Date:      Mon, 2 Nov 2015 11:49:59 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: segfault in ntpd
Message-ID:  <56374DE7.7030909@infracaninophile.co.uk>
In-Reply-To: <5633A728.7000904@FreeBSD.org>
References:  <86bnbgbqa6.fsf@desk.des.no> <5633A728.7000904@FreeBSD.org>


On 10/30/15 17:21, Matthew Seaman wrote:
> On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
>> Can those of you who are experiencing this bug on 10 please try to build
>> and run a kernel from head@287591 or newer (with your 10 userland) and
>> report back?
>>
>> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
>> # cd /tmp/head
>> # make buildkernel KERNCONF=GENERIC
>> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
>> # nextboot -k head
>> # shutdown -r now
>>
>> DES
>>
>
> Hi, Dag-Erling,
>
> I'm not able to reboot machines where I've seen this crash right now,
> but I can report:
>
>    * Can't reproduce the problem in a VirtualBox VM running
> 10.2-RELEASE-p6 amd64.
>
>    * But I can get a back trace after compiling the 10.2-RELEASE-p6
> sources and a core dump from one of the machines where the problem happens:
>
> (gdb) bt full
> #0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at
> atomic.h:143
> No locals.
> #1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
> 	n = <value optimized out>
> 	fp = <value optimized out>
> 	g = <value optimized out>
> #2  0x00000008012470ab in _BIG5_mbrtowc (pwc=<value optimized out>,
>     s=<value optimized out>, n=Cannot access memory at address 0x1
> ) at /usr/src/lib/libc/locale/big5.c:113
> 	wc = <value optimized out>
> #3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
>     buffer_size=0, retval=0x8014c6130, ap=0x18b95,
>     cache_mdata=<value optimized out>)
>     at /usr/src/lib/libc/net/getservent.c:1071
> 	serv = (struct servent *) 0x0
> 	orig_buf = 0x802031040 "0aL\001\b"
> 	orig_buf_size = <value optimized out>
> 	ret_errno = <value optimized out>
> 	p = <value optimized out>
> 	alias = <value optimized out>
> #4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
>     disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
>     method_name=0x80126de24 ".conf", defaults=0x2)
>     at /usr/src/lib/libc/net/nsdispatch.c:541
> 	ap = {{gp_offset = 48, fp_offset = 48,
>     overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
> 	mdata = (void *) 0x80126ddfc
> 	cache_data = {key = 0x17d0 <Address 0x17d0 out of bounds>,
>   key_size = 34369025376, info = 0x7fffdfdfc9e0}
> 	isthreaded = 1
> 	serrno = 22
> 	result = <value optimized out>
> 	st = <value optimized out>
> 	fb_method = <value optimized out>
> 	srclist = <value optimized out>
> 	srclistsize = <value optimized out>
> 	cache_flag = <value optimized out>
> 	method = <value optimized out>
> 	saved_depth = <value optimized out>
> #5  0x0000000801213121 in nis_setservent (result=0x801c33100,
>     mdata=<value optimized out>, ap=0x0)
>     at /usr/src/lib/libc/net/getservent.c:812
> 	st = (struct nis_state *) 0x0
> 	st = (struct nis_state *) 0x0
> 	st = (struct nis_state *) 0x0
> 	st = (struct nis_state *) 0x0
> 	rv = <value optimized out>
> #6  0x0000000801213029 in files_setservent (retval=0x801c33100,
>     mdata=<value optimized out>, ap=<value optimized out>)
>     at /usr/src/lib/libc/net/getservent.c:451
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	st = (struct files_state *) 0x1
> 	rv = <value optimized out>
> 	f = 0
> #7  0x000000080120f373 in _dns_getaddrinfo (rv=<value optimized out>,
> ---Type <return> to continue, or q <return> to quit---
>     cb_data=<value optimized out>, ap=<value optimized out>)
>     at /usr/src/lib/libc/net/getaddrinfo.c:2266
> 	sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
>   ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
>   ai_addr = 0x802031040, ai_next = 0x2}
> 	q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
>   qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
>   anslen = 11616604, n = 8}
> 	q2 = {next = 0x8014b5f80,
>   name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass =
> -538982832,
>   qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
> 	cur = (struct addrinfo *) 0x3
> 	pai = <value optimized out>
> 	hostname = <value optimized out>
> 	res = <value optimized out>
> 	ai = <value optimized out>
> #8  0x000000080120ca61 in strcspn (s=0x801c33100 "",
>     charset=<value optimized out>) at /usr/src/lib/libc/string/strcspn.c:59
> 	tbl = {34393355264, 34389385984, 34389386167, 34389386056}
> 	bit = <value optimized out>
> 	s1 = <value optimized out>
> #9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700,
> req=0x801c46300)
>     at
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
> 	ai_res = (struct addrinfo *) 0x0
> 	node = 0x7fffdfdfcbe8 "\002"
> 	service = 0xc <Address 0xc out of bounds>
> 	worker_ctx = (dnsworker_ctx *) 0x80200e060
> 	resp_octets = Cannot access memory at address 0x600
> (gdb)
>
> 	Cheers,
>
> 	Matthew
>
>

Thanks to Andre Albsmeier, a work-around seems to be turning off memlock
in ntp.conf:

> I have just posted my observations to the freebsd-stable list:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2015-November/083574.html
>
> What happens if you add "rlimit memlock -1" to ntp.conf?

	Cheers,

	Matthew
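Applying the quoted work-around by hand is a one-line edit, but rolling it out to several machines without leaving a stale `rlimit memlock` setting behind (including one sharing a line with `stacksize`) is where mistakes happen. The POSIX shell script below is an added example, not code from this thread or from the ntp project: it assumes the ntp.conf path is passed as an argument, and the config it operates on in the demo is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently apply the
# "rlimit memlock -1" work-around to an ntp.conf and verify it took.
# The config path is assumed to be passed as an argument; the file used
# in the demo at the bottom is a constructed sample, not a real host's.

set -eu

# Rewrite the given ntp.conf so that memlock is disabled:
#  - strip any existing "memlock <value>" token from rlimit lines, keeping
#    other rlimit options (e.g. "stacksize 50") on the same line,
#  - drop rlimit lines that are left with no options,
#  - append "rlimit memlock -1".
# Running it twice yields the same file as running it once.
apply_memlock_workaround() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -E \
        -e '/^[[:space:]]*rlimit([[:space:]]|$)/ s/[[:space:]]+memlock[[:space:]]+-?[0-9]+//' \
        -e '/^[[:space:]]*rlimit[[:space:]]*$/ d' \
        "$conf" > "$tmp"
    printf 'rlimit memlock -1\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Return 0 (true) only if the file mentions memlock exactly once and that
# mention is an rlimit directive disabling it; 1 otherwise.
memlock_disabled() {
    [ "$(grep -c 'memlock' "$1")" -eq 1 ] &&
    grep -q '^[[:space:]]*rlimit[[:space:]]\{1,\}memlock[[:space:]]\{1,\}-1[[:space:]]*$' "$1"
}

# Demo on a constructed sample config (not copied from any real host).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ntp.conf"
printf '%s\n' \
    'server 0.freebsd.pool.ntp.org iburst' \
    'rlimit memlock 32 stacksize 50' \
    'restrict default kod nomodify notrap nopeer noquery' > "$demo_conf"
apply_memlock_workaround "$demo_conf"
if memlock_disabled "$demo_conf"; then
    echo "memlock disabled in $demo_conf:"
    cat "$demo_conf"
fi
rm -rf "$demo_dir"
```

After the change ntpd still has to be restarted for the new rlimit to take effect; the script only rewrites the file.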