[grsec] 2.4.31-grsec: kernel assertion in ipv4/tcp

Tom Rune Flo lists at x86.no
Fri Aug 12 17:16:10 EDT 2005 

I'm currently experiencing a bug in the TCP part of the ipv4 implementation
on a 2.4.31 kernel, patched with grsecurity.

All inbound TCP connections stall and eventually die after having 
transmitted a relatively small amount of data, and the following BUG_TRAPs
/ assertions are reported by the kernel:

Aug 12 21:55:14 srv kernel: KERNEL: assertion (sk->forward_alloc == 0) failed
  at tcp.c(1863)
Aug 12 21:55:14 srv kernel: KERNEL: assertion (atomic_read(&sk->rmem_alloc) 
  == 0) failed at af_inet.c(173)
Aug 12 21:55:14 srv kernel: KERNEL: assertion (sk->forward_alloc == 0) failed
  at af_inet.c(176)

Outbound connections does not seem to suffer from this problem.  UDP 
connections are not affected.  Idle TCP connections does not seem to be
affected, meaning that data has to be submitted before the assertions happen.

EXAMPLE:

(on the affected server): 
root at srv:~# nc -l -p 999

(remote workstation):
tom at laptop:~$ ./stest 10.0.0.2 999 1024
connecting to 10.0.0.2 999 ..
connection established, sending data..
packet size: 1024 bytes
sent 65536 bytes in 64 packets  
--connection stalled for ~10 minutes--

netstat(1) reports:
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0  12184 10.0.0.4:60590          10.0.0.2:1024           ESTABLISHED
----

So, as you can see, the connection is kept open (endlessly) by the server,
but no more data is allowed to pass in either direction of the socket pipe.

I am unable to reproduce the problem using a vanilla 2.4.31 kernel, so the
problem seems to be grsec specific.

I will be able to research the problem further, if necessary.  Let me know
what additional information could be useful in order to solve this.

The kernel .config used can be found at http://forkbomb.org/srv-config


-- 
Tom Rune Flo <tom at x86.no>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20050812/1c412bf3/attachment.pgp

More information about the grsecurity mailing list