Bug 46131 - 32-bit read from uninitialized memory in __ip_select_ident since 3.6-rc2
Summary: 32-bit read from uninitialized memory in __ip_select_ident since 3.6-rc2
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Stephen Hemminger
Depends on:
Reported: 2012-08-18 09:49 UTC by Christian Casteyde
Modified: 2012-08-29 13:24 UTC (History)
2 users (show)

See Also:
Kernel Version: 3.6-rc2
Tree: Mainline
Regression: Yes


Description Christian Casteyde 2012-08-18 09:49:44 UTC
Slacware64 current
Intel Core i7

Since 3.6-rc2 (this is a regression from 3.6-rc1), I get the following warning when I ping a host:

WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8801c3f79460)
 u u u u i i i i i i i i i i i i i i i i i i i i i i i i i i i i
Pid: 5836, comm: udev-acl.ck Not tainted 3.6.0-rc2 #3 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff81697ed2>]  [<ffffffff81697ed2>] __ip_select_ident+0x22/0x120
RSP: 0000:ffff8801c7e035e0  EFLAGS: 00010282
RAX: ffff88018194ab00 RBX: ffff88018b454700 RCX: 0000000000000040
RDX: 0000000000000001 RSI: ffff8801c7e035ec RDI: ffff8801c3f79450
RBP: ffff8801c7e03620 R08: ffff8801c54a8238 R09: 0000000000000000
R10: ffff8801c7e03770 R11: 0000000000000050 R12: ffff8801c3f79450
R13: 0000000000000000 R14: ffff88018db74a80 R15: ffff8801c3f79450
FS:  00007f0692dfb740(0000) GS:ffff8801c7e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c6b06a88 CR3: 00000001a9ae5000 CR4: 00000000000407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff816a2aa8>] __ip_make_skb+0x2f8/0x3c0
 [<ffffffff816a2bd7>] ip_push_pending_frames+0x17/0x30
 [<ffffffff816d16be>] icmp_push_reply+0xee/0x120
 [<ffffffff816d1b95>] icmp_send+0x4a5/0xb10
 [<ffffffff816ce5b8>] __udp4_lib_rcv+0x568/0x920
 [<ffffffff816ce985>] udp_rcv+0x15/0x20
 [<ffffffff8169b0d7>] ip_local_deliver_finish+0x107/0x460
 [<ffffffff8169b6f8>] ip_local_deliver+0x88/0x90
 [<ffffffff8169ab10>] ip_rcv_finish+0x120/0x5e0
 [<ffffffff8169b919>] ip_rcv+0x219/0x2b0
 [<ffffffff8164de82>] __netif_receive_skb+0x742/0x9b0
 [<ffffffff8164ef68>] netif_receive_skb+0x28/0x1e0
 [<ffffffff817a2de5>] ieee80211_deliver_skb.isra.28+0xa5/0x220
 [<ffffffff817a3e87>] ieee80211_rx_handlers+0xf27/0x2380
 [<ffffffff817a55e7>] ieee80211_prepare_and_rx_handle+0x307/0x8b0
 [<ffffffff817a620e>] ieee80211_rx+0x67e/0xce0
 [<ffffffff814b819c>] ath_rx_tasklet+0xc9c/0x1350
 [<ffffffff814b6024>] ath9k_tasklet+0xe4/0x140
 [<ffffffff810784ec>] tasklet_action+0x6c/0xe0
 [<ffffffff81078e5a>] __do_softirq+0xba/0x180
 [<ffffffff817e32dc>] call_softirq+0x1c/0x30
 [<ffffffff8103a4ed>] do_softirq+0x7d/0xb0
 [<ffffffff81079276>] irq_exit+0x96/0xc0
 [<ffffffff81039f8e>] do_IRQ+0x5e/0xd0
 [<ffffffff817e18ac>] ret_from_intr+0x0/0x13
 [<ffffffffffffffff>] 0xffffffffffffffff

This is a wireless network.
gdb gives the following:
(gdb) l *0xffffffff81697ed2
0xffffffff81697ed2 is in __ip_select_ident (include/net/inetpeer.h:145).
140                                                     __be32 v4daddr,
141                                                     int create)
142     {
143             struct inetpeer_addr daddr;
145             daddr.addr.a4 = v4daddr;
146             daddr.family = AF_INET;
147             return inet_getpeer(base, &daddr, create);
148     }

(gdb) l *0xffffffff816a2aa8
0xffffffff816a2aa8 is in __ip_make_skb (include/net/ip.h:264).
259                      * a TCP stream using header compression.
260                      */
261                     iph->id = (sk && inet_sk(sk)->inet_daddr) ?
262                                             htons(inet_sk(sk)->inet_id++) : 0;
263             } else
264                     __ip_select_ident(iph, dst, 0);
265     }
267     static inline void ip_select_ident_more(struct iphdr *iph, struct dst_entry *dst, struct sock *sk, int more)
268     {
Comment 1 Alan 2012-08-20 14:46:27 UTC
This is best reported to netdev@vger.kernel.org rather than just filed as a bug.
Comment 2 Florian Mickler 2012-08-26 10:49:35 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc3:

commit a9915a1b52df52ad87f3b33422da95cf25372f09
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 20 07:26:45 2012 +0000

    ipv4: fix ip header ident selection in __ip_make_skb()

Note You need to log in before you can comment on or make changes to this bug.