[pkg-ntp-maintainers] Bug#793806: ntpq "rv" -> ntpd SEGV in ctl_putstr

Christophe Wolfhugel chris at wolfhugel.eu
Mon Jul 27 17:00:04 UTC 2015


Package: ntp
Version: 1:4.2.8p3+dfsg-1
Severity: normal
Tags: d-i upstream

With the most recent update I have my ntpd dump core when receiving
an "rv" command:

(gdb) where
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000004174d0 in ctl_putstr (tag=0x0, data=0x7fffffffe0d0 "md5", len=3) at ntp_control.c:1400
#2  0x000000000041924f in ctl_putsys (varid=<optimized out>) at ntp_control.c:2360
#3  0x000000000041b3f1 in read_sysvars () at ntp_control.c:3181
#4  read_variables (rbufp=<optimized out>, restrict_mask=<optimized out>) at ntp_control.c:3205
#5  0x000000000042da92 in receive (rbufp=0x718140) at ntp_proto.c:461
#6  0x0000000000415568 in ntpdmain (argc=0, argv=0x7fffffffeba0) at ntpd.c:1214
#7  0x0000000000406309 in main (argc=<optimized out>, argv=<optimized out>) at ntpd.c:290

This was narrowed down to being related to the use of autokey and
possibly an error in defined dependencies.

Short correction on Debian rules: --enable-leap-smear must be enabled when compiled
with autokey (autodetected on my installation).

I would believe the bug might also apply to the upstream code, as when LEAP_SMEAR
is not defined some of the autokey elements in "sys_var" point to a null pointer.

From the end of the sys_var declaration:

        { CS_TIMER_XMTS,        RO, "timer_xmts" },     /* 87 */
        { CS_FUZZ,              RO, "fuzz" },           /* 88 */
        { CS_WANDER_THRESH,     RO, "clk_wander_threshold" }, /* 89 */
#ifdef LEAP_SMEAR
        { CS_LEAPSMEARINTV,     RO, "leapsmearinterval" },    /* 90 */
        { CS_LEAPSMEAROFFS,     RO, "leapsmearoffset" },      /* 91 */
#endif   /* LEAP_SMEAR */
#ifdef AUTOKEY
        { CS_FLAGS,     RO, "flags" },          /* 1 + CS_MAX_NOAUTOKEY */
        { CS_HOST,      RO, "host" },           /* 2 + CS_MAX_NOAUTOKEY */
        { CS_PUBLIC,    RO, "update" },         /* 3 + CS_MAX_NOAUTOKEY */
        { CS_CERTIF,    RO, "cert" },           /* 4 + CS_MAX_NOAUTOKEY */
        { CS_SIGNATURE, RO, "signature" },      /* 5 + CS_MAX_NOAUTOKEY */
        { CS_REVTIME,   RO, "until" },          /* 6 + CS_MAX_NOAUTOKEY */
        { CS_IDENT,     RO, "ident" },          /* 7 + CS_MAX_NOAUTOKEY */
        { CS_DIGEST,    RO, "digest" },         /* 8 + CS_MAX_NOAUTOKEY */
#endif  /* AUTOKEY */
        { 0,            EOV, "" }               /* 87/95 */
};

and above:

#define CS_MAX_NOAUTOKEY        CS_LEAPSMEAROFFS

So basically when LEAP_SMEAR is not defined, CS_MAX_NOAUTOKEY would not have
the right value, and some of the AUTOKEY CS_* fields might point to
unallocated space.

By defining the above compile option I did get rid of the core
dump, although I must admit this is not the proper correction.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ntp depends on:
ii  adduser       3.113+nmu3
ii  dpkg          1.18.1
ii  libc6         2.19-19
ii  libcap2       1:2.24-9
ii  libgcc1       1:5.1.1-14
ii  libopts25     1:5.18.6~pre3-3
ii  libreadline6  6.3-8+b3
ii  libssl1.0.0   1.0.2d-1
ii  lsb-base      4.1+Debian13+nmu1
ii  netbase       5.3

Versions of packages ntp recommends:
ii  perl  5.20.2-6

Versions of packages ntp suggests:
ii  ntp-doc  2:4.2.6.p5+cw-1

-- Configuration Files:
/etc/ntp.conf changed [not included]

-- no debconf information
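The failure the report describes is an index/table mismatch: the CS_* values are assigned unconditionally, but the rows of sys_var are compiled conditionally, so a build without LEAP_SMEAR has a table two rows shorter than the indices assume and sys_var[CS_DIGEST].text is read past the end (the NULL tag seen in frame #1). The program below is an added illustration, not code from the report or from ntpd; its CS_* numbers, flag values and table contents are constructed for the demonstration, and it models both builds side by side instead of recompiling. It shows the wrong-row and past-the-end results of direct indexing, a lookup by code that tolerates omitted rows, a startup self-check for the index == code invariant, and a ctl_putstr-style formatter that refuses a NULL tag rather than passing it to strlen().

```c
/* Added example, not ntpd's code. Constants and rows are constructed to
 * model the LEAP_SMEAR / AUTOKEY index drift; they are not ntp_control.h's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PADDING 0x01
#define RO      0x02
#define EOV     0x40

/* Indices are fixed regardless of LEAP_SMEAR, as in the real header. */
#define CS_TIMER_XMTS     1
#define CS_FUZZ           2
#define CS_WANDER_THRESH  3
#define CS_LEAPSMEARINTV  4
#define CS_LEAPSMEAROFFS  5
#define CS_MAX_NOAUTOKEY  CS_LEAPSMEAROFFS
#define CS_FLAGS          (1 + CS_MAX_NOAUTOKEY)   /* 6 */
#define CS_HOST           (2 + CS_MAX_NOAUTOKEY)   /* 7 */
#define CS_DIGEST         (3 + CS_MAX_NOAUTOKEY)   /* 8 */

struct ctl_var {
    unsigned short code;   /* CS_* value this row describes */
    unsigned short flags;  /* RO / PADDING / EOV */
    const char    *text;   /* tag name sent back to ntpq */
};

/* Build with LEAP_SMEAR: every row sits at index == code. */
static const struct ctl_var sys_var_smear[] = {
    { 0,                PADDING, "" },
    { CS_TIMER_XMTS,    RO, "timer_xmts" },
    { CS_FUZZ,          RO, "fuzz" },
    { CS_WANDER_THRESH, RO, "clk_wander_threshold" },
    { CS_LEAPSMEARINTV, RO, "leapsmearinterval" },
    { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" },
    { CS_FLAGS,         RO, "flags" },
    { CS_HOST,          RO, "host" },
    { CS_DIGEST,        RO, "digest" },
    { 0,                EOV, "" }
};

/* Build without LEAP_SMEAR: the two smear rows are missing, so each AUTOKEY
 * row sits two slots before its CS_* index and CS_DIGEST (8) is past the end. */
static const struct ctl_var sys_var_nosmear[] = {
    { 0,                PADDING, "" },
    { CS_TIMER_XMTS,    RO, "timer_xmts" },
    { CS_FUZZ,          RO, "fuzz" },
    { CS_WANDER_THRESH, RO, "clk_wander_threshold" },
    { CS_FLAGS,         RO, "flags" },
    { CS_HOST,          RO, "host" },
    { CS_DIGEST,        RO, "digest" },
    { 0,                EOV, "" }
};

#define N_SMEAR   (sizeof sys_var_smear / sizeof sys_var_smear[0])
#define N_NOSMEAR (sizeof sys_var_nosmear / sizeof sys_var_nosmear[0])

/* Direct indexing (the crashing pattern), bounds-checked here so the wrong
 * answer is observable instead of undefined behaviour. */
const char *tag_by_index(const struct ctl_var *tbl, size_t n, int varid)
{
    if (varid < 0 || (size_t)varid >= n)
        return NULL;                  /* the real code reads past the array */
    return tbl[varid].text;
}

/* Lookup by code, walking to the EOV row: unaffected by omitted rows. */
const char *tag_by_code(const struct ctl_var *tbl, int varid)
{
    for (const struct ctl_var *v = tbl; !(v->flags & EOV); v++)
        if (v->code == varid)
            return v->text;
    return NULL;
}

/* Self-check of the invariant direct indexing relies on: every non-padding,
 * non-EOV row must sit at index == code. Returns 1 if it holds. */
int table_indices_consistent(const struct ctl_var *tbl)
{
    size_t i = 0;
    for (const struct ctl_var *v = tbl; !(v->flags & EOV); v++, i++)
        if (!(v->flags & PADDING) && v->code != i)
            return 0;
    return 1;
}

/* ctl_putstr-like formatter that refuses a NULL or empty tag instead of
 * handing it to strlen(). Returns bytes written, 0 on refusal/truncation. */
size_t put_tagged_str(char *out, size_t outsz, const char *tag, const char *data)
{
    if (tag == NULL || data == NULL || *tag == '\0')
        return 0;
    int n = snprintf(out, outsz, "%s=\"%s\"", tag, data);
    return (n < 0 || (size_t)n >= outsz) ? 0 : (size_t)n;
}

int main(void)
{
    char buf[64];
    const char *t = tag_by_index(sys_var_nosmear, N_NOSMEAR, CS_DIGEST);
    printf("smear consistent=%d nosmear consistent=%d\n",
           table_indices_consistent(sys_var_smear),
           table_indices_consistent(sys_var_nosmear));
    printf("nosmear CS_FLAGS by index -> %s\n", tag_by_index(sys_var_nosmear, N_NOSMEAR, CS_FLAGS));
    printf("nosmear CS_DIGEST by index -> %s\n", t ? t : "(NULL: strlen would crash)");
    printf("nosmear CS_DIGEST by code  -> %s\n", tag_by_code(sys_var_nosmear, CS_DIGEST));
    printf("guarded put with NULL tag wrote %zu bytes\n", put_tagged_str(buf, sizeof buf, t, "md5"));
    return 0;
}
```

Run as-is it prints the wrong tag ("digest") for CS_FLAGS and NULL for CS_DIGEST on the no-smear table, while the by-code lookup still finds "digest". The consistency check is the kind of assertion worth running at daemon start or in a unit test, since it catches any future row that is made conditional without its index.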
