SIGSEGV in ntpq

Bug #254375 reported by petre
Affects: ntp (Ubuntu); Status: Fix Released; Importance: Low; Assigned to: Unassigned; Milestone: none (declined for Jaunty by Chuck Short)

Bug Description

Binary package hint: ntp

Bug appears on two different computers, both with the same release of (K)ubuntu and the same architecture (x86_64).

% uname -a
Linux xxxxx 2.6.24-19-generic #1 SMP Fri Jul 11 21:01:46 UTC 2008 x86_64 GNU/Linux

% lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

% apt-cache policy ntp
ntp:
  Installed: 1:4.2.4p4+dfsg-3ubuntu2
  Candidate: 1:4.2.4p4+dfsg-3ubuntu2
  Version table:
 *** 1:4.2.4p4+dfsg-3ubuntu2 0
        500 http://ro.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
---------------------
After installing ntp package, without any modification to config files:

% ntptrace
ntpq -n -c rv 127.0.0.1 failed at /usr/bin/ntptrace line 40.

% ntpq -n -c rv 127.0.0.1
assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p4@1.1520-o Fri Mar 7 20:36:58 UTC 2008 (1)",
processor="x86_64", system="Linux/2.6.24-19-generic", leap=11,
stratum=16, precision=-20, rootdelay=0.000, rootdispersion=11.925,
Segmentation fault

% valgrind ntpq -n -c rv 127.0.0.1
==14479== Memcheck, a memory error detector.
==14479== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==14479== Using LibVEX rev 1804, a library for dynamic binary translation.
==14479== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==14479== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==14479== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==14479== For more details, rerun with: -v
==14479==
==14479== Invalid read of size 8
==14479== at 0x4015ECA: (within /lib/ld-2.7.so)
==14479== by 0x4011C2B: (within /lib/ld-2.7.so)
==14479== by 0x56F8F7F: (within /lib/libc-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==14479== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==14479== by 0x56D3114: (within /lib/libc-2.7.so)
==14479== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==14479== by 0x56A9ADC: (within /lib/libc-2.7.so)
==14479== by 0x56A9DC7: (within /lib/libc-2.7.so)
==14479== by 0x56AC35D: getaddrinfo (in /lib/libc-2.7.so)
==14479== by 0x403546: (within /usr/bin/ntpq)
==14479== Address 0x5fa7fc0 is 40 bytes inside a block of size 46 alloc'd
==14479== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==14479== by 0x400DF00: (within /lib/ld-2.7.so)
==14479== by 0x4008DA5: (within /lib/ld-2.7.so)
==14479== by 0x4012048: (within /lib/ld-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x401191A: (within /lib/ld-2.7.so)
==14479== by 0x56F8F7F: (within /lib/libc-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==14479== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==14479== by 0x56D3114: (within /lib/libc-2.7.so)
==14479== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==14479==
==14479== Invalid read of size 8
==14479== at 0x4015EE4: (within /lib/ld-2.7.so)
==14479== by 0x400AB93: (within /lib/ld-2.7.so)
==14479== by 0x40061E4: (within /lib/ld-2.7.so)
==14479== by 0x4008677: (within /lib/ld-2.7.so)
==14479== by 0x4012048: (within /lib/ld-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x401191A: (within /lib/ld-2.7.so)
==14479== by 0x56F8F7F: (within /lib/libc-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==14479== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==14479== by 0x56D3132: (within /lib/libc-2.7.so)
==14479== Address 0x5fa8140 is 16 bytes inside a block of size 23 alloc'd
==14479== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==14479== by 0x4008B75: (within /lib/ld-2.7.so)
==14479== by 0x4012048: (within /lib/ld-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x401191A: (within /lib/ld-2.7.so)
==14479== by 0x56F8F7F: (within /lib/libc-2.7.so)
==14479== by 0x400DDF5: (within /lib/ld-2.7.so)
==14479== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==14479== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==14479== by 0x56D3132: (within /lib/libc-2.7.so)
==14479== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==14479== by 0x56A9ADC: (within /lib/libc-2.7.so)
assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p4@1.1520-o Fri Mar 7 20:36:58 UTC 2008 (1)",
processor="x86_64", system="Linux/2.6.24-19-generic", leap=11,
stratum=16, precision=-20, rootdelay=0.000, rootdispersion=11.985,
==14479==
==14479== Invalid write of size 1
==14479== at 0x412693: (within /usr/bin/ntpq)
==14479== Address 0x7ff001000 is not stack'd, malloc'd or (recently) free'd
==14479==
==14479== Process terminating with default action of signal 11 (SIGSEGV)
==14479== Access not within mapped region at address 0x7FF001000
==14479== at 0x412693: (within /usr/bin/ntpq)
peer=13290==14479==
==14479== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 25 from 1)
==14479== malloc/free: in use at exit: 59 bytes in 2 blocks.
==14479== malloc/free: 51 allocs, 49 frees, 20,570 bytes allocated.
==14479== For counts of detected errors, rerun with: -v
==14479== searching for pointers to 2 not-freed blocks.
==14479== checked 365,984 bytes.
==14479==
==14479== LEAK SUMMARY:
==14479== definitely lost: 0 bytes in 0 blocks.
==14479== possibly lost: 0 bytes in 0 blocks.
==14479== still reachable: 59 bytes in 2 blocks.
==14479== suppressed: 0 bytes in 0 blocks.
==14479== Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault

----------------------------------------------

After rebuild with debugging enabled:
valgrind ntpq -n -c rv 127.0.0.1
==27393== Memcheck, a memory error detector.
==27393== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==27393== Using LibVEX rev 1804, a library for dynamic binary translation.
==27393== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==27393== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==27393== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==27393== For more details, rerun with: -v
==27393==
==27393== Invalid read of size 8
==27393== at 0x4015ECA: (within /lib/ld-2.7.so)
==27393== by 0x4011C2B: (within /lib/ld-2.7.so)
==27393== by 0x56F8F7F: (within /lib/libc-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==27393== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==27393== by 0x56D3114: (within /lib/libc-2.7.so)
==27393== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==27393== by 0x56A9ADC: (within /lib/libc-2.7.so)
==27393== by 0x56A9DC7: (within /lib/libc-2.7.so)
==27393== by 0x56AC35D: getaddrinfo (in /lib/libc-2.7.so)
==27393== by 0x40319A: openhost (ntpq.c:687)
==27393== Address 0x5fa7fc0 is 40 bytes inside a block of size 46 alloc'd
==27393== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==27393== by 0x400DF00: (within /lib/ld-2.7.so)
==27393== by 0x4008DA5: (within /lib/ld-2.7.so)
==27393== by 0x4012048: (within /lib/ld-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x401191A: (within /lib/ld-2.7.so)
==27393== by 0x56F8F7F: (within /lib/libc-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==27393== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==27393== by 0x56D3114: (within /lib/libc-2.7.so)
==27393== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==27393==
==27393== Invalid read of size 8
==27393== at 0x4015EE4: (within /lib/ld-2.7.so)
==27393== by 0x400AB93: (within /lib/ld-2.7.so)
==27393== by 0x40061E4: (within /lib/ld-2.7.so)
==27393== by 0x4008677: (within /lib/ld-2.7.so)
==27393== by 0x4012048: (within /lib/ld-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x401191A: (within /lib/ld-2.7.so)
==27393== by 0x56F8F7F: (within /lib/libc-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==27393== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==27393== by 0x56D3132: (within /lib/libc-2.7.so)
==27393== Address 0x5fa8140 is 16 bytes inside a block of size 23 alloc'd
==27393== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==27393== by 0x4008B75: (within /lib/ld-2.7.so)
==27393== by 0x4012048: (within /lib/ld-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x401191A: (within /lib/ld-2.7.so)
==27393== by 0x56F8F7F: (within /lib/libc-2.7.so)
==27393== by 0x400DDF5: (within /lib/ld-2.7.so)
==27393== by 0x56F90E6: __libc_dlopen_mode (in /lib/libc-2.7.so)
==27393== by 0x56D303C: __nss_lookup_function (in /lib/libc-2.7.so)
==27393== by 0x56D3132: (within /lib/libc-2.7.so)
==27393== by 0x56DBB28: getservbyname_r (in /lib/libc-2.7.so)
==27393== by 0x56A9ADC: (within /lib/libc-2.7.so)
assID=0 status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.4p4@1.1520-o Sun Aug 3 08:29:27 UTC 2008 (1)",
processor="x86_64", system="Linux/2.6.24-19-generic", leap=11,
stratum=16, precision=-20, rootdelay=0.000, rootdispersion=0.150,
peer=0, refid=INIT,
reftime=00000000.00000000 Thu, Feb 7 2036 8:28:16.000, poll=6,
clock=cc3feb02.5a323ae9 Sun, Aug 3 2008 11:29:54.352, state=0,
offset=0.000, frequency=0.000, jitter=0.001, noise=0.001,
stability=0.000, tai=0
==27393==
==27393== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 25 from 1)
==27393== malloc/free: in use at exit: 59 bytes in 2 blocks.
==27393== malloc/free: 62 allocs, 60 frees, 22,723 bytes allocated.
==27393== For counts of detected errors, rerun with: -v
==27393== searching for pointers to 2 not-freed blocks.
==27393== checked 364,008 bytes.
==27393==
==27393== LEAK SUMMARY:
==27393== definitely lost: 0 bytes in 0 blocks.
==27393== possibly lost: 0 bytes in 0 blocks.
==27393== still reachable: 59 bytes in 2 blocks.
==27393== suppressed: 0 bytes in 0 blocks.
==27393== Rerun with --leak-check=full to see details of leaked memory.

Revision history for this message
Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue that you reported is one that should be reproducible with the live environment of the Desktop CD of the development release - Karmic Koala. It would help us greatly if you could test with it so we can work on getting it fixed in the next release of Ubuntu. You can find out more about the development release at http://www.ubuntu.com/testing/. Thanks again and we appreciate your help.

Changed in ntp (Ubuntu):
assignee: nobody → Chuck Short (zulcss)
importance: Undecided → Low
status: New → Incomplete
Chuck Short (zulcss)
Changed in ntp (Ubuntu):
assignee: Chuck Short (zulcss) → nobody
Chuck Short (zulcss) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

petre (petrem.) wrote : Re: [Bug 254375] Re: SIGSEGV in ntpq

I failed in a first attempt to reproduce the bug in roughly the same
conditions as first posted but I will keep trying. I will (hopefully
today) try with a kubuntu karmic live cd and report back.

Peter
On 19 Oct 2009, at 18:08 PM, Chuck Short wrote:

> We'd like to figure out what's causing this bug for you, but we
> haven't
> heard back from you in a while. Could you please provide the requested
> information? Thanks!
>
> --
> SIGSEGV in ntpq
> https://bugs.launchpad.net/bugs/254375
> You received this bug notification because you are a direct subscriber
> of the bug.

petre (petrem.) wrote :

Hello again,

I am not able to reproduce the bug either in 8.04 (with lots of
updates since the bug was reported...) or in the 9.10 beta.

On 19 Oct 2009, at 18:08 PM, Chuck Short wrote:

> We'd like to figure out what's causing this bug for you, but we
> haven't
> heard back from you in a while. Could you please provide the requested
> information? Thanks!
>
> --
> SIGSEGV in ntpq
> https://bugs.launchpad.net/bugs/254375
> You received this bug notification because you are a direct subscriber
> of the bug.

Chuck Short (zulcss) wrote :

Thanks, closing then.

Regards
chuck

Changed in ntp (Ubuntu):
status: Incomplete → Fix Released
marekm (marekm) wrote :

Bug still present on 10.04 LTS 32-bit, installed on an old AMD64 box, with 32-bit PAE-enabled kernel for NX protection.

"ntpq rv" segfault happens soon after ntp is started:

$ ntpq -n -c rv 127.0.0.1
assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Fri Apr 9 00:28:40 UTC 2010 (1)",
processor="i686", system="Linux/2.6.32-21-generic-pae", leap=11,
stratum=16, precision=-19, rootdelay=0.000, rootdispersion=11.190,
Segmentation fault

but not anymore with time in sync with the NTP server:

$ ntpq -n -c rv 127.0.0.1
assID=0 status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Fri Apr 9 00:28:40 UTC 2010 (1)",
processor="i686", system="Linux/2.6.32-21-generic-pae", leap=00,
stratum=3, precision=-19, rootdelay=49.444, rootdispersion=97.440,
peer=43637, refid=91.189.94.4,
reftime=cf8a76a2.db946652 Tue, May 4 2010 12:34:10.857, poll=6,
clock=cf8a7874.58f15d7e Tue, May 4 2010 12:41:56.347, state=4,
offset=-29.822, frequency=-100.651, jitter=37.655, noise=55.979,
stability=30.935, tai=0

Also, earlier it said "stack smashing detected" (just once, can't reproduce that again):

$ ntpq -n -c rv 127.0.0.1
assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Fri Apr 9 00:28:40 UTC 2010 (1)",
processor="i686", system="Linux/2.6.32-21-generic-pae", leap=11,
stratum=16, precision=-19, rootdelay=0.000, rootdispersion=10.965,
*** stack smashing detected ***: <unknown> terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb74f8350]
/lib/tls/i686/cmov/libc.so.6(+0xe22fa)[0xb74f82fa]
[0xb7769924]
[0xb7765ef6]
[0x0]
======= Memory map: ========
b73b1000-b73ce000 r-xp 00000000 08:05 133715 /lib/libgcc_s.so.1
b73ce000-b73cf000 r--p 0001c000 08:05 133715 /lib/libgcc_s.so.1
b73cf000-b73d0000 rw-p 0001d000 08:05 133715 /lib/libgcc_s.so.1
b73de000-b73e8000 r-xp 00000000 08:05 138070 /lib/tls/i686/cmov/libnss_files-2.11.1.so
b73e8000-b73e9000 r--p 00009000 08:05 138070 /lib/tls/i686/cmov/libnss_files-2.11.1.so
b73e9000-b73ea000 rw-p 0000a000 08:05 138070 /lib/tls/i686/cmov/libnss_files-2.11.1.so
b73ea000-b73eb000 rw-p 00000000 00:00 0
b73eb000-b73ef000 r-xp 00000000 08:05 133671 /lib/libattr.so.1.1.0
b73ef000-b73f0000 r--p 00003000 08:05 133671 /lib/libattr.so.1.1.0
b73f0000-b73f1000 rw-p 00004000 08:05 133671 /lib/libattr.so.1.1.0
b73f1000-b7404000 r-xp 00000000 08:05 133830 /lib/libz.so.1.2.3.3
b7404000-b7405000 r--p 00012000 08:05 133830 /lib/libz.so.1.2.3.3
b7405000-b7406000 rw-p 00013000 08:05 133830 /lib/libz.so.1.2.3.3
b7406000-b7407000 rw-p 00000000 00:00 0
b7407000-b7409000 r-xp 00000000 08:05 138059 /lib/tls/i686/cmov/libdl-2.11.1.so
b7409000-b740a000 r--p 00001000 08:05 138059 /lib/tls/i686/cmov/libdl-2.11.1.so
b740a000-b740b000 rw-p 00002000 08:05 138059 /lib/tls/i686/cmov/libdl-2.11.1.so
b740b000-b7414000 r-xp 00000000 08:05 133677 /lib/libbsd.so.0.2.0
b7414000-b7415000 r--p 00008000 08:05 133677 /lib/libbsd.so.0.2.0
b7415000-b7416000 rw-p 00009000 08:05 133677 /lib/libbsd.so.0.2.0
b7416000-b7569...


david6 (andrew-dowden) wrote :

I still get this error on Ubuntu 10.04 LTS (latest updates), under 'cold start' conditions.

For example: (new host), install ntp (sudo apt-get install ntp)

~$ ntpq -c rl (on a different host)
associd=0 status=c011 leap_alarm, sync_unspec, 1 event, freq_not_set,
version="ntpd 4.2.6p2@1.2194 Fri Sep 2 18:37:15 UTC 2011 (1)",
processor="i686", system="Linux/3.0.0-12-generic-pae", leap=11,
stratum=16, precision=-20, rootdelay=0.000, rootdisp=0.420, refid=INIT,
reftime=00000000.00000000 Thu, Feb 7 2036 19:28:16.000,
clock=d26c2106.4ae705a8 Tue, Nov 15 2011 12:21:42.292, peer=0, tc=3,
mintc=3, offset=0.000, frequency=0.000, sys_jitter=0.000,
clk_jitter=0.001, clk_wander=0.000

sometime after install, BUT before it is properly synced, I may get:

~$ ntpq -c rl
assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Tue Apr 19 07:08:29 UTC 2011 (1)",
processor="i686", system="Linux/2.6.32-34-generic", leap=11, stratum=16,
Segmentation fault

later still, when properly synced, it returns valid data:

~$ ntpq -c rl
assID=0 status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Tue Apr 19 07:08:29 UTC 2011 (1)",
processor="i686", system="Linux/2.6.32-34-generic", leap=00, stratum=3,
precision=-20, rootdelay=303.768, rootdispersion=75.598, peer=65450,
refid=91.189.94.4,
reftime=d26c181d.ef314855 Tue, Nov 15 2011 11:43:41.934, poll=6,
clock=d26c187f.d8e7310b Tue, Nov 15 2011 11:45:19.847, state=4,
offset=21.891, frequency=86.577, jitter=24.303, noise=46.878,
stability=25.729, tai=0

This must relate to string-space, a negative value (unexpected), or similar for nonsense data.

Does not ALWAYS occur, and is HARD to reproduce.
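All three reports above share one observable: the crash happens only while ntpd is still unsynchronised (status word c644 or c011, leap=11, stratum=16) and the valgrind trace in the original report ends in an invalid one-byte write inside ntpq while it is printing the "rv" variables. The root cause is not established anywhere on this page. The following C program is an added example, not ntpq's own code and not a reconstruction of its bug; it shows how a monitoring tool can read the same "rv" text that the reporters pasted without the class of string-buffer overrun that david6 speculates about: every value is copied with an explicit bound, and the 16-bit system status word is decoded into its four fields so the unsynchronised state can be detected directly. The two sample inputs are constructed from the outputs quoted in the report and in marekm's comment; the function names rv_get, rv_unsynced and decode_status are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the "rv" output quoted in the original report, taken
   while ntpd was still unsynchronised (status c644, leap 11, stratum 16). */
static const char UNSYNCED_RV[] =
    "assID=0 status=c644 sync_alarm, sync_ntp, 4 events, event_peer/strat_chg,\n"
    "version=\"ntpd 4.2.4p4@1.1520-o Fri Mar 7 20:36:58 UTC 2008 (1)\",\n"
    "processor=\"x86_64\", system=\"Linux/2.6.24-19-generic\", leap=11,\n"
    "stratum=16, precision=-20, rootdelay=0.000, rootdispersion=11.925,\n";

/* Constructed sample: the synced output quoted in marekm's comment. */
static const char SYNCED_RV[] =
    "assID=0 status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,\n"
    "version=\"ntpd 4.2.4p8@1.1612-o Fri Apr 9 00:28:40 UTC 2010 (1)\",\n"
    "processor=\"i686\", system=\"Linux/2.6.32-21-generic-pae\", leap=00,\n"
    "stratum=3, precision=-19, rootdelay=49.444, rootdispersion=97.440,\n"
    "peer=43637, refid=91.189.94.4,\n"
    "reftime=cf8a76a2.db946652 Tue, May 4 2010 12:34:10.857, poll=6,\n";

/* Fields of the NTP system status word (the "status=XXXX" value):
   2 bits leap indicator, 6 bits clock source, 4 bits event count,
   4 bits code of the most recent event. */
typedef struct {
    unsigned leap;    /* 3 (binary 11) = clock never synchronised, "sync_alarm" */
    unsigned source;  /* 0 = sync_unspec, 6 = sync_ntp */
    unsigned count;   /* events since the counter was last read */
    unsigned code;    /* last event code, e.g. 1 = restart, 4 = peer/stratum change */
} ntp_status;

ntp_status decode_status(unsigned word)
{
    ntp_status s;
    s.leap   = (word >> 14) & 0x3;
    s.source = (word >> 8)  & 0x3f;
    s.count  = (word >> 4)  & 0xf;
    s.code   =  word        & 0xf;
    return s;
}

/* Copy the value of "key=" from a "k=v, k=v" response into out, never writing
   more than outlen bytes (the value is truncated, not the stack). Quoted values
   run to the closing quote; bare values stop at the next comma, so a bare value
   that itself contains a comma (reftime's weekday) is cut there. Returns 1 if
   the key was found, 0 otherwise. */
int rv_get(const char *resp, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = resp;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    while ((p = strstr(p, key)) != NULL) {
        /* Accept only a whole key at the start of a token: "leap=" but not
           "leap_none" and not a key name embedded inside another value. */
        int at_start = (p == resp) || strchr(" ,\n", p[-1]) != NULL;
        if (at_start && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end;
            size_t n;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL)            /* unterminated quote: take the rest */
                    end = v + strlen(v);
            } else {
                end = v + strcspn(v, ",\n");
            }
            n = (size_t)(end - v);
            if (n >= outlen)                /* bounded copy: truncate, keep the NUL */
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* 1 when the response describes an unsynchronised daemon, the state in which
   every reporter on this bug saw the crash: leap bits 11 or stratum 16. */
int rv_unsynced(const char *resp)
{
    char buf[32];

    if (rv_get(resp, "status", buf, sizeof buf) &&
        decode_status((unsigned)strtoul(buf, NULL, 16)).leap == 3)
        return 1;
    if (rv_get(resp, "stratum", buf, sizeof buf) && atoi(buf) == 16)
        return 1;
    return 0;
}

int main(void)
{
    const char *keys[] = { "status", "version", "stratum", "leap", "refid" };
    char val[64];
    size_t i;

    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-8s %s\n", keys[i],
               rv_get(UNSYNCED_RV, keys[i], val, sizeof val) ? val : "(absent)");
    printf("unsynced: %d\n", rv_unsynced(UNSYNCED_RV));
    return 0;
}
```

Run stand-alone it prints the fields of the report's unsynchronised sample and "unsynced: 1"; fed marekm's synced sample it reports 0. The design point is in rv_get: the destination size is a parameter that the copy honours, so an unexpectedly long or malformed value (an unterminated quote, a value longer than the caller planned for) degrades to truncation rather than to the "stack smashing detected" abort marekm saw.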

david6 (andrew-dowden) wrote :

Can this be assigned a higher priority, to resolve?
