Ubuntu
net-snmp package

AgentX use-after-free net-snmp 5.8

Bug #2012926 reported by Kieran Kunhya
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
net-snmp (Ubuntu)
Fix Released
Undecided
Andreas Hasenack
Focal
Fix Released
Undecided
Andreas Hasenack

Bug Description

[ Impact ]

Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.

agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.

The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.

The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.

[ Test Plan ]

In a focal container, perform the following steps:

# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y

# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none

# restart snmpd
sudo systemctl restart snmpd

# Download the reproducer script from this bug:

wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py

# Patch the file network.py from the pyagentx python module:

wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
cd -

# Run the python script as root:

sudo python3 myagentx.py

# In another terminal, run this command as a regular user (you may or may not get a response) in a loop. Wait at least 10 iterations:
$ declare -i i=0; while /bin/true; do date; echo i=$i; snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0; i=$((i+1)); done

The response, when you get one, should be like this:
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"

# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.

# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.

Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.

[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.

That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.

[ Other Info ]
The original verification for this bug found another crash after running the snmpget command in a loop. This has been fixed in 5.8+dfsg-2ubuntu2.9 which will be uploaded with a changes file incorporating 5.8+dfsg-2ubuntu2.8 as well.

[ Original Description ]

Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883

Likely a security issue too

See original description

Related branches

~ahasenack/ubuntu/+source/net-snmp:focal-net-snmp-more-crashes
git-ubuntu bot: Approve
Sergio Durigan Junior (community): Approve
Canonical Server Reporter: Pending requested
Diff: 189 lines (+161/-0)
4 files modified
debian/changelog (+10/-0)
debian/patches/remove-request-when-sending-failed-1.patch (+68/-0)
debian/patches/remove-request-when-sending-failed-2.patch (+81/-0)
debian/patches/series (+2/-0)
~ahasenack/ubuntu/+source/net-snmp:focal-snmp-double-free-2012926
git-ubuntu bot: Approve
Sergio Durigan Junior (community): Approve
Canonical Server Reporter: Pending requested
Diff: 207 lines (+167/-0)
6 files modified
debian/changelog (+14/-0)
debian/patches/double-free-agentx_got_response.patch (+36/-0)
debian/patches/double-free-delegated-cache.patch (+33/-0)
debian/patches/double-free-failed-transport.patch (+40/-0)
debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch (+40/-0)
debian/patches/series (+4/-0)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public? The upstream bug and patch are public...

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Upstream bug report: https://sourceforge.net/p/net-snmp/bugs/2943/

Revision history for this message
Kieran Kunhya (kierank) wrote : Re: [Bug 2012926] Re: AgentX use-after-free net-snmp 5.8

Sure.

On Fri, 28 Apr 2023 at 02:40, Marc Deslauriers <email address hidden>
wrote:

> Can I make this bug public? The upstream bug and patch are public...
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2012926
>
> Title:
> AgentX use-after-free net-snmp 5.8
>
> Status in net-snmp package in Ubuntu:
> New
>
> Bug description:
> Is there a way this patch could be backported to Ubuntu 20.04 net-snmp
> as it fixes a crash we see:
>
> https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
>
> Likely a security issue too
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+subscriptions
>
>

Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Revision history for this message
Robie Basak (racb) wrote :

Ah, I just noticed that this is still Public Security. Marc, are you planning on patching it in the security pocket? Or should the server team look into an SRU?

tags: added: server-todo
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'm not planning a security update for this, as it is unclear to me if it can be attacker controlled. Could the server team please handle this as an SRU?

Christian Ehrhardt  (paelzer)
Changed in net-snmp (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

There are 3 commits that handle a double-free in agentx:

a)
commit f3e80746fde826cf4665fb959bda78cce061c883
Author: Bart Van Assche <email address hidden>
Date: Mon Aug 5 20:15:37 2019 -0700

    AgentX: Fix a use-after-free

    When calling snmp_async_send(), the callback function is called whether or
    not sending succeeds. Since the agentx_got_response() callback function
    frees the cache unconditionally, calling netsnmp_free_delegated_cache()
    explicitly after snmp_async_send() is wrong.

    See also https://sourceforge.net/p/net-snmp/bugs/2943/.

    Fixes: f9304c83f762 ("CHANGES: PATCH 1633670: fixed snmpd crashing when an AgentX subagent disconnect in the middle of processing of a request.") # v5.8.

b)
commit d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
Author: Bart Van Assche <email address hidden>
Date: Thu May 16 13:48:03 2019 +0200

    AgentX: Fix two use-after-free issues

    snmp_add_full() frees the transport if it fails. This was detected by Coverity.

c)
commit 33f8e2e1d63ad5932ade885ffbff379cab1e50bd
Author: Shogo Matsumoto <email address hidden>
Date: Tue May 7 09:41:13 2019 +0900

    agent/mibgroup/agentx: Fix double free of delegated cache in agentx_got_response()

    If snmpd receives a response from subagent immediately after the agentx
    session closed, agentx_got_response() frees delegated cache twice.

    This patch changes return value of "response too late on session"
    in agentx_got_response function to make the caller of this function
    remove the request in order to prevent double free.

    See also https://sourceforge.net/p/net-snmp/patches/1392/.

    Signed-off-by: Shogo Matsumoto <email address hidden>
    [ bvanassche: added patch tracker URL ]

https://sourceforge.net/p/net-snmp/bugs/2943/#8085 claims that patch 1392 (33f8e2e1d63ad5932ade885ffbff379cab1e50bd) did not fix the issue.

https://sourceforge.net/p/net-snmp/patches/1400/#0e56 describes what could perhaps become the test case for this bug:
"""
BTW, a good regression test for this, and how I could reproduce it, would be to kill (-9) the subagent while we are polling it. In my case, I start walking 1.3.6.1.2.1.15 and kill the subagent (bgpd) while we are doing the walk.
"""

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@kierank, if we have trouble reproducing this bug, do you have an environment where it happens reliably, and if yes, would you be able to test packages with the proposed fix to confirm they fix the issue?

Revision history for this message
Kieran Kunhya (kierank) wrote :

Yes, we will be able to do that.

I'm not sure specifically what triggers this. I think a slow response (1-2
seconds) from a GET to an OID is what causes the problem.

Then again we did try to backport the fixes manually on our side but didn't
manage to get it working.

Regards,
Kieran Kunhya

Sent from my mobile device

On Thu, 15 Jun 2023, 05:30 Andreas Hasenack, <email address hidden>
wrote:

> @kierank, if we have trouble reproducing this bug, do you have an
> environment where it happens reliably, and if yes, would you be able to
> test packages with the proposed fix to confirm they fix the issue?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2012926
>
> Title:
> AgentX use-after-free net-snmp 5.8
>
> Status in net-snmp package in Ubuntu:
> New
>
> Bug description:
> Is there a way this patch could be backported to Ubuntu 20.04 net-snmp
> as it fixes a crash we see:
>
> https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
>
> Likely a security issue too
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+subscriptions
>
>

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

> Then again we did try to backport the fixes manually on our side but didn't
> manage to get it working.

Which patches did you try that did not work?

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

I think I found a way to reproduce it with python3-pyagentx, a demo agentx agent, and a bit of time.sleep() :)

Jun 16 17:57:01 f-net-snmp-dbl-free snmpd[2421]: Unknown operation 6 in agentx_got_response
Jun 16 17:57:02 f-net-snmp-dbl-free snmpd[2421]: Unknown operation 6 in agentx_got_response
Jun 16 17:57:03 f-net-snmp-dbl-free snmpd[2421]: corrupted double-linked list
Jun 16 17:57:03 f-net-snmp-dbl-free systemd[1]: Created slice system-apport\x2dforward.slice.
Jun 16 17:57:03 f-net-snmp-dbl-free systemd[1]: Starting Apport crash forwarding receiver...
Jun 16 17:57:03 f-net-snmp-dbl-free systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 16 17:57:03 f-net-snmp-dbl-free systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 16 17:57:03 f-net-snmp-dbl-free systemd[1]: apport-forward@0-unknown.service: Succeeded.

Slightly different error message, though. Let's see what else I can dig up.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

With the 3 patches from comment #6 applied, I still get a crash:
$ sudo /usr/sbin/snmpd -LOn -u Debian-snmp -g Debian-snmp -I "-smux mteTrigger mteTriggerConf" -f -p /run/snmpd.pid
Unknown operation 6 in agentx_got_response
corrupted size vs. prev_size
Aborted

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

And sometimes a different crash:
Unknown operation 6 in agentx_got_response
Unknown operation 6 in agentx_got_response
malloc(): smallbin double linked list corrupted

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Found another one:
commit 7f88b06bf0f4140bc03cabacd35eaeffdf21d722
Author: Anders Wallin <email address hidden>
Date: Sun Apr 7 18:31:16 2019 -0400

    agentx/master: Return when NETSNMP_CALLBACK_OP_RESEND is set to the callback

    snmpd is terminated abnormally due to the double free for the
    request cache after the request is resend.

    That is because the callback for NETSNMP_CALLBACK_OP_RESEND isn't
    cared and the cache is freed wrongly.

    Let's just return if NETSNMP_CALLBACK_OP_RESEND is set on the
    callback.

    Fixes: b7b50bbac ("snmp_send callback updates")

    Signed-off-by: Anders Wallin <email address hidden>

This now seems to have done it, I cannot reproduce the crash anymore with the same test case.

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

Here is a focal ppa with the 4 patches above applied, if you would like to give it a try:

https://launchpad.net/~ahasenack/+archive/ubuntu/net-snmp-double-free/

And the git branch:

https://code.launchpad.net/~ahasenack/ubuntu/+source/net-snmp/+git/net-snmp/+ref/focal-snmp-double-free-2012926

Changed in net-snmp (Ubuntu):
status: New → Triaged
status: Triaged → In Progress
Andreas Hasenack (ahasenack)
Changed in net-snmp (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in net-snmp (Ubuntu):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Script to mimick an agentx subagent, to help reproduce the bug.

description: updated
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :
description: updated
Andreas Hasenack (ahasenack)
description: updated
description: updated
Sergio Durigan Junior (sergiodj)
description: updated
Andreas Hasenack (ahasenack)
description: updated
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Kieran, or anyone else affected,

Accepted net-snmp into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/net-snmp/5.8+dfsg-2ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in net-snmp (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.9 KiB)

Reproducing the bug

$ apt-cache policy snmpd
snmpd:
  Installed: 5.8+dfsg-2ubuntu2.7
  Candidate: 5.8+dfsg-2ubuntu2.7
  Version table:
 *** 5.8+dfsg-2ubuntu2.7 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status

The query timed out:
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
Timeout: No Response from localhost.

The python agentx however got it, and later couldn't reconnect to snmpd:
2023-07-12 16:39:59,471 - pyagentx.network - INFO - Received GET PDU
2023-07-12 16:39:59,471 - pyagentx.network - INFO - SLEEP
2023-07-12 16:40:00,573 - pyagentx.network - INFO - Received GET PDU
2023-07-12 16:40:00,574 - pyagentx.network - INFO - SLEEP
2023-07-12 16:40:01,675 - pyagentx.network - INFO - Received GET PDU
2023-07-12 16:40:01,675 - pyagentx.network - INFO - SLEEP
2023-07-12 16:40:02,778 - pyagentx.network - ERROR - Network error, master disconnect?!

That's because snmpd crashed:
Jul 12 16:38:59 f-snmp-dbl-free systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Jul 12 16:40:00 f-snmp-dbl-free snmpd[3431]: Unknown operation 6 in agentx_got_response
Jul 12 16:40:01 f-snmp-dbl-free snmpd[3431]: Unknown operation 6 in agentx_got_response
Jul 12 16:40:01 f-snmp-dbl-free snmpd[3431]: malloc(): smallbin double linked list corrupted
Jul 12 16:40:01 f-snmp-dbl-free systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jul 12 16:40:01 f-snmp-dbl-free systemd[1]: snmpd.service: Failed with result 'core-dump'.

I ran it again, and got a different crash (this one wasn't listed in the SRU test plan):
Jul 12 16:42:15 f-snmp-dbl-free snmpd[4211]: Unknown operation 6 in agentx_got_response
Jul 12 16:42:16 f-snmp-dbl-free snmpd[4211]: corrupted size vs. prev_size
Jul 12 16:42:16 f-snmp-dbl-free systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jul 12 16:42:16 f-snmp-dbl-free systemd[1]: snmpd.service: Failed with result 'core-dump'.

And a third time got me this third type of error message and a crash:
Jul 12 16:43:11 f-snmp-dbl-free systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Jul 12 16:43:11 f-snmp-dbl-free systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Jul 12 16:43:16 f-snmp-dbl-free snmpd[4379]: Unknown operation 6 in agentx_got_response
Jul 12 16:43:23 f-snmp-dbl-free snmpd[4379]: malloc(): unsorted double linked list corrupted
Jul 12 16:43:23 f-snmp-dbl-free systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jul 12 16:43:23 f-snmp-dbl-free systemd[1]: snmpd.service: Failed with result 'core-dump'.

And a fourth error message plus crash:
Jul 12 16:44:47 f-snmp-dbl-free snmpd[4488]: free(): double free detected in tcache 2
Jul 12 16:44:47 f-snmp-dbl-free systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jul 12 16:44:47 f-snmp-dbl-free systemd[1]: snmpd.service: Failed with result 'core-dump'.

I tried a few more times, but these are the four types of crashes I could get.

With the packages from proposed:
$ apt-cache policy snmpd
snmpd:
  Installed: 5.8+dfsg-2ubuntu2.8
  Candidate: 5.8+dfsg-2ubuntu2.8
  Ve...

Read more...

tags: added: verification-failed-focal
removed: verification-needed-focal
Changed in net-snmp (Ubuntu Focal):
status: Fix Committed → Triaged
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Reopening the bug, as another crash was found after all these patches were applied. I don't know if it was introduced by the fixes, or if it's just another double free that was there already and also needs fixing.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I found another two patches that fix the latest crash:

commit 408c8919e36feb4e9c1024e74d3b8c77454d89a0
Author: Bart Van Assche <email address hidden>
Date: Sun Apr 14 18:57:17 2019 -0700

    snmplib: Introduce the function remove_request()

    This patch does not change any functionality.

and this one which uses the new function:

commit d6689d6a938e29e02f1964bc7d7a15103817c0fa
Author: Masayoshi Mizuma <email address hidden>
Date: Mon Apr 8 19:56:04 2019 -0400

    snmplib/snmp_api: Remove the request on the session when the sending is failed

    snmpd is terminated abnormally due to an invalid memory access after
    the sending of a request is failed.

    The time out callback for the failed request is executed when the
    session is closing because the request remains in the internal session.
    The cleanup for the request is executed on the
    callback(NETSNMP_CALLBACK_OP_SEND_FAILED,) and also on the time out
    callback(NETSNMP_CALLBACK_OP_TIMED_OUT,), so the wrong memory access
    happens.

    Remove the failed request from the internal session after the callback
    for the failed request is done.

    Signed-off-by: Masayoshi Mizuma <email address hidden>
    Reported-by: Shogo Matsumoto <email address hidden>

I ran the snmpget loop over 21 thousand times now, no crash. I do observe something similar to a connection reset, though:

("i" is my loop counter)
i=21234
Error in packet
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: iso.3.6.1.4.1.8072.9999.9999.3.0

And the agentx module shows:
2023-07-28 20:27:04,503 - pyagentx.network - ERROR - Network error, master disconnect?!

But it reconnects just fine.

I tried the same loop in jammy, and observed the same behavior: this disconnect, and recovery. Maybe it's something in the python module, or the way it was implemented. After all, it's a demo.

I'll upload this new package to the ppa.

Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
Changed in net-snmp (Ubuntu Focal):
status: Triaged → In Progress
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I uploaded 5.8+dfsg-2ubuntu2.9 to focal unapproved, which addresses the verification-failed problem.

Revision history for this message
Robie Basak (racb) wrote :

Hello Kieran, or anyone else affected,

Accepted net-snmp into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/net-snmp/5.8+dfsg-2ubuntu2.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in net-snmp (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
removed: verification-failed-focal
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Focal verification

Reproducing the bug with:
ubuntu@f-snmp:~$ apt-cache policy snmpd
snmpd:
  Installed: 5.8+dfsg-2ubuntu2.7
  Candidate: 5.8+dfsg-2ubuntu2.7
  Version table:
 *** 5.8+dfsg-2ubuntu2.7 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status

Ran the reproducer in a loop, and on the first iteration it crashed the server already, as expected:
Aug 09 12:51:25 f-snmp systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Aug 09 12:52:08 f-snmp snmpd[3341]: Unknown operation 6 in agentx_got_response
Aug 09 12:52:09 f-snmp snmpd[3341]: Unknown operation 6 in agentx_got_response
Aug 09 12:52:09 f-snmp snmpd[3341]: Unknown operation 6 in agentx_got_response
Aug 09 12:52:10 f-snmp snmpd[3341]: malloc(): smallbin double linked list corrupted
Aug 09 12:52:10 f-snmp systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Aug 09 12:52:10 f-snmp systemd[1]: snmpd.service: Failed with result 'core-dump'.

Upgrading to the packages in proposed:
ubuntu@f-snmp:~$ apt-cache policy snmpd
snmpd:
  Installed: 5.8+dfsg-2ubuntu2.9
  Candidate: 5.8+dfsg-2ubuntu2.9
  Version table:
 *** 5.8+dfsg-2ubuntu2.9 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

Let the reproducer run for more than 20 times and no crash:
Wed Aug 9 12:56:19 UTC 2023
i=20
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
Wed Aug 9 12:56:20 UTC 2023
i=21
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
Wed Aug 9 12:56:22 UTC 2023
i=22

Focal verification succeeded.

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package net-snmp - 5.8+dfsg-2ubuntu2.9

---------------
net-snmp (5.8+dfsg-2ubuntu2.9) focal; urgency=medium

  * Fix "double free or corruption (fasttop)" crash (LP: #2012926):
    - d/p/remove-request-when-sending-failed-1.patch: introduce
      remove_request() function
    - d/p/remove-request-when-sending-failed-2.patch: Remove the request
      on the session when the sending is failed

net-snmp (5.8+dfsg-2ubuntu2.8) focal; urgency=medium

  * Fix multiple double free() bugs (LP: #2012926):
    - d/p/double-free-agentx_got_response.patch: fix double free of
      delegated cache in agentx_got_response()
    - d/p/double-free-failed-transport.patch: fix use-after-free in
      agentx when the transport fails
    - d/p/double-free-delegated-cache.patch: fix double free in the
      delegated cache
    - d/p/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch: fix
      double free when NETSNMP_CALLBACK_OP_RESEND is set to the callback

 -- Andreas Hasenack <email address hidden> Fri, 28 Jul 2023 17:42:56 -0300

Changed in net-snmp (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for net-snmp has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Michał Małoszewski (michal-maloszewski99)
tags: removed: server-todo
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.