subgraph / subgraph-os-issues

Subgraph OS issues repository

wifi triggered kernel panic #129

Open ioerror opened 8 years ago

ioerror commented 8 years ago

I've found a reliable crash for Linux subgraph 4.4.2-grsec-amd64 #1 SMP Sun Feb 21 00:55:03 UTC 2016 x86_64 GNU/Linux - I have a bunch of photographs of kernel panics on tty0 and @special has some packet captures. It looks nice and like pax interferes.

I'll upload data after discussing with the rest of the subgraph security team...

ioerror commented 8 years ago

I'm at a hotel in Thailand with a network named NSAH - every attempt to join the network causes my sgos machine to hard lock with a kernel panic. I'm attaching a packet capture of a sgos machine attempting to join the NSAH network. The capture begins when NetworkManager attempts to join the network and it ends when the laptop panics. The packet capture was created with a second laptop in monitor mode.

ioerror commented 8 years ago

panic is a photograph of the screen after a panic. I have a few of these - I was able to reproduce the crashes such that each panic started with something resembling PAX: size overflow detected in function skb_headers_offset_update net/core/skbuff.c:974

I have a few other pcaps and I've attached the cleanest with the fewest packets in total (seven packets, I think); the sgos machine has mac address 00:01:02:03:04:05: 0day-9.pcapng.zip

ioerror commented 8 years ago

Spender pointed me to https://forums.grsecurity.net/viewtopic.php?f=3&t=4350

spender-sandbox commented 8 years ago

Actually it's a little different from that post -- to debug it we'd need to see the following info:

prior to the skb_headers_offset_update call in skb_copy_expand, add a printk(KERN_ALERT "newheadroom: %08x oldheadroom: %08x\n", newheadroom, oldheadroom);

then in skb_headers_offset_update, just before the skb->network_header += off line: printk(KERN_ALERT "network_header: %04x\n", skb->network_header);

-Brad
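
The arithmetic that the two requested printk lines expose, as an added user-space sketch (not kernel code, and not from anyone in this thread): an offset is added to 16-bit header offsets, and the sketch flags any sum that leaves 0..0xffff. Assumptions: the offset is newheadroom - oldheadroom and the header offsets are 16-bit, as in mainline skb_copy_expand and struct sk_buff; the struct, function names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum { WRAP_TRANSPORT = 1, WRAP_NETWORK = 2 };
/* Hypothetical stand-in for the 16-bit header offsets; not struct sk_buff. */
struct hdr_offsets {
    uint16_t transport_header;
    uint16_t network_header;
};

/* Add off; return 0 if the sum fits in 0..0xffff, else -1 (field untouched). */
static int checked_u16_add(uint16_t *field, int off)
{
    long long sum = (long long)*field + off;
    if (sum < 0 || sum > UINT16_MAX)
        return -1;
    *field = (uint16_t)sum;
    return 0;
}

/* Prints the values the two printk lines would show, then returns a bitmask
 * of the fields whose sum with off leaves the 16-bit range. */
static int model_offset_update(struct hdr_offsets *h, int newheadroom, int oldheadroom)
{
    int off = newheadroom - oldheadroom; /* assumed call argument */
    int wrapped = 0;
    printf("newheadroom: %08x oldheadroom: %08x\n", (unsigned)newheadroom, (unsigned)oldheadroom);
    printf("network_header: %04x\n", (unsigned)h->network_header);
    if (checked_u16_add(&h->transport_header, off))
        wrapped |= WRAP_TRANSPORT;
    if (checked_u16_add(&h->network_header, off))
        wrapped |= WRAP_NETWORK;
    return wrapped;
}

/* Wrapper for constructed sample values (transport, network offsets). */
int wrap_mask(uint16_t th, uint16_t nh, int newheadroom, int oldheadroom)
{
    struct hdr_offsets h = { th, nh };
    return model_offset_update(&h, newheadroom, oldheadroom);
}

int main(void)
{
    printf("mask=%d\n", wrap_mask(0x0060, 0x0040, 64, 32)); /* in range */
    printf("mask=%d\n", wrap_mask(0x0060, 0x0010, 0, 32));  /* network underflows */
    printf("mask=%d\n", wrap_mask(0xffff, 0xffff, 64, 32)); /* both overflow */
    return 0;
}
```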