Subject: kern/17203: playing with ipsec keys panics kernel
To: None <>
From: Brett Lymn (Master of the Siren) <>
List: netbsd-bugs
Date: 06/10/2002 23:08:30
>Number:         17203
>Category:       kern
>Synopsis:       playing with ipsec keys panics kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 10 06:39:00 PDT 2002
>Originator:     Brett Lymn (Master of the Siren)
>Release:        NetBSD 1.5ZC checked out 29/3/2002
Brett Lymn
System: NetBSD siren 1.5ZC NetBSD 1.5ZC (SIREN) #2: Thu Jun 6 23:02:04 CST 2002 toor@siren:/usr/src/sys/arch/i386/compile/SIREN i386
Architecture: i386
Machine: i386
	While loading and unloading ipsec keys of differing lengths I
was able to make the kernel panic with either an unaligned data access
or data modified on free list.  The panic did not always happen right 
away but after modifying the keys and displaying them with a setkey -D
the kernel would sometimes panic, sometimes it would take a little longer.

	Fiddle with the keys and examine the DAD using setkey -D, the panic
seems more likely if you change the length of the key being loaded.

	No fix to suggest, I suspect that pointers to freed memory are being
kept and used in the ipsec kernel code.  If it helps, I have some kernel
core dumps.