[pkg-ntp-maintainers] Bug#795315: /usr/sbin/ntpd: ntpd segfaults in input_handler at ntp_io.c:3642

Bjørn Mork bjorn at mork.no
Wed Aug 12 20:50:50 UTC 2015


Package: ntp
Version: 1:4.2.6.p5+dfsg-7
Severity: important
File: /usr/sbin/ntpd

Dear Maintainer,

Lately I've had repeated segfaults at the same strange instruction pointer.  Some examples:

[413548.161658] ntpd[10451]: segfault at 31 ip 0000000000000031 sp 00007fff671f60a8 error 14 in ntpd[400000+7c000]
[415129.821268] ntpd[14753]: segfault at 31 ip 0000000000000031 sp 00007ffc33800348 error 14 in ntpd[400000+7c000]
[415189.853330] ntpd[16079]: segfault at 31 ip 0000000000000031 sp 00007ffd18644c18 error 14 in ntpd[400000+7c000]
[416749.789097] ntpd[17432]: segfault at 31 ip 0000000000000031 sp 00007ffc796c6e48 error 14 in ntpd[400000+7c000]
[418309.853324] ntpd[18741]: segfault at 31 ip 0000000000000031 sp 00007fff8da5e968 error 14 in ntpd[400000+7c000]
[419959.837194] ntpd[21252]: segfault at 31 ip 0000000000000031 sp 00007ffde6edec38 error 14 in ntpd[400000+7c000]
[421669.853236] ntpd[23963]: segfault at 31 ip 0000000000000031 sp 00007fff2de10768 error 14 in ntpd[400000+7c000]
[424699.869224] ntpd[26256]: segfault at 31 ip 0000000000000031 sp 00007ffdd1b560c8 error 14 in ntpd[400000+7c000]
[437479.836984] ntpd[4566]: segfault at 31 ip 0000000000000031 sp 00007fffffffded8 error 14 in ntpd[400000+7c000]
[453139.804986] ntpd[2638]: segfault at 31 ip 0000000000000031 sp 00007ffc61382d88 error 14 in ntpd[400000+7c000]

A gdb backtrace gave this:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000031 in ?? ()
(gdb) bt full
#0  0x0000000000000031 in ?? ()
No symbol table info available.
#1  0x000000000040efd8 in input_handler (cts=cts at entry=0x7fffffffe3c0) at ntp_io.c:3642
        buflen = <optimized out>
        n = <optimized out>
        doing = <optimized out>
        fd = <optimized out>
        tvzero = {tv_sec = 0, tv_usec = 0}
        ts = {Ul_i = {Xl_ui = 3648400129, Xl_i = -646567167}, Ul_f = {Xl_uf = 2931768944, Xl_f = -1363198352}}
        fds = {fds_bits = {562949953421312, 0 <repeats 15 times>}}
        select_count = <optimized out>
        ep = 0x0
        asyncio_reader = 0x6fe530
#2  0x0000000000412890 in ntpdmain (argc=<optimized out>, argv=0x7fffffffe5a8) at ntpd.c:1102
        ts = {Ul_i = {Xl_ui = 3648400129, Xl_i = -646567167}, Ul_f = {Xl_uf = 2931768944, Xl_f = -1363198352}}
        rdfdes = {fds_bits = {562949953421312, 0 <repeats 15 times>}}
        nfound = <optimized out>
        now = {Ul_i = {Xl_ui = 3648397054, Xl_i = -646570242}, Ul_f = {Xl_uf = 909946309, Xl_f = 909946309}}
        rbuf = <optimized out>
#3  0x0000000000405bd9 in main (argc=<optimized out>, argv=<optimized out>) at ntpd.c:358
No locals.

Looking at the code around ntp_io.c:3642 I see this:
 
#ifdef HAS_ROUTING_SOCKET
	/*
	 * scan list of asyncio readers - currently only used for routing sockets
	 */
	asyncio_reader = asyncio_reader_list;

	while (asyncio_reader != NULL) {
		if (FD_ISSET(asyncio_reader->fd, &fds)) {
			++select_count;
			(asyncio_reader->receiver)(asyncio_reader);
		}
		asyncio_reader = asyncio_reader->link;
	}
#endif /* HAS_ROUTING_SOCKET */


Line 3642 is the indirect call to 'asyncio_reader->receiver', which of course
explains how we could get such a consistently strange address on the stack. I
haven't looked further into this, but it seems obvious that something sometimes
set asyncio_reader->receiver to 0x31. Hoping that you might have some
idea where that could be...


Bjørn

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ntp depends on:
ii  adduser      3.113+nmu3
ii  dpkg         1.17.25
ii  libc6        2.19-18
ii  libcap2      1:2.24-8
ii  libedit2     3.1-20140620-2
ii  libopts25    1:5.18.4-3
ii  libssl1.0.0  1.0.1k-3+deb8u1
ii  lsb-base     4.1+Debian13+nmu1
ii  netbase      5.3

Versions of packages ntp recommends:
ii  perl  5.20.2-3+deb8u1

Versions of packages ntp suggests:
pn  ntp-doc  <none>

-- Configuration Files:
/etc/ntp.conf changed [not included]

-- no debconf information
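As an added example (not part of the report, and not ntpd's own code), the C program below models the two observations in the message: a triage helper that parses kernel "segfault at" lines like the ones quoted above and flags the case where the faulting address equals the instruction pointer (the fault is the instruction fetch at the target of a call through a bad code pointer, which is exactly what an ip of 0x31 looks like), and a guarded version of the asyncio reader loop that checks the receiver callback against a table of receivers installed at startup before making the indirect call, so a corrupted pointer is logged and skipped rather than jumped to. The struct layout, the `registered` table, `register_receiver` and `dispatch_readers` are assumptions of this example, not names from ntpd.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the list input_handler walks in the report. The layout is this
 * example's assumption, not ntpd's actual struct. */
struct asyncio_reader {
	int fd;
	void (*receiver)(struct asyncio_reader *);
	struct asyncio_reader *link;
};
typedef void (*receiver_fn)(struct asyncio_reader *);

/* Hypothetical allow-list of receivers installed at startup. A callback
 * pointer not in this table (NULL, 0x31, a heap address...) is reported
 * instead of being called. */
#define MAX_RECEIVERS 8
static receiver_fn registered[MAX_RECEIVERS];
static size_t nregistered;

static int register_receiver(receiver_fn fn)
{
	if (fn == NULL || nregistered >= MAX_RECEIVERS)
		return -1;
	registered[nregistered++] = fn;
	return 0;
}

static int receiver_is_registered(receiver_fn fn)
{
	for (size_t i = 0; i < nregistered; i++)
		if (registered[i] == fn)
			return 1;
	return 0;
}

/* Same loop shape as the HAS_ROUTING_SOCKET block, but the callback is
 * validated before the indirect call. Returns the number of nodes rejected
 * so the caller can log and exit cleanly instead of jumping to garbage. */
static int dispatch_readers(struct asyncio_reader *head, int ready_fd)
{
	int rejected = 0;
	for (struct asyncio_reader *r = head; r != NULL; r = r->link) {
		if (r->fd != ready_fd)
			continue;
		if (!receiver_is_registered(r->receiver)) {
			fprintf(stderr, "reader %p: receiver %#" PRIxPTR
				" is not registered, skipping\n",
				(void *)r, (uintptr_t)r->receiver);
			rejected++;
			continue;
		}
		r->receiver(r);
	}
	return rejected;
}

static int good_calls;
static void good_receiver(struct asyncio_reader *r) { (void)r; good_calls++; }

/* Constructed scenario: a healthy node plus one whose receiver was
 * overwritten with 0x31, as the backtrace suggests. Returns 1 when the bad
 * node is skipped and the good one still runs. */
static int demo_guarded_dispatch(void)
{
	struct asyncio_reader bad = { 7, (receiver_fn)(uintptr_t)0x31, NULL };
	struct asyncio_reader good = { 7, good_receiver, &bad };
	nregistered = 0;
	good_calls = 0;
	register_receiver(good_receiver);
	return dispatch_readers(&good, 7) == 1 && good_calls == 1;
}

/* Triage a kernel "segfault at" line: 1 when the faulting address equals
 * ip (the fault is the instruction fetch at the target of a call through a
 * bad code pointer), 0 for a data-access fault, -1 if it does not parse. */
static int ip_is_fault_address(const char *line)
{
	unsigned long addr, ip, sp;
	unsigned err;
	const char *p = strstr(line, "segfault at ");
	if (p == NULL || sscanf(p, "segfault at %lx ip %lx sp %lx error %u",
				&addr, &ip, &sp, &err) != 4)
		return -1;
	return addr == ip;
}

/* First dmesg line quoted in the report. */
static const char *report_line =
	"[413548.161658] ntpd[10451]: segfault at 31 ip 0000000000000031 "
	"sp 00007fff671f60a8 error 14 in ntpd[400000+7c000]";

int main(void)
{
	printf("report line ip==addr: %d, guard skipped bad node: %d\n",
	       ip_is_fault_address(report_line), demo_guarded_dispatch());
	return 0;
}
```

The allow-list check is a coarse, hand-rolled form of what compiler-based control-flow integrity does automatically; in a real daemon the rejection path should also dump the offending node so the corruption (here, whatever writes 0x31 into the struct) can be traced back to its source rather than silently tolerated.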
