RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

[Yanek Korff <yanek () cigital com>]

I have finally figured out some of the problem.  By default RH6.2 will load
the 3c59x module for my three 3c905C-TX-M network cards.  RH 6.2 does not
panic when UDP scanned when using this kernel module.

By default RH7.0 will load the 3c90x module for the same 3c905C-TX-M network
cards.  It does panic when UDP scanned.  If I specify "alias eth0 3c59x" in
modules.conf, the other module loads and the system no longer crashes.
Additionally, I have recompiled a much smaller custom kernel and built the
3c59x drivers directly into the kernel - again, stable.

What remains a mystery, to me at least, is what is causing UDP scans to give
rise to a kernel panic.  Regardless of which driver module I am using, the
kernel panics only when firewall-1 is running.

Thanks to all for your thoughts & testing.

-Yanek.

> -----Original Message-----
> From: Andy Magoon [mailto:Andy.Magoon () telethinking com]
> Sent: Monday, November 19, 2001 10:45 AM
> To: 'yanek () CIGITAL COM'
> Subject: RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
>
>
> Yanek,
>
> I am running ckpt-fw1-v41-sp5 without a problem on a similar 
> configuration. UDP port scans with nmap do not affect my server, 
> and it behaves much better than the two before it (NT and W2K) 
> which always rebooted or stopped passing packets.  
>
> Hardware:  Dell PowerEdge 2200 with 64MB of RAM, 3Com 
> EtherLink III 3c905-TX (x2) and 3Com 3c509B (x1)
>
> Operating System: Red Hat Linux 6.1, kernel 2.2.12-20
>
> I have had much better luck with Firewall-1 on Linux than on 
> Windows, and will probably never again consider using a Windows 
> box as a firewalled gateway.
>
> Have you considered the warnings in the README that say not to run
> Firewall-1 on a 2.4 kernel?
>
> Andy
>
>
>
> ---------------------
> Original Message:
>
> ------------------------------
>
> Date:    Tue, 13 Nov 2001 14:45:02 -0500
> From:    Yanek Korff <yanek () CIGITAL COM>
> Subject: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
>
> I'm testing out CP4.1 SP5 on Linux RH7.0.  I seem to have 
> gotten everything
> configured the way I want it and am starting to run some 
> scans to see what I
> can see.  Well, what I see is: nmap -sU -P0 ip_addr causes 
> the machine to
> instantly crash with a kernel panic, or in some cases, 
> reboot.  I'm not
> great at troubleshooting kernel/module troubles so any help 
> would be greatly
> appreciated.  IF you happen to have a Linux CP FW-1 box you 
> could run nmap
> against, I'd love to know your results (incl OS/kernel info). 
>  Might want to
> do this off-hours, though.
>
> Without CP-FW1 running (/etc/rc.d/init.d/firewall1 stop), I 
> cannot cause a
> kernel panic with a UDP scan.  Has anyone else noticed this behavior?
>
> Hardware:
> Dell Dimension XPSB800r
> 128MB RAM
> 3Com EtherLink III 3c905-TX (three of them)
>
> Have been able to reproduce this problem with kernels:
> 2.2.19-7 (CUSTOM)
> 2.2.16-20 (GENERIC  RH 7.0)
>
> Tail end of the error message (after register & stack dump):
> Code: 8b 41 08 3d 2b 2f c3 a5 0f 85 c6 00 00 00 8b 41 0c 85 c0 74
> Aiee, killing interrupt handler
> Kernel panic: Attempted to kill the idle task!
> In swapper task - not syncing
>
> -Yanek.