NetBSD Problem Report #44052

From hash@abox3.so-net.ne.jp  Sat Nov  6 00:56:16 2010
Return-Path: <hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id E5BC563BAB2
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  6 Nov 2010 00:56:15 +0000 (UTC)
Message-Id: <20101106082858.9171.17947C80@abox3.so-net.ne.jp>
Date: Sat, 06 Nov 2010 08:29:44 +0900
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Cc: hash@abox3.so-net.ne.jp
Subject: chrooted ntpd refers freed memory

>Number:         44052
>Category:       bin
>Synopsis:       chrooted ntpd refers freed memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 06 01:00:00 +0000 2010
>Closed-Date:    Sun Nov 07 09:07:08 +0000 2010
>Last-Modified:  Sun Nov 07 09:07:08 +0000 2010
>Originator:     Takahiro HAYASHI
>Release:        NetBSD-current 5.99.39 checked out on 2010-11-04 22:02:24 UTC
>Organization:
>Environment:
System: NetBSD halt 5.99.39 NetBSD 5.99.39 (HALT) #1: Fri Nov 5 21:35:09 JST 2010 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/HALT i386
Architecture: i386
Machine: i386
>Description:
	ntpd(8) can drop privileges by specifying chrootdir or running as
	an unprivileged user. In that case (disable_dynamic_updates != 0)
	ntpd will close the routing socket and free its handler structure
	itself in function process_routing_msgs(), then reference the freed
	memory as the next handler in function input_handler().
	This causes SIGSEGV if /etc/malloc.conf -> J.
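	The following is an added example, not ntpd's or NetBSD's code: a constructed
	model of the input_handler() reader walk and of a receiver callback that, like
	process_routing_msgs() with dynamic updates disabled, unlinks and frees its own
	reader. The names build_list(), dispatch_unsafe(), dispatch_safe(),
	remove_asyncio_reader() and the quarantine array are assumptions of the example.
	Instead of calling free(), "freed" readers are poisoned and parked in a
	quarantine, standing in for malloc.conf "J", so the dangling read in the
	pre-fix loop is reported as -1 rather than crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct asyncio_reader {
	struct asyncio_reader *link;
	int fd;
	int ready;                                  /* stands in for FD_ISSET(fd, &fds) */
	void (*receiver)(struct asyncio_reader *);
};

static struct asyncio_reader *asyncio_reader_list;   /* head of the reader list */
static int select_count;                             /* readers serviced in one pass */

/* Quarantine (constructed stand-in for malloc.conf "J"): "freed" readers are
 * poisoned and parked here instead of being handed back to malloc(), so a
 * dangling-pointer read can be detected by the example instead of crashing. */
#define QUARANTINE_MAX 16
#define POISON_LINK ((struct asyncio_reader *)(uintptr_t)0xd0d0d0d0u)
static struct asyncio_reader *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static int
is_quarantined(const struct asyncio_reader *rp)
{
	for (int i = 0; i < quarantine_len; i++)
		if (quarantine[i] == rp)
			return 1;
	return 0;
}

/* Unlink rp from the list and "free" it (poison + quarantine). */
static void
remove_asyncio_reader(struct asyncio_reader *rp)
{
	struct asyncio_reader **pp = &asyncio_reader_list;

	while (*pp != NULL && *pp != rp)
		pp = &(*pp)->link;
	if (*pp == rp)
		*pp = rp->link;
	rp->link = POISON_LINK;       /* what J-filled memory would look like */
	rp->fd = -1;
	if (quarantine_len < QUARANTINE_MAX)
		quarantine[quarantine_len++] = rp;
}

/* Receiver that, like process_routing_msgs() when dynamic updates are
 * disabled, closes its socket and deletes its own reader from the callback. */
static void
routing_receiver(struct asyncio_reader *rp)
{
	remove_asyncio_reader(rp);
}

/* Ordinary receiver that just consumes the event. */
static void
plain_receiver(struct asyncio_reader *rp)
{
	(void)rp;
}

/* Build a three-reader list: fd 0 plain, fd 1 routing socket, fd 2 plain. */
void
build_list(void)
{
	for (int fd = 2; fd >= 0; fd--) {
		struct asyncio_reader *rp = calloc(1, sizeof(*rp));

		if (rp == NULL)
			abort();
		rp->fd = fd;
		rp->ready = 1;
		rp->receiver = (fd == 1) ? routing_receiver : plain_receiver;
		rp->link = asyncio_reader_list;
		asyncio_reader_list = rp;
	}
	select_count = 0;
	quarantine_len = 0;
}

/* Pre-fix loop from input_handler(): reads ->link after the receiver may have
 * freed the node. Returns -1 at the point where real ntpd would read freed
 * memory (a SIGSEGV under malloc.conf J), otherwise the readers serviced. */
int
dispatch_unsafe(void)
{
	struct asyncio_reader *rp = asyncio_reader_list;

	while (rp != NULL) {
		if (rp->ready) {
			++select_count;
			(rp->receiver)(rp);
		}
		if (is_quarantined(rp))      /* rp->link is now a dangling read */
			return -1;
		rp = rp->link;
	}
	return select_count;
}

/* Fixed loop: cache the successor before the receiver can free rp. */
int
dispatch_safe(void)
{
	struct asyncio_reader *rp = asyncio_reader_list;

	while (rp != NULL) {
		struct asyncio_reader *next = rp->link;

		if (rp->ready) {
			++select_count;
			(rp->receiver)(rp);
		}
		rp = next;
	}
	return select_count;
}

/* Release everything: live list plus quarantined nodes. */
void
teardown(void)
{
	while (asyncio_reader_list != NULL) {
		struct asyncio_reader *next = asyncio_reader_list->link;

		free(asyncio_reader_list);
		asyncio_reader_list = next;
	}
	for (int i = 0; i < quarantine_len; i++)
		free(quarantine[i]);
	quarantine_len = 0;
}

int
main(void)
{
	build_list();
	printf("unsafe walk: %d\n", dispatch_unsafe());   /* -1: dangling read */
	teardown();
	build_list();
	printf("safe walk: %d\n", dispatch_safe());       /* 3: all readers serviced */
	teardown();
	return 0;
}
```

	The unsafe walk services fd 0 and fd 1, then would dereference the reader
	that fd 1's receiver just freed; the safe walk reaches fd 2 through the
	cached next pointer, which is exactly what the patch below changes.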
>How-To-Repeat:
	start ntpd in a chrooted jail or as an unprivileged user
>Fix:
	Please apply this patch.

Index: external/bsd/ntp/dist/ntpd/ntp_io.c
===================================================================
RCS file: /cvsroot/src/external/bsd/ntp/dist/ntpd/ntp_io.c,v
retrieving revision 1.2
diff -u -r1.2 ntp_io.c
--- external/bsd/ntp/dist/ntpd/ntp_io.c	14 Dec 2009 00:43:58 -0000	1.2
+++ external/bsd/ntp/dist/ntpd/ntp_io.c	5 Nov 2010 22:10:49 -0000
@@ -3355,11 +3355,13 @@
 	asyncio_reader = asyncio_reader_list;

 	while (asyncio_reader != NULL) {
+		struct asyncio_reader *next = asyncio_reader->link;
+
 		if (FD_ISSET(asyncio_reader->fd, &fds)) {
 			++select_count;
 			(asyncio_reader->receiver)(asyncio_reader);
 		}
-		asyncio_reader = asyncio_reader->link;
+		asyncio_reader = next;
 	}
 #endif /* HAS_ROUTING_SOCKET */
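Review bot: the cached pointer at `struct asyncio_reader *next = asyncio_reader->link;` is only safe if the receiver unlinks and frees nothing but the current reader; a receiver that also removed its successor would leave `next` dangling and reintroduce the same read of freed memory. The commit message states that process_routing_msgs only deletes the current reader, so the invariant holds today, but a one-line comment above that declaration saying that the receiver may free `asyncio_reader` and that its link must therefore be read first would keep a future receiver from breaking it silently.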


-- 
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44052 CVS commit: src/external/bsd/ntp/dist/ntpd
Date: Sat, 6 Nov 2010 16:40:12 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Sat Nov  6 20:40:12 UTC 2010

 Modified Files:
 	src/external/bsd/ntp/dist/ntpd: ntp_io.c

 Log Message:
 PR/44052: Takahiro HAYASHI: chrooted ntpd refers freed memory
 As mentioned in the pr, process_routing_msgs can delete the current reader,
 so cache the next element before calling it.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/external/bsd/ntp/dist/ntpd/ntp_io.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sun, 07 Nov 2010 00:17:05 +0000
State-Changed-Why:
Committed by christos, ok to close?


From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, wiz@NetBSD.org,
        hash@abox3.so-net.ne.jp
Subject: Re: bin/44052 (chrooted ntpd refers freed memory)
Date: Sun, 07 Nov 2010 11:55:50 +0900

 It works fine.
 Thank you.

 -- 
 Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>

State-Changed-From-To: feedback->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sun, 07 Nov 2010 09:07:08 +0000
State-Changed-Why:
Confirmed fixed, thanks.


>Unformatted:
