffff81ed0f05) at
>>> __assert+0x25
>>> rtfree(fffffd810dc68698) at rtfree+0x298
>>> ip6_forward(fffffd80cf80ab00,fffffd810dc68698,0) at ip6_forward+0x118
>>> ip6_input_if(ffff8000225ce658,ffff8000225ce664,29,0,ffff800000679038) at
>>> ip6_input_if+0x8d
>>> ipv6_input(ffff800000679038,fffffd80cf80ab00) at ipv6_input+0x39
>>> gif_input(ffff8000225ce710,ffff8000225ce938,ffff8000225ce944,29,0,0) at
>>> gif_input+0x231
>>> in_gif_input(ffff8000225ce938,ffff8000225ce944,29,2) at in_gif_input+0x5b
>>> ip_deliver(ffff8000225ce938,ffff8000225ce944,29,2) at ip_deliver+0x103
>>> ip_ours(ffff8000225ce938,ffff8000225ce944,ac3,0) at ip_ours+0x31d
>>> ip_input_if(ffff8000225ce938,ffff8000225ce944,4,0,ffff800000098048) at
>>> ip_input_if+0x19d
>>> ipv4_input(ffff800000098048,fffffd80cf80ab00) at ipv4_input+0x39
>>> ether_input(ffff800000098048,fffffd80cf80ab00) at ether_input+0x39f
>>> if_input_process(ffff800000098048,ffff8000225cea28) at
>>> if_input_process+0x6f
>>> ifiq_process(ffff800000098458) at ifiq_process+0x69
>>> taskq_thread(ffff80000002b080) at taskq_thread+0x81
>>> end trace frame: 0x0, count: 241
>>> End of stack trace.
>>> syncing disks...13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13
>>> 13 giving up
>>>
>>> The problem exists since at least version 6.8.
>>>
>>> >How-To-Repeat:
>>> The cause is unknown. I was unable to record the traffic dump.
>>> But I ran into it the last time when trying to pull changes from a git
>>> server (over ssh). I tried to pull changes five times, but each pull ended
>>> in kernel panic.
>>> >Fix:
>>> unknown
>>>
>>
>>
>> --
>> Антон Касимов / Anton Kasimov
>>
>
>
> --
> Антон Касимов / Anton Kasimov
>

--
Антон Касимов / Anton Kasimov
