[Bug 214169] Kernel panic using IPv6 and TCP-SIGNATURE (IPSEC)
bugzilla-noreply at freebsd.org
Thu Nov 3 17:35:48 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214169
Bug ID: 214169
Summary: Kernel panic using IPv6 and TCP-SIGNATURE (IPSEC)
Product: Base System
Version: 11.0-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: anderson.soares at embrapa.br
CC: freebsd-amd64 at FreeBSD.org
After migrating my gateway to FreeBSD 11 STABLE, the quagga bgpd daemon started
to cause kernel panics in my gateway every time quagga starts.
At first, I thought it was a quagga related problem and I tried to replace it
with OpenBGPD. But as soon as I started openbgpd, the system crashed again.
After that, I was able to trace the problem to some BGP peers using password
protected connections. A few more tests showed that the problem only happened
in IPv6 connections.
Since BGP protected connections use the RFC 2385 TCP MD5 signature option, I've
tried to simulate the problem in another environment using IPSEC and netcat (nc
-S).
As expected, every time I tried to connect two hosts with TCP-MD5 signatures,
the host opening the connection crashes. Nothing happens to the host listening
to connections.
I was forced to downgrade my gateway to FreeBSD 10.3, and since then, my gateway
has worked without any failure.
The kernel panics as follows:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x8
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80c6e0ea
stack pointer = 0x28:0xfffffe00510da6b0
frame pointer = 0x28:0xfffffe00510da790
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 743 (nc)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80a98d27 at kdb_backtrace+0x67
#1 0xffffffff80a4f6c2 at vpanic+0x182
#2 0xffffffff80a4f533 at panic+0x43
#3 0xffffffff80ef2e41 at trap_fatal+0x351
#4 0xffffffff80ef3033 at trap_pfault+0x1e3
#5 0xffffffff80ef25bc at trap+0x26c
#6 0xffffffff80ed5d11 at calltrap+0x8
#7 0xffffffff80c6801b at tcp_output+0x16ab
#8 0xffffffff80c78b11 at tcp6_usr_connect+0x271
#9 0xffffffff80aee5de at kern_connectat+0x12e
#10 0xffffffff80aee487 at sys_connect+0x77
#11 0xffffffff80ef37ee at amd64_syscall+0x51e
#12 0xffffffff80ed5ffb at Xfast_syscall+0xfb
How-To-Repeat:
- In a system with TCP_SIGNATURE kernel option enabled, enable IPSEC and add a
TCP-MD5 key in /etc/ipsec.conf for each side of connection.
- Run nc -6S <host ipv6> <port>
The system
--
You are receiving this mail because:
You are on the CC list for the bug.
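
Added example, not part of the original bug report and not FreeBSD code: how the RFC 2385 signature that "nc -S" and BGP password peers rely on is computed and checked, including the IPv6 case the report isolates. RFC 2385 describes the IPv4 pseudo-header; the IPv6 branch assumes the RFC 2460 upper-layer pseudo-header layout. All function names, addresses and the key are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE, IPPROTO_TCP = 19, 18, 6  # RFC 2385 kind/length

def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """MD5 over pseudo-header, base TCP header (checksum zeroed), data, then key."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version or len(tcp_header) < 20:
        raise ValueError("mixed address families or truncated TCP header")
    seg_len = len(tcp_header) + len(payload)  # TCP header with options + data
    if s.version == 6:
        # IPv6 pseudo-header: src, dst, 32-bit length, 3 zero bytes, next header
        pseudo = s.packed + d.packed + struct.pack("!I3xB", seg_len, IPPROTO_TCP)
    else:
        # IPv4 pseudo-header: src, dst, zero byte, protocol, 16-bit length
        pseudo = s.packed + d.packed + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len)
    base = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # options excluded
    return hashlib.md5(pseudo + base + payload + key).digest()

def build_syn(src, dst, sport, dport, seq, key):
    """Constructed SYN: 20-byte header, option 19 (18 bytes), two NOPs of padding."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, 65535, 0, 0)
    digest = tcp_md5_digest(src, dst, hdr + bytes(20), b"", key)
    return hdr + bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + b"\x01\x01"

def verify_segment(src, dst, tcp_header, payload, key):
    """True only if a well-formed option 19 carries the digest expected for key."""
    opts, i = tcp_header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:      # end of option list
            break
        if kind == 1:      # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False   # malformed length: reject instead of reading past the end
        if kind == TCPOPT_SIGNATURE:
            if opts[i + 1] != TCPOLEN_SIGNATURE:
                return False
            want = tcp_md5_digest(src, dst, tcp_header, payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], want)
        i += opts[i + 1]
    return False

if __name__ == "__main__":
    syn = build_syn("2001:db8::1", "2001:db8::2", 40000, 179, 1, b"constructed-key")
    print(verify_segment("2001:db8::1", "2001:db8::2", syn, b"", b"constructed-key"))
```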