Date:      Fri, 30 Oct 2015 17:21:44 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: segfault in ntpd
Message-ID:  <5633A728.7000904@FreeBSD.org>
In-Reply-To: <86bnbgbqa6.fsf@desk.des.no>
References:  <86bnbgbqa6.fsf@desk.des.no>


On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
> Can those of you who are experiencing this bug on 10 please try to build
> and run a kernel from head@287591 or newer (with your 10 userland) and
> report back?
>
> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
> # cd /tmp/head
> # make buildkernel KERNCONF=GENERIC
> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
> # nextboot -k head
> # shutdown -r now
>
> DES
>

Hi, Dag-Erling,

I'm not able to reboot machines where I've seen this crash right now,
but I can report:

   * Can't reproduce the problem in a VirtualBox VM running
10.2-RELEASE-p6 amd64.

   * But I can get a back trace after compiling the 10.2-RELEASE-p6
sources and a core dump from one of the machines where the problem happens:

(gdb) bt full
#0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at
atomic.h:143
No locals.
#1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
	n = <value optimized out>
	fp = <value optimized out>
	g = <value optimized out>
#2  0x00000008012470ab in _BIG5_mbrtowc (pwc=<value optimized out>,
    s=<value optimized out>, n=Cannot access memory at address 0x1
) at /usr/src/lib/libc/locale/big5.c:113
	wc = <value optimized out>
#3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
    buffer_size=0, retval=0x8014c6130, ap=0x18b95,
    cache_mdata=<value optimized out>)
    at /usr/src/lib/libc/net/getservent.c:1071
	serv = (struct servent *) 0x0
	orig_buf = 0x802031040 "0aL\001\b"
	orig_buf_size = <value optimized out>
	ret_errno = <value optimized out>
	p = <value optimized out>
	alias = <value optimized out>
#4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
    disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
    method_name=0x80126de24 ".conf", defaults=0x2)
    at /usr/src/lib/libc/net/nsdispatch.c:541
	ap = {{gp_offset = 48, fp_offset = 48,
    overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
	mdata = (void *) 0x80126ddfc
	cache_data = {key = 0x17d0 <Address 0x17d0 out of bounds>,
  key_size = 34369025376, info = 0x7fffdfdfc9e0}
	isthreaded = 1
	serrno = 22
	result = <value optimized out>
	st = <value optimized out>
	fb_method = <value optimized out>
	srclist = <value optimized out>
	srclistsize = <value optimized out>
	cache_flag = <value optimized out>
	method = <value optimized out>
	saved_depth = <value optimized out>
#5  0x0000000801213121 in nis_setservent (result=0x801c33100,
    mdata=<value optimized out>, ap=0x0)
    at /usr/src/lib/libc/net/getservent.c:812
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	rv = <value optimized out>
#6  0x0000000801213029 in files_setservent (retval=0x801c33100,
    mdata=<value optimized out>, ap=<value optimized out>)
    at /usr/src/lib/libc/net/getservent.c:451
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	rv = <value optimized out>
	f = 0
#7  0x000000080120f373 in _dns_getaddrinfo (rv=<value optimized out>,
    cb_data=<value optimized out>, ap=<value optimized out>)
    at /usr/src/lib/libc/net/getaddrinfo.c:2266
	sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
  ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
  ai_addr = 0x802031040, ai_next = 0x2}
	q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
  qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
  anslen = 11616604, n = 8}
	q2 = {next = 0x8014b5f80,
  name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass =
-538982832,
  qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
	cur = (struct addrinfo *) 0x3
	pai = <value optimized out>
	hostname = <value optimized out>
	res = <value optimized out>
	ai = <value optimized out>
#8  0x000000080120ca61 in strcspn (s=0x801c33100 "",
    charset=<value optimized out>) at /usr/src/lib/libc/string/strcspn.c:59
	tbl = {34393355264, 34389385984, 34389386167, 34389386056}
	bit = <value optimized out>
	s1 = <value optimized out>
#9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700,
req=0x801c46300)
    at
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
	ai_res = (struct addrinfo *) 0x0
	node = 0x7fffdfdfcbe8 "\002"
	service = 0xc <Address 0xc out of bounds>
	worker_ctx = (dnsworker_ctx *) 0x80200e060
	resp_octets = Cannot access memory at address 0x600
(gdb)

	Cheers,

	Matthew


