AgentX use-after-free net-snmp 5.8
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
net-snmp (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Focal | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
AgentX is a protocol between snmpd and subagents, and is a way to add MIBs to the server. In simple terms, the AgentX master passes requests for such MIBs on to a registered subagent, which acts like a plugin.
The crashes happen in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to write a custom subagent and add a pause in the communication just slightly longer than the AgentX timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
# Patch the file network.py from the pyagentx python module:
wget https:/
cd /
sudo patch -p0 < ~/pyagentx-
cd -
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response) in a loop. Wait at least 10 iterations:
$ declare -i i=0; while /bin/true; do date; echo i=$i; snmpget -v 1 -c public localhost 1.3.6.1.
The response, when you get one, should be like this:
iso.3.6.
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
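As an added example (not part of this bug report or of net-snmp), a Python scanner for the crash signature the test plan describes in journalctl -u snmpd output: one or more "Unknown operation N in agentx_got_response" messages from an snmpd PID, followed by a glibc heap-corruption abort or a systemd core-dump for snmpd.service. The sample journal lines are constructed from those quoted in the test plan; the regexes and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
# Constructed sample journal, modelled on the journalctl -u snmpd lines quoted in this bug's test plan.
SAMPLE_JOURNAL = """\
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:42:00 f-snmpd snmpd[7200]: NET-SNMP version 5.8
"""

# journald short format: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<unit>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNKNOWN_OP_RE = re.compile(r"Unknown operation (\d+) in agentx_got_response")
HEAP_RE = re.compile(r"corrupted double-linked list|double linked list corrupted|double free")  # glibc aborts
COREDUMP_RE = re.compile(r"snmpd\.service: Main process exited, code=dumped")

@dataclass
class SnmpdCrash:
    pid: int
    unknown_ops: list = field(default_factory=list)  # "Unknown operation N" values, in order
    heap_msg: str = ""                                # glibc heap-corruption abort message, if any
    core_dumped: bool = False                         # systemd reported code=dumped for snmpd.service

    @property
    def matches_agentx_double_free(self) -> bool:
        # Signature: AgentX response with an unknown op, then heap corruption and/or a core dump.
        return bool(self.unknown_ops) and (bool(self.heap_msg) or self.core_dumped)

def scan_journal(text: str) -> list:
    """Return one SnmpdCrash per snmpd PID whose journal lines show the AgentX double-free pattern."""
    seen = {}
    last_snmpd_pid = None  # systemd's line carries PID 1, so attribute it to the most recent snmpd PID
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        unit, pid, msg = m["unit"], int(m["pid"]), m["msg"]
        if unit == "snmpd":
            last_snmpd_pid = pid
            crash = seen.setdefault(pid, SnmpdCrash(pid))
            op = UNKNOWN_OP_RE.search(msg)
            if op:
                crash.unknown_ops.append(int(op.group(1)))
            elif HEAP_RE.search(msg):
                crash.heap_msg = msg
        elif unit == "systemd" and COREDUMP_RE.search(msg) and last_snmpd_pid in seen:
            seen[last_snmpd_pid].core_dumped = True
    return [c for c in seen.values() if c.matches_agentx_double_free]
```

Feed it `journalctl -u snmpd --no-pager` output to confirm whether a crashed snmpd matches this pattern before and after installing the fixed packages.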
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
The original verification for this bug found another crash after running the snmpget command in a loop. This has been fixed in 5.8+dfsg-2ubuntu2.9 which will be uploaded with a changes file incorporating 5.8+dfsg-2ubuntu2.8 as well.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https:/
Likely a security issue too
Related branches
- Reviews: git-ubuntu bot: Approve; Sergio Durigan Junior (community): Approve; Canonical Server Reporter: Pending requested
  Diff: 189 lines (+161/-0), 4 files modified:
    debian/changelog (+10/-0)
    debian/patches/remove-request-when-sending-failed-1.patch (+68/-0)
    debian/patches/remove-request-when-sending-failed-2.patch (+81/-0)
    debian/patches/series (+2/-0)
- Reviews: git-ubuntu bot: Approve; Sergio Durigan Junior (community): Approve; Canonical Server Reporter: Pending requested
  Diff: 207 lines (+167/-0), 6 files modified:
    debian/changelog (+14/-0)
    debian/patches/double-free-agentx_got_response.patch (+36/-0)
    debian/patches/double-free-delegated-cache.patch (+33/-0)
    debian/patches/double-free-failed-transport.patch (+40/-0)
    debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch (+40/-0)
    debian/patches/series (+4/-0)
information type: Private Security → Public Security
Changed in net-snmp (Ubuntu):
  assignee: nobody → Andreas Hasenack (ahasenack)
Changed in net-snmp (Ubuntu Focal):
  status: New → In Progress
  assignee: nobody → Andreas Hasenack (ahasenack)
Changed in net-snmp (Ubuntu):
  status: In Progress → Fix Released
description: updated
Changed in net-snmp (Ubuntu Focal):
  status: Triaged → In Progress
tags: removed: server-todo
Can I make this bug public? The upstream bug and patch are public...