Subject: Re: segfault in ntpd
From: Matthew Seaman
To: freebsd-security@freebsd.org
Date: Mon, 2 Nov 2015 11:49:59 +0000
Message-ID: <56374DE7.7030909@infracaninophile.co.uk>
In-Reply-To: <5633A728.7000904@FreeBSD.org>
References: <86bnbgbqa6.fsf@desk.des.no> <5633A728.7000904@FreeBSD.org>

On 10/30/15 17:21, Matthew Seaman wrote:
> On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
>> Can those of you who are experiencing this bug on 10 please try to build
>> and run a kernel from head@287591 or newer (with your 10 userland) and
>> report back?
>>
>> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
>> # cd /tmp/head
>> # make buildkernel KERNCONF=GENERIC
>> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
>> # nextboot -k head
>> # shutdown -r now
>>
>> DES
>>
> Hi, Dag-Erling,
>
> I'm not able to reboot machines where I've seen this crash right now,
> but I can report:
>
> * Can't reproduce the problem in a VirtualBox VM running
>   10.2-RELEASE-p6 amd64.
>
> * But I can get a back trace after compiling the 10.2-RELEASE-p6
>   sources and a core dump from one of the machines where the problem happens:
>
> (gdb) bt full
> #0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at atomic.h:143
> No locals.
> #1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
>         n =
>         fp =
>         g =
> #2  0x00000008012470ab in _BIG5_mbrtowc (pwc=, s=, n=Cannot access memory at address 0x1
> ) at /usr/src/lib/libc/locale/big5.c:113
>         wc =
> #3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
>     buffer_size=0, retval=0x8014c6130, ap=0x18b95, cache_mdata=)
>     at /usr/src/lib/libc/net/getservent.c:1071
>         serv = (struct servent *) 0x0
>         orig_buf = 0x802031040 "0aL\001\b"
>         orig_buf_size =
>         ret_errno =
>         p =
>         alias =
> #4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
>     disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
>     method_name=0x80126de24 ".conf", defaults=0x2)
>     at /usr/src/lib/libc/net/nsdispatch.c:541
>         ap = {{gp_offset = 48, fp_offset = 48,
>             overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
>         mdata = (void *) 0x80126ddfc
>         cache_data = {key = 0x17d0, key_size = 34369025376, info = 0x7fffdfdfc9e0}
>         isthreaded = 1
>         serrno = 22
>         result =
>         st =
>         fb_method =
>         srclist =
>         srclistsize =
>         cache_flag =
>         method =
>         saved_depth =
> #5  0x0000000801213121 in nis_setservent (result=0x801c33100, mdata=, ap=0x0)
>     at /usr/src/lib/libc/net/getservent.c:812
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         st = (struct nis_state *) 0x0
>         rv =
> #6  0x0000000801213029 in files_setservent (retval=0x801c33100, mdata=, ap=)
>     at /usr/src/lib/libc/net/getservent.c:451
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         st = (struct files_state *) 0x1
>         rv =
>         f = 0
> #7  0x000000080120f373 in _dns_getaddrinfo (rv=,
> ---Type <return> to continue, or q <return> to quit---
>     cb_data=, ap=)
>     at /usr/src/lib/libc/net/getaddrinfo.c:2266
>         sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
>             ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
>             ai_addr = 0x802031040, ai_next = 0x2}
>         q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
>             qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
>             anslen = 11616604, n = 8}
>         q2 = {next = 0x8014b5f80,
>             name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass = -538982832,
>             qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
>         cur = (struct addrinfo *) 0x3
>         pai =
>         hostname =
>         res =
>         ai =
> #8  0x000000080120ca61 in strcspn (s=0x801c33100 "", charset=)
>     at /usr/src/lib/libc/string/strcspn.c:59
>         tbl = {34393355264, 34389385984, 34389386167, 34389386056}
>         bit =
>         s1 =
> #9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700, req=0x801c46300)
>     at /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
>         ai_res = (struct addrinfo *) 0x0
>         node = 0x7fffdfdfcbe8 "\002"
>         service = 0xc
>         worker_ctx = (dnsworker_ctx *) 0x80200e060
>         resp_octets = Cannot access memory at address 0x600
> (gdb)
>
> Cheers,
>
> Matthew
>

Thanks to Andre Albsmeier, a work-around seems to be turning off memlock in ntp.conf.

I have just posted my observations to the freebsd-stable list:

http://lists.freebsd.org/pipermail/freebsd-stable/2015-November/083574.html

What happens if you add "rlimit memlock -1" to ntp.conf?

Cheers,

Matthew