segfault in ntpd

Matthew Seaman matthew at FreeBSD.org
Fri Oct 30 17:23:09 UTC 2015 

On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
> Can those of you who are experiencing this bug on 10 please try to build
> and run a kernel from head at 287591 or newer (with your 10 userland) and
> report back?
> 
> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
> # cd /tmp/head
> # make buildkernel KERNCONF=GENERIC
> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
> # nextboot -k head
> # shutdown -r now
> 
> DES
> 

Hi, Dag-Erling,

I'm not able to reboot machines where I've seen this crash right now,
but I can report:

   * Can't reproduce the problem in a VirtualBox VM running
10.2-RELEASE-p6 amd64.

   * But I can get a back trace after compiling the 10.2-RELEASE-p6
sources and a core dump from one of the machines where the problem happens:

(gdb) bt full
#0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at
atomic.h:143
No locals.
#1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
	n = <value optimized out>
	fp = <value optimized out>
	g = <value optimized out>
#2  0x00000008012470ab in _BIG5_mbrtowc (pwc=<value optimized out>,
    s=<value optimized out>, n=Cannot access memory at address 0x1
) at /usr/src/lib/libc/locale/big5.c:113
	wc = <value optimized out>
#3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
    buffer_size=0, retval=0x8014c6130, ap=0x18b95,
    cache_mdata=<value optimized out>)
    at /usr/src/lib/libc/net/getservent.c:1071
	serv = (struct servent *) 0x0
	orig_buf = 0x802031040 "0aL\001\b"
	orig_buf_size = <value optimized out>
	ret_errno = <value optimized out>
	p = <value optimized out>
	alias = <value optimized out>
#4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
    disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
    method_name=0x80126de24 ".conf", defaults=0x2)
    at /usr/src/lib/libc/net/nsdispatch.c:541
	ap = {{gp_offset = 48, fp_offset = 48,
    overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
	mdata = (void *) 0x80126ddfc
	cache_data = {key = 0x17d0 <Address 0x17d0 out of bounds>,
  key_size = 34369025376, info = 0x7fffdfdfc9e0}
	isthreaded = 1
	serrno = 22
	result = <value optimized out>
	st = <value optimized out>
	fb_method = <value optimized out>
	srclist = <value optimized out>
	srclistsize = <value optimized out>
	cache_flag = <value optimized out>
	method = <value optimized out>
	saved_depth = <value optimized out>
#5  0x0000000801213121 in nis_setservent (result=0x801c33100,
    mdata=<value optimized out>, ap=0x0)
    at /usr/src/lib/libc/net/getservent.c:812
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	st = (struct nis_state *) 0x0
	rv = <value optimized out>
#6  0x0000000801213029 in files_setservent (retval=0x801c33100,
    mdata=<value optimized out>, ap=<value optimized out>)
    at /usr/src/lib/libc/net/getservent.c:451
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	st = (struct files_state *) 0x1
	rv = <value optimized out>
	f = 0
#7  0x000000080120f373 in _dns_getaddrinfo (rv=<value optimized out>,
---Type <return> to continue, or q <return> to quit---
    cb_data=<value optimized out>, ap=<value optimized out>)
    at /usr/src/lib/libc/net/getaddrinfo.c:2266
	sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
  ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
  ai_addr = 0x802031040, ai_next = 0x2}
	q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
  qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
  anslen = 11616604, n = 8}
	q2 = {next = 0x8014b5f80,
  name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass =
-538982832,
  qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
	cur = (struct addrinfo *) 0x3
	pai = <value optimized out>
	hostname = <value optimized out>
	res = <value optimized out>
	ai = <value optimized out>
#8  0x000000080120ca61 in strcspn (s=0x801c33100 "",
    charset=<value optimized out>) at /usr/src/lib/libc/string/strcspn.c:59
	tbl = {34393355264, 34389385984, 34389386167, 34389386056}
	bit = <value optimized out>
	s1 = <value optimized out>
#9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700,
req=0x801c46300)
    at
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
	ai_res = (struct addrinfo *) 0x0
	node = 0x7fffdfdfcbe8 "\002"
	service = 0xc <Address 0xc out of bounds>
	worker_ctx = (dnsworker_ctx *) 0x80200e060
	resp_octets = Cannot access memory at address 0x600
(gdb)

	Cheers,

	Matthew


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151030/d3a46ace/attachment.bin>

More information about the freebsd-security mailing list