Date:      Mon, 26 Oct 2015 20:46:42 +0000
From:      Gary Palmer <gpalmer@freebsd.org>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Message-ID:  <20151026204642.GB39073@in-addr.com>
In-Reply-To: <20151026181102.GA1889@ircbsd>
References:  <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> <562E6180.5060104@FreeBSD.org> <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> <20151026181102.GA1889@ircbsd>

On Mon, Oct 26, 2015 at 02:11:02PM -0400, Derek Schrock wrote:
> On Mon, Oct 26, 2015 at 01:52:12PM EDT, Christopher Schulte wrote:
> > > On Oct 26, 2015, at 12:23 PM, Matthew Seaman <matthew@FreeBSD.org> wrote:
> > > 
> > > I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6:
> > > 
> > > Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on
> > > signal 11 (core dumped)
> > > 
> > > This is from freebsd-update(8).  I've a core dump available, but it's
> > > not very illuminating without any debug symbols.
> > > 
> > > 	Cheers,
> > > 
> > > 	Matthew
> > 
> > I was seeing the same thing on multiple systems, after running freebsd-update and then bouncing ntpd.  I rebooted one of the problematic boxes; ntpd then started cleanly.  I haven't tested this across the board yet, though.
> > 
> > Config:
> > 
> > # freebsd-version -uk
> > 10.2-RELEASE
> > 10.2-RELEASE-p6
> > 
> > # uname -a
> > FreeBSD mybox 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
> 
> I'm not having any issues with ntpd on either 10.2 or 9.3; however, on
> 9.3 the ntp query utilities (ntpdc and ntpq) both crash with sig 6:
> 
> ...
> Oct 26 11:37:48 <ntp.notice> host ntpd[49294]: ntpd 4.2.8p4-a (1): Starting
> ...
> 
> 
> However 9.3 ntpq and ntpdc:
> 
> # ntpq
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed 
> Abort trap (core dumped)
> # ntpdc
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed 
> Abort trap (core dumped)
> # 
> 
> I don't know how much value you can get out of a stripped bt for ntpq:
> 
> #0  0x000000080115004c in kill () from /lib/libc.so.7
> #1  0x000000080114ec7b in abort () from /lib/libc.so.7
> #2  0x0000000000418ad7 in ?? ()
> #3  0x0000000000418b2f in ?? ()
> #4  0x0000000000413039 in ?? ()
> #5  0x0000000000411e43 in ?? ()
> #6  0x000000000040767b in ?? ()
> #7  0x0000000000403a61 in ?? ()
> #8  0x0000000800658000 in ?? ()
> #9  0x0000000000000000 in ?? ()
> 
> and ntpdc:
> #0  0x000000080139904c in kill () from /lib/libc.so.7
> #1  0x0000000801397c7b in abort () from /lib/libc.so.7
> #2  0x0000000000415f27 in ?? ()
> #3  0x0000000000415f7f in ?? ()
> #4  0x0000000000410489 in ?? ()
> #5  0x000000000040f293 in ?? ()
> #6  0x0000000000405f86 in ?? ()
> #7  0x0000000000403991 in ?? ()
> #8  0x0000000800653000 in ?? ()
> #9  0x0000000000000000 in ?? ()


Here's my backtrace from 9.3 ntpq on amd64

% gdb /usr/obj/usr/src/usr.sbin/ntp/ntpq/ntpq ntpq.core 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `ntpq'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib/libedit.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libedit.so.7
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libcrypto.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /lib/libncurses.so.8...(no debugging symbols found)...done.
Loaded symbols for /lib/libncurses.so.8
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000801147f1c in kill () from /lib/libc.so.7
(gdb) bt
#0  0x0000000801147f1c in kill () from /lib/libc.so.7
#1  0x0000000801146b4b in abort () from /lib/libc.so.7
#2  0x0000000000418ad7 in isc_error_fatal ()
#3  0x0000000000418b2f in isc_error_runtimecheck ()
#4  0x0000000000413039 in isc_net_probeipv4 ()
#5  0x0000000000411e43 in init_lib ()
#6  0x000000000040767b in ntpqmain ()
#7  0x0000000000403a61 in _start ()
#8  0x0000000800658000 in ?? ()
#9  0x0000000000000000 in ?? ()
(gdb) 

ntpd is starting OK on the same box, but I have to use a pre-update
copy of ntpq to make sure it's synchronised OK.  For some reason,
a pre-update copy of ntpdc doesn't work, just times out.

Regards,

Gary


