linux 2.3.18, 2.3.18ac10 meltdown

Lennert Buytenhek (lbuijten@cs.leidenuniv.nl)
Fri, 1 Oct 1999 10:29:06 +0200 (CEST)

Hi all,

How to crash linux 2.3.18*: Basically, listen on a TCPv6 socket and
then connect to that socket via a v6 site local address assigned to
one of your interfaces.

How to reproduce:
1. ifconfig lo 127.0.0.1
2. ifconfig eth0 inet6 add fec0::1/96
3. ./listen_crash & (listen_crash.c included below)
4. ./connect_crash (connect_crash.c included below)

On my box, this gives a spectacular series of oopses, eventually
resulting in a 'killing the interrupt handler' and 'in interrupt
handler - not syncing' type of stuff. Very spectacular. Even Magic SysRq
gives even more oopses (For example: the unmount command gives about 50
oopses in a row and then starts to write random gibberish to the console).

Anyone any clues?

Greetings,
Lennert Buytenhek

PS you'll probably need glibc2.1 for the example programs below

begin listen_crash.c
--------------------
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/ip6.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
struct sockaddr_in6 ad;
int len;
int sock;

sock = socket(AF_INET6, SOCK_STREAM, 0);
perror("socket");

ad.sin6_family = AF_INET6;
ad.sin6_port = htons(80);
ad.sin6_addr = in6addr_any;
ad.sin6_flowinfo = 0;
if (bind(sock, &ad, sizeof(ad)) < 0)
{
perror("bind");
return 1;
}

listen(sock, 1);

len = sizeof (struct sockaddr_in6);
accept(sock, &ad, &len);

sleep(60);

return 0;
}

begin connect_crash.c
---------------------
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/ip6.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
struct sockaddr_in6 ad;
int sock;

sock = socket(AF_INET6, SOCK_STREAM, 0);
perror("socket");

ad.sin6_family = AF_INET6;
ad.sin6_port = htons(80);
ad.sin6_flowinfo = 0;
ad.sin6_addr.s6_addr[0] = 0xfe;
ad.sin6_addr.s6_addr[1] = 0xc0;
ad.sin6_addr.s6_addr[2] = 0x00;
ad.sin6_addr.s6_addr[3] = 0x00;
ad.sin6_addr.s6_addr[4] = 0x00;
ad.sin6_addr.s6_addr[5] = 0x00;
ad.sin6_addr.s6_addr[6] = 0x00;
ad.sin6_addr.s6_addr[7] = 0x00;
ad.sin6_addr.s6_addr[8] = 0x00;
ad.sin6_addr.s6_addr[9] = 0x00;
ad.sin6_addr.s6_addr[10] = 0x00;
ad.sin6_addr.s6_addr[11] = 0x00;
ad.sin6_addr.s6_addr[12] = 0x00;
ad.sin6_addr.s6_addr[13] = 0x00;
ad.sin6_addr.s6_addr[14] = 0x00;
ad.sin6_addr.s6_addr[15] = 0x00;
ad.sin6_addr.s6_addr[16] = 0x01;
connect(sock, &ad, sizeof(ad));
perror("connect");

write(sock, "tst", 4);
perror("write");

return 0;
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/