From owner-freebsd-bugs Sun Jan 13 10:40:11 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id E168A37B416
	for ; Sun, 13 Jan 2002 10:40:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0DIe1p59243;
	Sun, 13 Jan 2002 10:40:01 -0800 (PST)
	(envelope-from gnats)
Received: from D00015.dialonly.kemerovo.su (www2.svzserv.kemerovo.su [213.184.65.86])
	by hub.freebsd.org (Postfix) with ESMTP id CA7B237B419
	for ; Sun, 13 Jan 2002 10:32:07 -0800 (PST)
Received: (from eugen@localhost)
	by D00015.dialonly.kemerovo.su (8.11.6/8.11.6) id g0DIV4705875;
	Mon, 14 Jan 2002 01:31:04 +0700 (KRAT)
	(envelope-from eugen)
Message-Id: <200201131831.g0DIV4705875@D00015.dialonly.kemerovo.su>
Date: Mon, 14 Jan 2002 01:31:04 +0700 (KRAT)
From: Eugene Grosbein
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/33846: 4.5RC1: ftpd dies with SIGSEGV after ABOR
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         33846
>Category:       bin
>Synopsis:       4.5RC1: ftpd dies with SIGSEGV after ABOR
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 13 10:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.5-RC i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD D00015.dialonly.kemerovo.su 4.5-RC FreeBSD 4.5-RC #1: Sun Jan 13 13:22:48 KRAT 2002 eu@D00015.dialonly.kemerovo.su:/usr/local/obj/mnt/old/usr/src/sys/DADV i386

Have CPUTYPE=i686 in /etc/make.conf and no other optimizations.

>Description:
It is easy to make an ftpd child die with SIGSEGV.

>How-To-Repeat:
1. Have ftpd enabled in /etc/inetd.conf:

	ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -llSd

Note that the flags '-llSd' are for debugging purposes only. SIGSEGV is triggered with no flags too.

2. Create a perl script for triggering this bug:

	#!/usr/bin/perl -w
	$| = 1;
	use strict;
	use Net::FTP;

	my $ftp;
	my $data;

	# Control connection; the host may be remote as well.
	$ftp = Net::FTP->new("localhost") or die "connect: $@";
	$ftp->login("ftp", '') or die "login: " . $ftp->message;

	# Binary mode, passive data connection, then start a retrieval.
	$ftp->quot('TYPE I');
	$ftp->pasv();
	$ftp->retr('test');

	# Mark the data connection as being read, then abort the transfer
	# (Net::FTP sends the Telnet IP/Synch sequence followed by ABOR).
	$data = $ftp->_dataconn();
	$data->reading();
	$ftp->abort();

Note:
a) you need ports/net/p5-Net to run this,
b) the hostname need not be localhost, it may be remote too,
c) you can use anonymous or a general login, it does not matter; it can be chrooted or not,
d) the name of the file does not matter either.

3. As an option: use sysctl kern.sugid_coredump=1; set sysctl kern.corefile to a directory where ftpd will have write permission to create a core; use sysctl net.inet.tcp.log_in_vain=1. The script seldom fails to crash ftpd; in that case you will see an 'in vain' connection from port 20 to a randomly selected port. Just rerun the script then. Rebuild ftpd with debug info.

Here is ftpd's example log:

Jan 14 01:23:19 D00015 ftpd[5831]: connection from localhost (127.0.0.1)
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 220
Jan 14 01:23:19 D00015 ftpd[5831]: D00015.dialonly.kemerovo.su FTP server (Version 6.00LS) ready.
Jan 14 01:23:19 D00015 ftpd[5831]: command: user ftp
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 331
Jan 14 01:23:19 D00015 ftpd[5831]: Guest login ok, send your email address as password.
Jan 14 01:23:19 D00015 ftpd[5831]: command: PASS
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 230
Jan 14 01:23:19 D00015 ftpd[5831]: Guest login ok, access restrictions apply.
Jan 14 01:23:19 D00015 ftpd[5831]: ANONYMOUS FTP LOGIN FROM localhost,
Jan 14 01:23:19 D00015 ftpd[5831]: command: TYPE I
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 200
Jan 14 01:23:19 D00015 ftpd[5831]: Type set to I.
Jan 14 01:23:19 D00015 ftpd[5831]: command: PASV
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 227
Jan 14 01:23:19 D00015 ftpd[5831]: Entering Passive Mode (127,0,0,1,192,115)
Jan 14 01:23:19 D00015 ftpd[5831]: command: RETR test
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 150
Jan 14 01:23:19 D00015 ftpd[5831]: Opening BINARY mode data connection for 'test' (2500 bytes).
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 226
Jan 14 01:23:19 D00015 ftpd[5831]: Transfer complete.
Jan 14 01:23:19 D00015 ftpd[5831]: get test = 2500 bytes
Jan 14 01:23:19 D00015 ftpd[5831]: command: ABOR
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 426
Jan 14 01:23:19 D00015 ftpd[5831]: Transfer aborted. Data connection closed.
Jan 14 01:23:19 D00015 ftpd[5831]: <--- 226
Jan 14 01:23:19 D00015 ftpd[5831]: Abort successful

Here the ftpd child died with SIGSEGV and we have a corefile. Here is gdb's output:

Script started on Mon Jan 14 01:11:16 2002
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ftpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libskey.so.2...done.
Reading symbols from /usr/lib/libmd.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x0 in ?? ()
(gdb) bt
#0  0x0 in ?? ()
#1  0x804ca4e in retrieve (cmd=0x0, name=0xffff0000 ) at /mnt/old/usr/src/libexec/ftpd/ftpd.c:1481
#2  0x0 in ?? ()
(gdb) l 1481
1476		data = -1;
1477		pdata = -1;
1478	done:
1479		if (cmd == 0)
1480			LOGBYTES("get", name, byte_count);
1481		(*closefunc)(fin);
1482	}
1483
1484	void
1485	store(name, mode, unique)
(gdb) q

Script done on Mon Jan 14 01:11:45 2002

This output is always the same for me.

>Fix:
Unknown for me.

Eugene Grosbein

>Release-Note:
>Audit-Trail:
>Unformatted:
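A socket-level equivalent of the reproducer in How-To-Repeat above, added here as an example; it is neither the reporter's Net::FTP script nor FreeBSD ftpd code. It drives the same USER/PASS, TYPE I, PASV, RETR, ABOR sequence over raw sockets so that every byte sent on the control connection is explicit, in particular the Telnet IAC IP bytes sent as TCP urgent data (what raises SIGURG in ftpd) and the DM ABOR line that follows, split the way Net::FTP's abort() sends them. parse_pasv and abort_messages are pure and can be checked offline; run_sequence needs a reachable ftpd, and its host, port, user, password and file-name parameters are assumptions defaulting to the PR's values (localhost, anonymous ftp, a file called test).

```python
"""Socket-level version of the PR's reproducer (added example; not the
reporter's Net::FTP script and not FreeBSD ftpd code)."""
import re
import socket

# Telnet control bytes used by RFC 959 ABOR handling.
IAC = 0xFF  # "interpret as command"
IP = 0xF4   # Interrupt Process
DM = 0xF2   # Data Mark (the Telnet "Synch")

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Turn '227 Entering Passive Mode (127,0,0,1,192,115)' into
    ('127.0.0.1', 49267).  Raises ValueError on anything that is not a
    well-formed 227 reply, so an error reply can never steer the client
    to a bogus data port."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def abort_messages():
    """Bytes for an ABOR, split as Net::FTP's abort() sends them:
    IAC IP IAC as TCP urgent data, then DM 'ABOR' CRLF in band."""
    return bytes([IAC, IP, IAC]), bytes([DM]) + b"ABOR\r\n"


def run_sequence(host="localhost", port=21, user="ftp", password="",
                 name="test", timeout=10.0):
    """Drive a live ftpd through the PR's command sequence and return the
    final line of every control reply.  All parameters are assumptions
    (defaults mirror the PR); the offline checks never call this."""
    ctrl = socket.create_connection((host, port), timeout=timeout)
    rfile = ctrl.makefile("rb")
    replies = []

    def read_reply():
        # Collect a possibly multi-line reply ('NNN-' ... 'NNN ') and
        # return its last line; EOF means the server child went away.
        while True:
            raw = rfile.readline()
            if not raw:
                raise ConnectionError("control connection closed by server")
            line = raw.decode("latin-1").rstrip("\r\n")
            if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
                replies.append(line)
                return line

    def cmd(text):
        ctrl.sendall(text.encode("latin-1") + b"\r\n")
        return read_reply()

    read_reply()                       # 220 banner
    cmd("USER " + user)                # 331
    cmd("PASS " + password)            # 230
    cmd("TYPE I")                      # 200
    dhost, dport = parse_pasv(cmd("PASV"))
    data = socket.create_connection((dhost, dport), timeout=timeout)
    cmd("RETR " + name)                # 150; like the script, never read data
    urgent, inline = abort_messages()
    ctrl.send(urgent, socket.MSG_OOB)  # raises SIGURG in the ftpd child
    ctrl.sendall(inline)
    data.close()
    ctrl.sendall(b"QUIT\r\n")
    try:
        for _ in range(6):             # 426, 226 (maybe a 226 Transfer
            if read_reply().startswith("221"):   # complete), then 221
                break
    except (ConnectionError, socket.timeout) as exc:
        # No 221 means the child never got to QUIT: the PR's crash case.
        replies.append("<no reply: %s>" % exc)
    ctrl.close()
    return replies


if __name__ == "__main__":
    for line in run_sequence():
        print(line)
```

A surviving server answers the ABOR with 426 and 226 and then 221 to QUIT; when the child dies as in the PR, the control connection is closed instead and the returned list ends with the "<no reply: ...>" marker.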