Kernel 6.1.89 and 6.6.29 cause DoS by Linux IPv6 "Route of Death" 0day

6.1.89

2024-05-02T05:01:45+08:00 r86s kernel: ------------[ cut here ]------------
2024-05-02T05:01:45+08:00 r86s kernel: Kernel BUG at skb_pull+0x2d/0x30 [verbose debug info unavailable]
2024-05-02T05:01:45+08:00 r86s kernel: invalid opcode: 0000 [#1] SMP NOPTI
2024-05-02T05:01:45+08:00 r86s kernel: CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.1.89 #0
2024-05-02T05:01:45+08:00 r86s kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
2024-05-02T05:01:45+08:00 r86s kernel: RIP: 0010:skb_pull+0x2d/0x30
2024-05-02T05:01:45+08:00 r86s kernel: Code: 39 f0 72 1f 29 f0 89 47 70 3b 47 74 72 1c 89 f0 48 03 87 c8 00 00 00 48 89 87 c8 00 00 00 c3 cc cc cc cc 31 c0 c3 cc cc cc cc <0f> 0b 90 48 8b 07 48 85 c0 74 1a 55 8b 57 08 48 89 e5 f0 48 29 50
2024-05-02T05:01:45+08:00 r86s kernel: RSP: 0018:ffffc90000124bf8 EFLAGS: 00010297
2024-05-02T05:01:45+08:00 r86s kernel: RAX: 00000000000005a8 RBX: ffff8881019c8800 RCX: 0000000000000000
2024-05-02T05:01:45+08:00 r86s kernel: RDX: ffff88810e867400 RSI: 0000000000000034 RDI: ffff8881019c8200
2024-05-02T05:01:45+08:00 r86s kernel: RBP: ffffc90000124c10 R08: ffff88810e867000 R09: 0000000000000001
2024-05-02T05:01:45+08:00 r86s kernel: R10: 0000000000007867 R11: ffffffff82113640 R12: ffff8881019c8200
2024-05-02T05:01:45+08:00 r86s kernel: R13: ffff8881019c8200 R14: 0000000099011080 R15: 00000000000005a8
2024-05-02T05:01:45+08:00 r86s kernel: FS:  0000000000000000(0000) GS:ffff88813bd80000(0000) knlGS:0000000000000000
2024-05-02T05:01:45+08:00 r86s kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2024-05-02T05:01:45+08:00 r86s kernel: CR2: 00007f8530b7a4d0 CR3: 000000010ec18000 CR4: 0000000000350ee0
2024-05-02T05:01:45+08:00 r86s kernel: Call Trace:
2024-05-02T05:01:45+08:00 r86s kernel:  <IRQ>
2024-05-02T05:01:45+08:00 r86s kernel:  ? show_regs.part.0+0x1e/0x24
2024-05-02T05:01:45+08:00 r86s kernel:  ? __die+0x55/0x99
2024-05-02T05:01:45+08:00 r86s kernel:  ? die+0x2a/0x50
2024-05-02T05:01:45+08:00 r86s kernel:  ? do_trap+0x108/0x110
2024-05-02T05:01:45+08:00 r86s kernel:  ? do_error_trap+0x6c/0x90
2024-05-02T05:01:45+08:00 r86s kernel:  ? skb_pull+0x2d/0x30
2024-05-02T05:01:45+08:00 r86s kernel:  ? exc_invalid_op+0x4f/0x70
2024-05-02T05:01:45+08:00 r86s kernel:  ? skb_pull+0x2d/0x30
2024-05-02T05:01:45+08:00 r86s kernel: RSP: 0018:ffffc90000097eb8 EFLAGS: 00000242
2024-05-02T05:01:45+08:00 r86s kernel: RAX: 0000000000000001 RBX: ffff888100138000 RCX: 4000000000000000
2024-05-02T05:01:45+08:00 r86s kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000a0094
2024-05-02T05:01:45+08:00 r86s kernel: RBP: ffffc90000097ec0 R08: 0000000000000000 R09: 0000000000003800
2024-05-02T05:01:45+08:00 r86s kernel: R10: 0000000000000000 R11: 0000000000000e61 R12: 0000000000000003
2024-05-02T05:01:45+08:00 r86s kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
2024-05-02T05:01:45+08:00 r86s kernel:  ? ct_kernel_exit.constprop.0+0x7d/0x90
2024-05-02T05:01:45+08:00 r86s kernel:  ? default_idle+0x9/0x10
2024-05-02T05:01:45+08:00 r86s kernel:  arch_cpu_idle+0xd/0x20
2024-05-02T05:01:45+08:00 r86s kernel:  default_idle_call+0x2f/0x40
2024-05-02T05:01:45+08:00 r86s kernel:  do_idle+0x16d/0x180
2024-05-02T05:01:45+08:00 r86s kernel:  cpu_startup_entry+0x25/0x30
2024-05-02T05:01:45+08:00 r86s kernel:  start_secondary+0x107/0x110
2024-05-02T05:01:45+08:00 r86s kernel:  secondary_startup_64_no_verify+0xce/0xdb
2024-05-02T05:01:45+08:00 r86s kernel:  </TASK>

6.6.29

2024-05-02T06:40:11+08:00 r86s kernel: ------------[ cut here ]------------
2024-05-02T06:40:11+08:00 r86s kernel: Kernel BUG at skb_pull+0x2d/0x30 [verbose debug info unavailable]
2024-05-02T06:40:11+08:00 r86s kernel: invalid opcode: 0000 [#1] SMP NOPTI
2024-05-02T06:40:11+08:00 r86s kernel: CPU: 3 PID: 0 Comm: swapper/3 Tainted: G           O       6.6.29 #0
2024-05-02T06:40:11+08:00 r86s kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
2024-05-02T06:40:11+08:00 r86s kernel: RIP: 0010:skb_pull+0x2d/0x30
2024-05-02T06:40:11+08:00 r86s kernel: Code: 39 f0 72 1f 29 f0 89 47 70 3b 47 74 72 1c 89 f0 48 03 87 c8 00 00 00 48 89 87 c8 00 00 00 c3 cc cc cc cc 31 c0 c3 cc cc cc cc <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 8b 07
2024-05-02T06:40:11+08:00 r86s kernel: RSP: 0018:ffffc90000134c08 EFLAGS: 00010297
2024-05-02T06:40:11+08:00 r86s kernel: RAX: 0000000000000578 RBX: ffff88813a607200 RCX: 0000000000000000
2024-05-02T06:40:11+08:00 r86s kernel: RDX: ffff888139fa8400 RSI: 0000000000000034 RDI: ffff88813a607e00
2024-05-02T06:40:11+08:00 r86s kernel: RBP: ffffc90000134c20 R08: ffff888139fa8400 R09: 0000000000000001
2024-05-02T06:40:11+08:00 r86s kernel: R10: 00000000000000a6 R11: ffffffff8211cac0 R12: ffff88813a607e00
2024-05-02T06:40:11+08:00 r86s kernel: R13: ffff88813a607e00 R14: 0000000000201080 R15: 0000000000000578
2024-05-02T06:40:11+08:00 r86s kernel: FS:  0000000000000000(0000) GS:ffff88813bd80000(0000) knlGS:0000000000000000
2024-05-02T06:40:11+08:00 r86s kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2024-05-02T06:40:11+08:00 r86s kernel: CR2: 00007fec67342000 CR3: 000000013a5ae000 CR4: 0000000000350ee0
2024-05-02T06:40:11+08:00 r86s kernel: Call Trace:
2024-05-02T06:40:11+08:00 r86s kernel:  <IRQ>
2024-05-02T06:40:11+08:00 r86s kernel:  ? show_regs+0x60/0x70
2024-05-02T06:40:11+08:00 r86s kernel:  ? die+0x32/0x90
2024-05-02T06:40:11+08:00 r86s kernel:  ? do_trap+0xf7/0x100
2024-05-02T06:40:11+08:00 r86s kernel:  ? do_error_trap+0x6c/0x90
2024-05-02T06:40:11+08:00 r86s kernel:  ? skb_pull+0x2d/0x30
2024-05-02T06:40:11+08:00 r86s kernel:  cpu_startup_entry+0x25/0x30
2024-05-02T06:40:11+08:00 r86s kernel:  start_secondary+0xfc/0x100
2024-05-02T06:40:11+08:00 r86s kernel:  secondary_startup_64_no_verify+0x178/0x17b
2024-05-02T06:40:11+08:00 r86s kernel:  </TASK>

OpenWrt SNAPSHOT, r26006-9bc08af753 does not have this regression security vulnerability.

And this may not be caused by the kernel version, but by other changes in the openwrt git tree after r26006, because compiling firmware with Kernel 6.1.86 after r26006 also has this DoS when BT downloading.
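Added example, not from the thread: a small parser that picks the "Kernel BUG at <symbol>" events out of journal-style kernel log lines like those above and records the timestamp, host, crashing symbol, kernel version and taint state, so repeated crashes at the same symbol (here skb_pull) can be counted across reboots. The sample log is constructed from the excerpts posted above, cut down to the lines the parser needs.

```python
import re
from collections import Counter

# Constructed sample: two oops excerpts in the journal format seen in the thread,
# trimmed to the lines the parser needs, plus one unrelated line as noise.
SAMPLE_LOG = """\
2024-05-02T05:01:45+08:00 r86s kernel: ------------[ cut here ]------------
2024-05-02T05:01:45+08:00 r86s kernel: Kernel BUG at skb_pull+0x2d/0x30 [verbose debug info unavailable]
2024-05-02T05:01:45+08:00 r86s kernel: invalid opcode: 0000 [#1] SMP NOPTI
2024-05-02T05:01:45+08:00 r86s kernel: CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.1.89 #0
2024-05-02T05:01:45+08:00 r86s kernel: Call Trace:
2024-05-02T06:40:11+08:00 r86s kernel: ------------[ cut here ]------------
2024-05-02T06:40:11+08:00 r86s kernel: Kernel BUG at skb_pull+0x2d/0x30 [verbose debug info unavailable]
2024-05-02T06:40:11+08:00 r86s kernel: CPU: 3 PID: 0 Comm: swapper/3 Tainted: G           O       6.6.29 #0
2024-05-02T07:00:00+08:00 r86s kernel: br-lan: port 1(eth0) entered forwarding state
"""

# "<timestamp> <host> kernel: <message>" as written by the journal/syslog forwarder
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<msg>.*)$")
# "Kernel BUG at skb_pull+0x2d/0x30 ..." -> the symbol the BUG_ON fired in
BUG_RE = re.compile(r"Kernel BUG at (?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# "Comm: swapper/3 Not tainted 6.1.89 #0" or "Comm: ... Tainted: G   O   6.6.29 #0"
CPU_RE = re.compile(
    r"Comm: \S+ (?P<taint>Not tainted|Tainted: [A-Z ]+?)\s+(?P<ver>\d+\.\d+\.\d+\S*) #")


def parse_oopses(text):
    """Return one record per 'Kernel BUG at' event, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        b = BUG_RE.search(msg)
        if b:
            events.append({"ts": m.group("ts"), "host": m.group("host"),
                           "symbol": b.group("sym"), "kernel": None, "tainted": None})
            continue
        c = CPU_RE.search(msg)
        # The CPU line follows its BUG line; attach it to the most recent open event.
        if c and events and events[-1]["kernel"] is None:
            events[-1]["kernel"] = c.group("ver")
            events[-1]["tainted"] = c.group("taint") != "Not tainted"
    return events


def crashes_by_symbol(events):
    """Count BUG events per crashing symbol, e.g. {'skb_pull': 2}."""
    return Counter(e["symbol"] for e in events)


if __name__ == "__main__":
    found = parse_oopses(SAMPLE_LOG)
    for e in found:
        print(e)
    print(dict(crashes_by_symbol(found)))
```

Feed it `journalctl -k -o short-iso` output (or the remote syslog file the router ships to) to see whether the crash recurs at the same symbol after a firmware change.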

I opened a bug report; the Raspberry Pi 4 is also affected by the bug.

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=7116d2f2b093559516a59a8c5037d3580f04534c
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=45a8e962a591dfcac252b0de6324319abd080469

I will try deleting those patch files and rebuilding the firmware.
target/linux/generic/pending-6.1/680*.patch
target/linux/generic/pending-6.1/681*.patch
target/linux/generic/pending-6.1/682*.patch

Update: after rebuilding the firmware, my OpenWrt gateway has 5 hours 50 min of uptime without a crash reboot, with a qBittorrent download running inside.
