NetBSD Problem Report #44052
From hash@abox3.so-net.ne.jp Sat Nov 6 00:56:16 2010
Return-Path: <hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id E5BC563BAB2
for <gnats-bugs@gnats.NetBSD.org>; Sat, 6 Nov 2010 00:56:15 +0000 (UTC)
Message-Id: <20101106082858.9171.17947C80@abox3.so-net.ne.jp>
Date: Sat, 06 Nov 2010 08:29:44 +0900
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Cc: hash@abox3.so-net.ne.jp
Subject: chrooted ntpd refers freed memory
>Number: 44052
>Category: bin
>Synopsis: chrooted ntpd refers freed memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Nov 06 01:00:00 +0000 2010
>Closed-Date: Sun Nov 07 09:07:08 +0000 2010
>Last-Modified: Sun Nov 07 09:07:08 +0000 2010
>Originator: Takahiro HAYASHI
>Release: NetBSD-current 5.99.39 checked out on 2010-11-04 22:02:24 UTC
>Organization:
>Environment:
System: NetBSD halt 5.99.39 NetBSD 5.99.39 (HALT) #1: Fri Nov 5 21:35:09 JST 2010 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/HALT i386
Architecture: i386
Machine: i386
>Description:
ntpd(8) can drop privileges by specifying chrootdir or running as
an unprivileged user. In that case (disable_dynamic_updates != 0)
ntpd will close routing socket and free its handler structure
itself in function process_routing_msgs(), then refers the freed
memory as next handler in function input_handler().
This causes SIGSEGV if /etc/malloc.conf -> J.
>How-To-Repeat:
start ntpd in chrooted jail or under unprivileged user
>Fix:
Please apply this patch.
Index: external/bsd/ntp/dist/ntpd/ntp_io.c
===================================================================
RCS file: /cvsroot/src/external/bsd/ntp/dist/ntpd/ntp_io.c,v
retrieving revision 1.2
diff -u -r1.2 ntp_io.c
--- external/bsd/ntp/dist/ntpd/ntp_io.c 14 Dec 2009 00:43:58 -0000 1.2
+++ external/bsd/ntp/dist/ntpd/ntp_io.c 5 Nov 2010 22:10:49 -0000
@@ -3355,11 +3355,13 @@
asyncio_reader = asyncio_reader_list;
while (asyncio_reader != NULL) {
+ struct asyncio_reader *next = asyncio_reader->link;
+
if (FD_ISSET(asyncio_reader->fd, &fds)) {
++select_count;
(asyncio_reader->receiver)(asyncio_reader);
}
- asyncio_reader = asyncio_reader->link;
+ asyncio_reader = next;
}
#endif /* HAS_ROUTING_SOCKET */
--
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44052 CVS commit: src/external/bsd/ntp/dist/ntpd
Date: Sat, 6 Nov 2010 16:40:12 -0400
Module Name: src
Committed By: christos
Date: Sat Nov 6 20:40:12 UTC 2010
Modified Files:
src/external/bsd/ntp/dist/ntpd: ntp_io.c
Log Message:
PR/44052: Takahiro HAYASHI: chrooted ntpd refers freed memory
As mentioned in the pr, process_routing_msgs can delete the current reader,
so cache the next element before calling it.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/ntp/dist/ntpd/ntp_io.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sun, 07 Nov 2010 00:17:05 +0000
State-Changed-Why:
Committed by christos, ok to close?
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, wiz@NetBSD.org,
hash@abox3.so-net.ne.jp
Subject: Re: bin/44052 (chrooted ntpd refers freed memory)
Date: Sun, 07 Nov 2010 11:55:50 +0900
It works fine.
Thank you.
--
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>
State-Changed-From-To: feedback->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sun, 07 Nov 2010 09:07:08 +0000
State-Changed-Why:
Confirmed fixed, thanks.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.