Date: Mon, 26 Oct 2015 14:11:02 -0400
From: Derek Schrock
To: "freebsd-security@freebsd.org"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

On Mon, Oct 26, 2015 at 01:52:12PM EDT, Christopher Schulte wrote:
>
> > On Oct 26, 2015, at 12:23 PM, Matthew Seaman wrote:
> >
> > I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6:
> >
> > Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on signal 11 (core dumped)
> >
> > This is from freebsd-update(8). I've a core dump available, but it's
> > not very illuminating without any debug symbols.
> >
> > Cheers,
> >
> > Matthew
>
> I was seeing the same thing on multiple systems, after running freebsd-update and then bouncing ntpd. I rebooted one of the problematic boxes; ntpd then started cleanly. I haven’t tested this across the board yet, though.
>
> Config:
>
> # freebsd-version -uk
> 10.2-RELEASE
> 10.2-RELEASE-p6
>
> # uname -a
> FreeBSD mybox 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

I'm not having any issues with ntpd on either 10.2 or 9.3; however, on
9.3 the ntp query utilities (ntpdc and ntpq) both crash with sig 6:

...
Oct 26 11:37:48 host ntpd[49294]: ntpd 4.2.8p4-a (1): Starting
...

However 9.3 ntpq and ntpdc:

# ntpq
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed
Abort trap (core dumped)
# ntpdc
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed
Abort trap (core dumped)
#

I don't know how much value you can get out of a stripped bt for ntpq:

#0 0x000000080115004c in kill () from /lib/libc.so.7
#1 0x000000080114ec7b in abort () from /lib/libc.so.7
#2 0x0000000000418ad7 in ?? ()
#3 0x0000000000418b2f in ?? ()
#4 0x0000000000413039 in ?? ()
#5 0x0000000000411e43 in ?? ()
#6 0x000000000040767b in ?? ()
#7 0x0000000000403a61 in ?? ()
#8 0x0000000800658000 in ?? ()
#9 0x0000000000000000 in ?? ()

and ntpdc:

#0 0x000000080139904c in kill () from /lib/libc.so.7
#1 0x0000000801397c7b in abort () from /lib/libc.so.7
#2 0x0000000000415f27 in ?? ()
#3 0x0000000000415f7f in ?? ()
#4 0x0000000000410489 in ?? ()
#5 0x000000000040f293 in ?? ()
#6 0x0000000000405f86 in ?? ()
#7 0x0000000000403991 in ?? ()
#8 0x0000000800653000 in ?? ()
#9 0x0000000000000000 in ?? ()