iproute: ss -u segfaults if ipv6 module is not loaded

Bug #225573 reported by Jukka Partanen
Affects           Status        Importance  Assigned to  Milestone
iproute (CentOS)  Fix Released  Low
iproute (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: iproute

The ss command (a kind of netstat from the iproute package) fails when asked to display
UDP sockets. I have blacklisted the ipv6 module in /etc/modprobe.d.

Release: 8.04
iproute:
  Installed: 20071016-2ubuntu1
  Candidate: 20071016-2ubuntu1
  Version table:
 *** 20071016-2ubuntu1 0
        500 http://fi.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

Example output:

$ ss -un
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 x.x.x.x:46860 x.x.x.x:123
ESTAB 0 0 x.x.x.x:46869 x.x.x.x:123
ESTAB 0 0 x.x.x.x:46646 x.x.x.x:123
ESTAB 0 0 x.x.x.x:43324 x.x.x.x:123
ESTAB 0 0 x.x.x.x:58233 x.x.x.x:123
Segmentation fault

See the attachment for the strace listing. It segfaults after trying to open /proc/net/udp6.

In Gutsy I remember using it without any problems.

Tags: ipv6
Revision history for this message
Andreas Henriksson (andreas-fatal) wrote :

Running "PROC_NET_UDP6=/foobar/non-exist ss -un" works just fine. The problem is not about a missing proc file.

Jukka:
Could you please get a gdb backtrace? strace is mostly useless for hunting down segmentation faults.

To get a useful backtrace you most likely need to rebuild with debugging symbols. Try this:

apt-get install build-essential
cd /tmp
apt-get source iproute
cd iproute-*
apt-get build-dep iproute
make
gdb ./misc/ss
set args -un
run
bt

Revision history for this message
Jukka Partanen (jukka-partanen) wrote :

Here it is (I modified CCOPTS in the Makefile to replace -O2 by -g to get line numbers):
#0 0xb7f8eb45 in fgets () from /lib/tls/i686/cmov/libc.so.6
#1 0x0804c6ff in generic_record_read (fp=0x0,
    worker=0x804dc35 <dgram_show_line>, f=0x805af50, fam=10) at ss.c:1233
#2 0x0804e216 in udp_show (f=0x805af50) at ss.c:1786
#3 0x08050d59 in main (argc=0, argv=0xbf9ccecc) at ss.c:2774

I think the problem is in the pointer comparison at ss.c:1785:
 if ((f->families&(1<<AF_INET6)) &&
     (fp = net_udp6_open()) >= 0) {

I changed this to
 if ((f->families&(1<<AF_INET6)) &&
     (fp = net_udp6_open()) != NULL) {

and the problem went away. There is a similar bug at ss.c:1777, too:
 if (f->families&(1<<AF_INET)) {
  if ((fp = net_udp_open()) < 0)

Indeed, trying PROC_NET_UDP=/foo/bar ./misc/ss -un segfaulted. Changing the above to:
 if (f->families&(1<<AF_INET)) {
  if ((fp = net_udp_open()) == NULL)

also fixed that problem.
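The pointer-comparison defect described in this comment, isolated as an added example (this is not iproute2's own code): a miniature udp_show() that contrasts the descriptor-style `>= 0` test with the corrected `!= NULL` test. The path /nonexistent/proc/net/udp6 is a constructed stand-in for the missing /proc/net/udp6, and the sample table lines are constructed, not captured from a real host. The buggy test is written with an explicit integer cast so that it compiles without diagnostics; the original compared the FILE* directly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not iproute2 code. The hypothetical helpers below mirror
 * the shape of generic_record_read()/udp_show() in ss.c of that era. */

/* Counts lines in fp the way generic_record_read() walked a proc table.
 * Returns 0 and sets *lines, or -1 if fp is not a usable stream. The
 * original had no NULL guard here, which is where fgets() crashed. */
static int record_read(FILE *fp, int *lines)
{
    char buf[256];
    if (fp == NULL) {
        errno = EINVAL;
        return -1;
    }
    *lines = 0;
    while (fgets(buf, sizeof(buf), fp) != NULL)
        (*lines)++;
    return 0;
}

/* Buggy variant of the condition "(fp = net_udp6_open()) >= 0": a pointer
 * is treated like a file descriptor. NULL casts to 0, and 0 >= 0 is true,
 * so a missing table "passes" the check. Returns 1 if the condition would
 * let the caller proceed to read from fp. */
static int descriptor_style_check_accepts(FILE *fp)
{
    return (intptr_t)fp >= 0;
}

/* Fixed variant, as in the upstream commit: test the pointer for NULL. */
static int pointer_check_accepts(FILE *fp)
{
    return fp != NULL;
}

/* udp_show() in miniature with the fixed check. Returns 0 on success,
 * 1 if the table is simply unavailable (e.g. the ipv6 module is not
 * loaded), which is skipped rather than crashed on, and -1 on a read error. */
static int udp_show(const char *path, int *lines)
{
    FILE *fp = fopen(path, "r");
    int rc;
    if (!pointer_check_accepts(fp))
        return 1;
    rc = record_read(fp, lines);
    fclose(fp);
    return rc;
}

/* Returns 1 if the buggy condition would proceed into fgets() on the NULL
 * that fopen() returns for a missing file; 0 if the file actually exists. */
static int buggy_check_proceeds_on_missing_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp != NULL) {
        fclose(fp);
        return 0;
    }
    return descriptor_style_check_accepts(fp);
}

/* Feeds a constructed /proc/net/udp-shaped table (header + two rows)
 * through record_read(); returns the line count, -1 on failure. */
static int count_sample_lines(void)
{
    static const char sample[] =
        "  sl  local_address rem_address   st tx_queue rx_queue\n"
        "   0: 0100007F:0035 00000000:0000 07 00000000:00000000\n"
        "   1: 00000000:0044 00000000:0000 07 00000000:00000000\n";
    FILE *fp = tmpfile();
    int lines = 0;
    if (fp == NULL)
        return -1;
    fputs(sample, fp);
    rewind(fp);
    if (record_read(fp, &lines) != 0)
        lines = -1;
    fclose(fp);
    return lines;
}

int main(void)
{
    int lines = 0;
    const char *missing = "/nonexistent/proc/net/udp6"; /* constructed path */
    printf("buggy check would proceed on missing table: %d\n",
           buggy_check_proceeds_on_missing_file(missing));
    printf("fixed udp_show() rc for missing table: %d\n",
           udp_show(missing, &lines));
    printf("lines read from sample table: %d\n", count_sample_lines());
    return 0;
}
```

The descriptor-style test is exactly the one a compiler flags with "ordered comparison of pointer with integer zero"; building with -Wextra would have surfaced both occurrences in ss.c before any user hit fgets(NULL).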

Revision history for this message
Andreas Henriksson (andreas-fatal) wrote :

Thanks Jukka! I'm on a newer version of iproute and those exact changes seem to have already been made there, that's why I couldn't reproduce.
Upstream commit: http://git.kernel.org/?p=linux/kernel/git/shemminger/iproute2.git;a=commitdiff;h=69cae645

In other words, this is already fixed in newer iproute releases.

Revision history for this message
In , Mihail (mihail-redhat-bugs) wrote :

When I type
[root@myserver ~]# ss
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.1.0.12:ssh x.x.x.x:4172
ESTAB 0 0 10.1.0.12:mysql 10.1.0.11:34003
Segmentation fault
[root@myserver ~]#

When ipv6 is off:

close(4) = 0
open("/proc/net/tcp6", O_RDONLY) = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

I tried this on i386 and x86_64 and it is the same error.

Revision history for this message
In , Marcela (marcela-redhat-bugs) wrote :

*** Bug 493622 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Marcela (marcela-redhat-bugs) wrote :

In the meantime you can use: "ss -f inet"

After fixing the previous problem "not showing all socket states" (#446198) with upstream commit ab01dbbb94b8620c2bc85e30e107c3a9f0870a73, different bugs show up. On a RHEL-5 machine this one can be seen, which can be fixed by upstream commit:
69cae645b28edbba53c8601ddeba01430e5e9da0

Revision history for this message
In , Marcela (marcela-redhat-bugs) wrote :

Created attachment 338509
Upstream commit git 69cae645b28edbba53c8601ddeba01430e5e9da0

Revision history for this message
In , Roberto (roberto-redhat-bugs) wrote :

In the function:

static FILE *generic_proc_open(const char *env, const char *name)
{
        char store[128];
        const char *p = getenv(env);
        FILE *fp;
        if (!p) {
                p = getenv("PROC_ROOT") ? : "/proc";
                snprintf(store, sizeof(store)-1, "%s/%s", p, name);
                p = store;
        }

        return fopen(p, "r");
}

PROC_ROOT can be something longer than 128 and cause other segfault.
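To settle the question raised in this comment, here is an added example (not iproute2's code) that rebuilds the path construction of generic_proc_open() with a canary byte after the buffer. It shows that the bounded snprintf() cannot write past the 128-byte store no matter how long PROC_ROOT is, and what it does instead: silently truncate the path. The hardened variant proc_open_checked() is a hypothetical addition that refuses a truncated path rather than opening whatever prefix survived; the 200-byte root is a constructed input.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iproute2 code. */

#define STORE_SIZE 128   /* same buffer size as generic_proc_open() */

/* Builds "<root>/<name>" exactly as the original did, bounded by `limit`
 * (the original passed sizeof(store)-1). Returns snprintf()'s result: the
 * length the full path would need, so `ret >= limit` signals truncation. */
static int build_proc_path(const char *root, const char *name,
                           char *store, size_t limit)
{
    return snprintf(store, limit, "%s/%s", root, name);
}

/* Hardened variant (hypothetical): detect truncation and fail closed with
 * errno = ENAMETOOLONG instead of fopen()ing a mangled path. */
static FILE *proc_open_checked(const char *root, const char *name)
{
    char store[STORE_SIZE];
    int n = snprintf(store, sizeof(store), "%s/%s", root, name);
    if (n < 0 || (size_t)n >= sizeof(store)) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    return fopen(store, "r");
}

/* Fills a 200-byte PROC_ROOT into a guarded buffer. Returns the number of
 * bytes actually stored (strlen of the result); sets *overflowed to 1 if
 * the canary after the buffer was clobbered and *needed to the length
 * snprintf() reported it wanted. */
static int truncation_demo(int *overflowed, int *needed)
{
    struct {
        char store[STORE_SIZE];
        unsigned char canary;      /* sits immediately after the buffer */
    } guarded;
    char root[201];

    memset(root, 'a', 200);        /* constructed over-long PROC_ROOT */
    root[200] = '\0';
    guarded.canary = 0xA5;

    *needed = build_proc_path(root, "net/udp6", guarded.store,
                              sizeof(guarded.store) - 1);
    *overflowed = (guarded.canary != 0xA5);
    return (int)strlen(guarded.store);
}

/* Returns 1 if the hardened open rejects the over-long root with
 * ENAMETOOLONG, 0 otherwise. */
static int long_root_rejected(void)
{
    char root[201];
    memset(root, 'a', 200);
    root[200] = '\0';
    errno = 0;
    return proc_open_checked(root, "net/udp6") == NULL
           && errno == ENAMETOOLONG;
}

int main(void)
{
    int overflowed = -1, needed = -1;
    int stored = truncation_demo(&overflowed, &needed);
    printf("stored %d bytes, needed %d, canary clobbered: %d\n",
           stored, needed, overflowed);
    printf("hardened open rejects long PROC_ROOT: %d\n",
           long_root_rejected());
    return 0;
}
```

With a limit of 127 the store ends up holding 126 characters plus the terminator while snprintf() reports the 209 the path needed; the canary survives, so the crash in this thread was never a buffer overflow, only a NULL FILE* from fopen() on a path that did not exist.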

Revision history for this message
In , Marcela (marcela-redhat-bugs) wrote :

(In reply to comment #7)
> In the function:
>
> static FILE *generic_proc_open(const char *env, const char *name)
> {
> char store[128];
> const char *p = getenv(env);
> FILE *fp;
> if (!p) {
> p = getenv("PROC_ROOT") ? : "/proc";
> snprintf(store, sizeof(store)-1, "%s/%s", p, name);
> p = store;
> }
>
> return fopen(p, "r");
> }
>
> PROC_ROOT can be something longer than 128 and cause other segfault.

If you have a reproducer for this problem, then please open a new bug. This is different problem.

Revision history for this message
In , Roberto (roberto-redhat-bugs) wrote :

(In reply to comment #8)
> (In reply to comment #7)
> > In the function:
> >
> > static FILE *generic_proc_open(const char *env, const char *name)
> > {
> > char store[128];
> > const char *p = getenv(env);
> > FILE *fp;
> > if (!p) {
> > p = getenv("PROC_ROOT") ? : "/proc";
> > snprintf(store, sizeof(store)-1, "%s/%s", p, name);
> > p = store;
> > }
> >
> > return fopen(p, "r");
> > }
> >
> > PROC_ROOT can be something longer than 128 and cause other segfault.
>
> If you have a reproducer for this problem, then please open a new bug. This is
> different problem.

I didn't see (I'm blind...) the snprintf out-of-bounds check, and the segfault was produced because the content of PROC_ROOT was an invalid path (you fixed it in the last attachment).

Sorry.

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1520.html

Revision history for this message
Angelo Lisco (angystardust-gmail) wrote :

I just found the same bug was tracked in Red Hat Enterprise Bugzilla. It was fixed one month ago with this errata:
http://rhn.redhat.com/errata/RHBA-2009-1520.html

Revision history for this message
Andreas Henriksson (andreas-fatal) wrote :

The RH errata refers to the same upstream commit that I wrote about earlier. That commit was part of the iproute version shipped with Intrepid (and later).

Changed in iproute (CentOS):
status: Unknown → Fix Released
Emmet Hikory (persia)
tags: added: ipv6
Revision history for this message
Vibhav Pant (vibhavp) wrote :

Fixed in Ubuntu 12.04

Changed in iproute (Ubuntu):
status: New → Fix Released
Changed in iproute (CentOS):
importance: Unknown → Low