Date: Mon, 2 Nov 2015 11:49:59 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-security@freebsd.org
Subject: Re: segfault in ntpd
Message-ID: <56374DE7.7030909@infracaninophile.co.uk>
In-Reply-To: <5633A728.7000904@FreeBSD.org>
References: <86bnbgbqa6.fsf@desk.des.no> <5633A728.7000904@FreeBSD.org>
On 10/30/15 17:21, Matthew Seaman wrote:
> On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
>> Can those of you who are experiencing this bug on 10 please try to build
>> and run a kernel from head@287591 or newer (with your 10 userland) and
>> report back?
>>
>> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
>> # cd /tmp/head
>> # make buildkernel KERNCONF=GENERIC
>> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
>> # nextboot -k head
>> # shutdown -r now
>>
>> DES
>>
> 
> Hi, Dag-Erling,
> 
> I'm not able to reboot machines where I've seen this crash right now,
> but I can report:
> 
>   * Can't reproduce the problem in a VirtualBox VM running
>     10.2-RELEASE-p6 amd64.
> 
>   * But I can get a back trace after compiling the 10.2-RELEASE-p6
>     sources and a core dump from one of the machines where the problem happens:
> 
> (gdb) bt full
> #0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at atomic.h:143
>         No locals.
> #1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
>         n = <value optimized out>
>         fp = <value optimized out>
>         g = <value optimized out>
> #2  0x00000008012470ab in _BIG5_mbrtowc (pwc=<value optimized out>,
>     s=<value optimized out>, n=Cannot access memory at address 0x1
> ) at /usr/src/lib/libc/locale/big5.c:113
>         wc = <value optimized out>
> #3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
>     buffer_size=0, retval=0x8014c6130, ap=0x18b95,
>     cache_mdata=<value optimized out>)
>     at /usr/src/lib/libc/net/getservent.c:1071
>         serv = (struct servent *) 0x0
>         orig_buf = 0x802031040 "0aL\001\b"
>         orig_buf_size = <value optimized out>
>         ret_errno = <value optimized out>
>         p = <value optimized out>
>         alias = <value optimized out>
> #4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
>     disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
>     method_name=0x80126de24 ".conf", defaults=0x2)
>     at /usr/src/lib/libc/net/nsdispatch.c:541
>         ap = {{gp_offset = 48, fp_offset = 48,
>     overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
>         mdata = (void *) 0x80126ddfc
>         cache_data = {key = 0x17d0 <Address 0x17d0 out of bounds>,
>     key_size = 34369025376, info = 0x7fffdfdfc9e0}
>         isthreaded = 1
>         serrno = 22
>         result = <value optimized out>
>         st = <value optimized out>
>         fb_method = <value optimized out>
>         srclist = <value optimized out>
>         srclistsize = <value optimized out>
>         cache_flag = <value optimized out>
>         method = <value optimized out>
>         saved_depth = <value optimized out>
> #5  0x0000000801213121 in nis_setservent (result=0x801c33100,
>     mdata=<value optimized out>, ap=0x0)
>     at /usr/src/lib/libc/net/getservent.c:812
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         rv = <value optimized out>
> #6  0x0000000801213029 in files_setservent (retval=0x801c33100,
>     mdata=<value optimized out>, ap=<value optimized out>)
>     at /usr/src/lib/libc/net/getservent.c:451
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         rv = <value optimized out>
>         f = 0
> #7  0x000000080120f373 in _dns_getaddrinfo (rv=<value optimized out>,
> ---Type <return> to continue, or q <return> to quit---
>     cb_data=<value optimized out>, ap=<value optimized out>)
>     at /usr/src/lib/libc/net/getaddrinfo.c:2266
>         sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
>     ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
>     ai_addr = 0x802031040, ai_next = 0x2}
>         q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
>     qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
>     anslen = 11616604, n = 8}
>         q2 = {next = 0x8014b5f80,
>     name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass = -538982832,
>     qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
>         cur = (struct addrinfo *) 0x3
>         pai = <value optimized out>
>         hostname = <value optimized out>
>         res = <value optimized out>
>         ai = <value optimized out>
> #8  0x000000080120ca61 in strcspn (s=0x801c33100 "",
>     charset=<value optimized out>) at /usr/src/lib/libc/string/strcspn.c:59
>         tbl = {34393355264, 34389385984, 34389386167, 34389386056}
>         bit = <value optimized out>
>         s1 = <value optimized out>
> #9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700,
>     req=0x801c46300)
>     at /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
>         ai_res = (struct addrinfo *) 0x0
>         node = 0x7fffdfdfcbe8 "\002"
>         service = 0xc <Address 0xc out of bounds>
>         worker_ctx = (dnsworker_ctx *) 0x80200e060
>         resp_octets = Cannot access memory at address 0x600
> (gdb)
> 
> Cheers,
> 
> Matthew
> 

Thanks to Andre Albsmeier a work-around seems to be turning off memlock
in ntp.conf: I have just posted my observations to the freebsd-stable
list:

http://lists.freebsd.org/pipermail/freebsd-stable/2015-November/083574.html

What happens if you add "rlimit memlock -1" to ntp.conf?

	Cheers,

	Matthew