NetBSD Problem Report #51267

From www@NetBSD.org  Fri Jun 24 06:54:20 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id CBBB17AABF
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 24 Jun 2016 06:54:20 +0000 (UTC)
Message-Id: <20160624065420.008AE7AAC0@mollari.NetBSD.org>
Date: Fri, 24 Jun 2016 06:54:19 +0000 (UTC)
From: divyadv2010@gmail.com
Reply-To: divyadv2010@gmail.com
To: gnats-bugs@NetBSD.org
Subject: NETBSD 3.1 crashes on continuous ping
X-Send-Pr-Version: www-1.0

>Number:         51267
>Category:       bin
>Synopsis:       NETBSD 3.1 crashes on continuous ping
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 24 06:55:00 +0000 2016
>Closed-Date:    Sun Jul 31 18:19:53 +0000 2016
>Last-Modified:  Sun Jul 31 18:19:53 +0000 2016
>Originator:     Divya
>Release:        3.1
>Organization:
Quest
>Environment:
>Description:
NetBSD crashes on continuous ping. As per the crash log, the suspected line is the printf below.

(void)printf(" time=%.3f ms", triptime*1000.0);
in pr_pack_sub() function

Seems like the %.3f is causing the crash. Please help if anybody faced this issue before.
>How-To-Repeat:
ping to any ip continuously for more than 12 hours
>Fix:
none

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/51267: NETBSD 3.1 crashes on continuous ping
Date: Fri, 24 Jun 2016 09:54:59 +0200

 On Fri, Jun 24, 2016 at 06:55:00AM +0000, divyadv2010@gmail.com wrote:
 > >Release:        3.1

 3.1 is a typo?

 Also what architecture are you on and what value of "crash" do you see?
 Kernel panic? Ping program dies with a core?

 Martin

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 24 Jun 2016 15:44:46 +0000
State-Changed-Why:
some questions were asked


From: "Greg A. Woods" <woods@planix.ca>
To: NetBSD GNATS <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: bin/51267 (NETBSD 3.1 crashes on continuous ping)
Date: Thu, 30 Jun 2016 13:32:17 -0700


 Turns out this is almost certainly due to the signal handlers in ping
 calling non-reentrant functions (stdio, and malloc via stdio).

 See the related question, which has been updated with additional
 information, along with my answer here:

   http://stackoverflow.com/a/38131441/816536


 A good quick mostly fix would be to import OpenBSD's ping (and to keep
 in mind tracking it as it appears they will end up with a merged
 ping/ping6 at some point (soon?)).

 I say "mostly" because it appears on quick inspection that rev. 1.139 of
 OpenBSD ping still has a call to summary(signo) in a signal handler, and
 though their summary() avoids malloc() and stdout if called from a
 signal handler, I think on first glance it may still not be 100%
 reentrant due to the libc calls it does still make.  It's still 110%
 better than what we have in NetBSD now though.  (I think I've seen a
 crash from a signal handler calling NetBSD's snprintf(), but I'm not
 completely sure my memory is correct about that, and I have no notes
 about it that I can find.)

 The OpenBSD ping could have the SIGCONT feature patched into it, but
 that's hardly a critical feature that would go missing.

 BTW, this probably isn't a security-critical fix given that ping drops
 privs before setting up signal handlers, and I don't think it opens any
 avenues for remote exploitation.

 -- 
 						Greg A. Woods
 						Planix, Inc.

 <woods@planix.com>       +1 250 762-7675        http://www.planix.com/


From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51267 CVS commit: src/sbin/ping
Date: Sun, 31 Jul 2016 18:14:36 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Sun Jul 31 18:14:36 UTC 2016

 Modified Files:
 	src/sbin/ping: ping.c

 Log Message:
 Manipulate the signal masks so signals only arrive while we're waiting,
 so they can't illegally reenter libc.

 Fixes the problem Greg A. Woods describes in PR 51267, which might or
 might not be the original submitter's problem.


 To generate a diff of this commit:
 cvs rdiff -u -r1.110 -r1.111 src/sbin/ping/ping.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
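 The pattern the commit describes, and the reentrancy problem Greg A. Woods
 points out above, as an added example that is not NetBSD's ping.c or any
 code from this PR: the handler only records which signal arrived in a
 sig_atomic_t flag, SIGALRM and SIGINT stay blocked in the process mask, and
 pselect() is the only place where they are unblocked, atomically, for the
 duration of the wait. All formatting and reporting then happens in the main
 context with the signals blocked again, so a handler can never land in the
 middle of stdio or malloc. The function names, the stage numbers returned by
 run_demo() and the use of raise() to stand in for an interval timer are this
 example's own choices; no socket is opened (fd < 0 just sleeps).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>

/* Added example, not NetBSD's ping.c. */
static volatile sig_atomic_t got_alrm;   /* "send next probe" tick */
static volatile sig_atomic_t got_int;    /* "print summary and stop" */

/* Async-signal-safe by construction: touches only sig_atomic_t flags. */
static void note_signal(int signo)
{
    if (signo == SIGALRM)
        got_alrm = 1;
    else if (signo == SIGINT)
        got_int = 1;
}

/* Install handlers and block both signals.  The previous mask is saved in
 * *waitmask; that is the mask pselect() runs under, so the signals are
 * deliverable only while we wait.  Returns 0 on success, -1 on failure. */
static int setup_signals(sigset_t *waitmask)
{
    struct sigaction sa;
    sigset_t block;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = note_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) == -1 || sigaction(SIGINT, &sa, NULL) == -1)
        return -1;
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigaddset(&block, SIGINT);
    return sigprocmask(SIG_BLOCK, &block, waitmask);
}

/* Wait up to 'ms' milliseconds for fd to become readable (fd < 0: just sleep).
 * pselect() installs *waitmask atomically for the wait and restores the
 * blocking mask before returning.  Returns 1 if a signal interrupted the
 * wait, 0 on readable/timeout, -1 on any other error. */
static int wait_for_reply(int fd, const sigset_t *waitmask, int ms)
{
    fd_set rfds;
    struct timespec ts;
    int n;

    FD_ZERO(&rfds);
    if (fd >= 0)
        FD_SET(fd, &rfds);
    ts.tv_sec = ms / 1000;
    ts.tv_nsec = (long)(ms % 1000) * 1000000L;
    n = pselect(fd >= 0 ? fd + 1 : 0, &rfds, NULL, NULL, &ts, waitmask);
    if (n == -1 && errno == EINTR)
        return 1;
    return n == -1 ? -1 : 0;
}

/* Drive the pattern once.  Returns 0 on success or the failing stage number. */
static int run_demo(void)
{
    sigset_t waitmask, cur;
    char line[64];

    if (setup_signals(&waitmask) == -1)
        return 1;
    got_alrm = 0;
    raise(SIGALRM);              /* blocked, so it only becomes pending */
    if (got_alrm)
        return 2;                /* handler must not have run yet */
    /* Main context, signals blocked: stdio is safe here (constructed value). */
    snprintf(line, sizeof line, " time=%.3f ms", 0.123 * 1000.0);
    /* The pending SIGALRM is delivered inside pselect() and only there. */
    if (wait_for_reply(-1, &waitmask, 100) != 1 || !got_alrm)
        return 3;
    /* Back from pselect(): the blocking mask must be in force again. */
    if (sigprocmask(SIG_BLOCK, NULL, &cur) == -1 || !sigismember(&cur, SIGALRM))
        return 4;
    printf("%s\n", line);        /* report from main context, never from a handler */
    /* Nothing pending now: the wait simply times out. */
    if (wait_for_reply(-1, &waitmask, 10) != 0)
        return 5;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (stage %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

 In a real ping loop the interval timer would be SIGALRM from setitimer()
 and the stop request SIGINT from the terminal; the shape stays the same:
 check got_alrm/got_int after every pselect() return and do the sending,
 printing and summary work there, not in note_signal().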

State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 31 Jul 2016 18:19:53 +0000
State-Changed-Why:
The problem that's been described is fixed. Since it's not a particularly
serious problem I'm not inclined to bother to have the fix merged into
the netbsd 6.x and 7.x release branches.

If the original problem is something else, please file a new PR with
sufficient info for diagnosis. Also note that NetBSD 3.1 has been EOL for
many years.


>Unformatted:
