NetBSD Problem Report #51267
From www@NetBSD.org Fri Jun 24 06:54:20 2016
Message-Id: <20160624065420.008AE7AAC0@mollari.NetBSD.org>
Date: Fri, 24 Jun 2016 06:54:19 +0000 (UTC)
From: divyadv2010@gmail.com
Reply-To: divyadv2010@gmail.com
To: gnats-bugs@NetBSD.org
Subject: NETBSD 3.1 crashes on continuous ping
X-Send-Pr-Version: www-1.0
>Number: 51267
>Category: bin
>Synopsis: NETBSD 3.1 crashes on continuous ping
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 24 06:55:00 +0000 2016
>Closed-Date: Sun Jul 31 18:19:53 +0000 2016
>Last-Modified: Sun Jul 31 18:19:53 +0000 2016
>Originator: Divya
>Release: 3.1
>Organization:
Quest
>Environment:
>Description:
NetBSD crashes on continuous ping. As per the crash log, the suspected line is the printf below:
(void)printf(" time=%.3f ms", triptime*1000.0);
in the pr_pack_sub() function.
It seems like the %.3f is causing the crash. Please help if anybody has faced this issue before.
>How-To-Repeat:
Ping any IP continuously for more than 12 hours.
>Fix:
none
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/51267: NETBSD 3.1 crashes on continuous ping
Date: Fri, 24 Jun 2016 09:54:59 +0200
On Fri, Jun 24, 2016 at 06:55:00AM +0000, divyadv2010@gmail.com wrote:
> >Release: 3.1
3.1 is a typo?
Also what architecture are you on and what value of "crash" do you see?
Kernel panic? Ping program dies with a core?
Martin
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 24 Jun 2016 15:44:46 +0000
State-Changed-Why:
some questions were asked
From: "Greg A. Woods" <woods@planix.ca>
To: NetBSD GNATS <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: bin/51267 (NETBSD 3.1 crashes on continuous ping)
Date: Thu, 30 Jun 2016 13:32:17 -0700
Turns out this is almost certainly due to the signal handlers in ping
calling non-reentrant functions (stdio, and malloc via stdio).
See the related question, which has been updated with additional
information, along with my answer here:
http://stackoverflow.com/a/38131441/816536
A good quick mostly fix would be to import OpenBSD's ping (and to keep
in mind tracking it as it appears they will end up with a merged
ping/ping6 at some point (soon?)).
I say "mostly" because it appears on quick inspection that rev. 1.139 of
OpenBSD ping still has a call to summary(signo) in a signal handler, and
though their summary() avoids malloc() and stdout if called from a
signal handler, I think on first glance it may still not be 100%
reentrant due to the libc calls it does still make. It's still 110%
better than what we have in NetBSD now though. (I think I've seen a
crash from a signal handler calling NetBSD's snprintf(), but I'm not
completely sure my memory is correct about that, and I have no notes
about it that I can find.)
The OpenBSD ping could have the SIGCONT feature patched into it, but
that's hardly a critical feature that would go missing.
BTW, this probably isn't a security-critical fix given that ping drops
privs before setting up signal handlers, and I don't think it opens any
avenues for remote exploitation.
-- 
Greg A. Woods
Planix, Inc.
<woods@planix.com> +1 250 762-7675 http://www.planix.com/
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51267 CVS commit: src/sbin/ping
Date: Sun, 31 Jul 2016 18:14:36 +0000
Module Name: src
Committed By: dholland
Date: Sun Jul 31 18:14:36 UTC 2016
Modified Files:
src/sbin/ping: ping.c
Log Message:
Manipulate the signal masks so signals only arrive while we're waiting,
so they can't illegally reenter libc.
Fixes the problem Greg A. Woods describes in PR 51267, which might or
might not be the original submitter's problem.
To generate a diff of this commit:
cvs rdiff -u -r1.110 -r1.111 src/sbin/ping/ping.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 31 Jul 2016 18:19:53 +0000
State-Changed-Why:
The problem that's been described is fixed. Since it's not a particularly
serious problem I'm not inclined to bother to have the fix merged into
the netbsd 6.x and 7.x release branches.
If the original problem is something else, please file a new PR with
sufficient info for diagnosis. Also note that NetBSD 3.1 has been EOL for
many years.
>Unformatted:
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.