Subject: Re: segfault in ntpd
To: freebsd-security@freebsd.org
From: Matthew Seaman <matthew@FreeBSD.org>
Date: Fri, 30 Oct 2015 17:21:44 +0000
Message-ID: <5633A728.7000904@FreeBSD.org>
In-Reply-To: <86bnbgbqa6.fsf@desk.des.no>
List-Id: "Security issues [members-only posting]"
On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
> Can those of you who are experiencing this bug on 10 please try to build
> and run a kernel from head@287591 or newer (with your 10 userland) and
> report back?
>
> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
> # cd /tmp/head
> # make buildkernel KERNCONF=GENERIC
> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
> # nextboot -k head
> # shutdown -r now
>
> DES
>

Hi, Dag-Erling,

I'm not able to reboot machines where I've seen this crash right now,
but I can report:

* Can't reproduce the problem in a VirtualBox VM running 10.2-RELEASE-p6
  amd64.

* But I can get a back trace after compiling the 10.2-RELEASE-p6 sources
  and a core dump from one of the machines where the problem happens:

(gdb) bt full
#0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at atomic.h:143
No locals.
#1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
        n =
        fp =
        g =
#2  0x00000008012470ab in _BIG5_mbrtowc (pwc=, s=, n=Cannot access memory at address 0x1
) at /usr/src/lib/libc/locale/big5.c:113
        wc =
#3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "", buffer_size=0,
    retval=0x8014c6130, ap=0x18b95, cache_mdata=) at /usr/src/lib/libc/net/getservent.c:1071
        serv = (struct servent *) 0x0
        orig_buf = 0x802031040 "0aL\001\b"
        orig_buf_size =
        ret_errno =
        p =
        alias =
#4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70, disp_tab=0x801498680,
    database=0x80126de7c "\"%s\", \"%s\")...\n", method_name=0x80126de24 ".conf", defaults=0x2)
    at /usr/src/lib/libc/net/nsdispatch.c:541
        ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
        mdata = (void *) 0x80126ddfc
        cache_data = {key = 0x17d0, key_size = 34369025376, info = 0x7fffdfdfc9e0}
        isthreaded = 1
        serrno = 22
        result =
        st =
        fb_method =
        srclist =
        srclistsize =
        cache_flag =
        method =
        saved_depth =
#5  0x0000000801213121 in nis_setservent (result=0x801c33100, mdata=, ap=0x0)
    at /usr/src/lib/libc/net/getservent.c:812
        st = (struct nis_state *) 0x0
        st = (struct nis_state *) 0x0
        st = (struct nis_state *) 0x0
        st = (struct nis_state *) 0x0
        rv =
#6  0x0000000801213029 in files_setservent (retval=0x801c33100, mdata=, ap=)
    at /usr/src/lib/libc/net/getservent.c:451
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        st = (struct files_state *) 0x1
        rv =
        f = 0
#7  0x000000080120f373 in _dns_getaddrinfo (rv=,
---Type to continue, or q to quit---
    cb_data=, ap=) at /usr/src/lib/libc/net/getaddrinfo.c:2266
        sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848, ai_protocol = 8,
          ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "", ai_addr = 0x802031040, ai_next = 0x2}
        q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!", qclass = -538982744,
          qtype = 32767, answer = 0x801c06c00 "\225\213\001", anslen = 11616604, n = 8}
        q2 = {next = 0x8014b5f80, name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(",
          qclass = -538982832, qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
        cur = (struct addrinfo *) 0x3
        pai =
        hostname =
        res =
        ai =
#8  0x000000080120ca61 in strcspn (s=0x801c33100 "", charset=) at /usr/src/lib/libc/string/strcspn.c:59
        tbl = {34393355264, 34389385984, 34389386167, 34389386056}
        bit =
        s1 =
#9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700, req=0x801c46300)
    at /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
        ai_res = (struct addrinfo *) 0x0
        node = 0x7fffdfdfcbe8 "\002"
        service = 0xc
        worker_ctx = (dnsworker_ctx *) 0x80200e060
        resp_octets = Cannot access memory at address 0x600
(gdb)

Cheers,

Matthew