ipmitool console session crashed with SIGSEGV

Bug #234302 reported by Daniel J Blueman on 2008-05-23
Affects: ipmitool (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: ipmitool

When using the ipmitool 'sol activate 1' command for some time, a significant (~10%) amount of the time, ipmitool gets hit with a SEGV.

This is reproducible on Ubuntu 8.04 HH x86-64 connecting to an Intel S5000PAL IPMI interface and is semi-random. I'll see if I can get valgrind debugging.

ProblemType: Crash
Architecture: amd64
Date: Fri May 23 12:51:04 2008
DistroRelease: Ubuntu 8.04
ExecutablePath: /usr/bin/ipmitool
Package: ipmitool 1.8.8-3.1
PackageArchitecture: amd64
ProcCmdline: ipmitool -A MD5 -o intelplus -I lanplus -e [ -P XXXXXXX -H quorum0-mc sol activate 1
ProcEnviron:
 SHELL=/bin/bash
 PATH=/home/username/.bin/noarch:/home/username/.bin/:/bin:/usr/bin:/usr/local/bin:/usr/bin/X11:/sbin:/usr/sbin:/product/software/tools/Linux_common
 LANG=en_GB
Signal: 11
SourcePackage: ipmitool
StacktraceTop:
 ?? ()
 ?? ()
 ?? ()
 ?? ()
 ?? ()
Title: ipmitool crashed with SIGSEGV
Uname: Linux 2.6.24-16-generic x86_64
UserGroups: adm admin audio cdrom contract dialout dip floppy fuse kvm lpadmin plugdev swdev testers video

StacktraceTop:
 ipmi_lanplus_send_payload (intf=0x6672e0, payload=0x7fff8b39f140) at lanplus.c:2167
 ipmi_lanplus_send_sol (intf=0x6672e0, v2_payload=0x7fff8b39f140) at lanplus.c:2325
 ipmi_sol_activate (intf=0x6672e0, looptest=<value optimized out>, interval=<value optimized out>)
 ipmi_sol_main (intf=0x6672e0, argc=2, argv=0x7fff8b39f7e8) at ipmi_sol.c:1716
 ipmi_main (argc=16, argv=0x7fff8b39f778, cmdlist=0x655860, intflist=0x0) at ipmi_main.c:601

Changed in ipmitool:
importance: Undecided → Medium

Reliable reproducer:
 1. establish SOL session to node (see ProcCmdline above)
 2. separately, issue 'sol deactivate 1' command
 3. try to disconnect first session, or perform any activity on it, eg '~.' or '[.'
<SEGV>

Installed dbg-sym package. Run with valgrind:

$ valgrind ipmitool -A MD5 -o intelplus -I lanplus -e [ -P fooey -H quorum3-mc sol activate 1
<snip>
[SOL Session operational. Use [? for help]
<separately issue 'sol disconnect 1'>
<press any key>
==14621==
==14621== Invalid read of size 1
==14621== at 0x431154: ipmi_lanplus_recv_sol (lanplus.c:2459)
==14621== by 0x42FCA7: ipmi_lanplus_send_payload (lanplus.c:2167)
==14621== by 0x4312BB: ipmi_lanplus_send_sol (lanplus.c:2298)
==14621== by 0x411482: ipmi_sol_activate (ipmi_sol.c:1259)
==14621== by 0x411B0B: ipmi_sol_main (ipmi_sol.c:1716)
==14621== by 0x428CE1: ipmi_main (ipmi_main.c:601)
==14621== by 0x40439F: main (ipmitool.c:115)
==14621== Address 0x40c is not stack'd, malloc'd or (recently) free'd
==14621==
==14621== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==14621== Access not within mapped region at address 0x40C
==14621== at 0x431154: ipmi_lanplus_recv_sol (lanplus.c:2459)
==14621== by 0x42FCA7: ipmi_lanplus_send_payload (lanplus.c:2167)
==14621== by 0x4312BB: ipmi_lanplus_send_sol (lanplus.c:2298)
==14621== by 0x411482: ipmi_sol_activate (ipmi_sol.c:1259)
==14621== by 0x411B0B: ipmi_sol_main (ipmi_sol.c:1716)
==14621== by 0x428CE1: ipmi_main (ipmi_main.c:601)
==14621== by 0x40439F: main (ipmitool.c:115)
<snip>

Use the source, Luke:

/*
 * ipmi_lanplus_recv_sol
 *
 * Receive a SOL packet and send an ACK in response.
 *
 */
struct ipmi_rs *
ipmi_lanplus_recv_sol(struct ipmi_intf * intf)
{
        struct ipmi_rs * rsp = ipmi_lan_poll_recv(intf);

        if(rsp->session.authtype != 0) <---- SEGV
        {
                ack_sol_packet(intf, rsp);

                /*
                 * Remembers the data sent, and alters the data to just
                 * include the new stuff.
                 */
                check_sol_packet_for_new_data(intf, rsp);
        }
        return rsp;
}

Given the SEGV is from a load from address 0x40c, clearly invalid, this is most likely the offset of session.authtype from 'rsp', which is obviously now NULL. Oops!

This patch fixes the behaviour:

--- ./ipmitool-1.8.8/src/plugins/lanplus/lanplus.c 2006-04-21 17:34:30.000000000 +0100
+++ ./ipmitool-1.8.8-dan/ipmitool-1.8.8/src/plugins/lanplus/lanplus.c 2008-05-30 18:12:02.000000000 +0100
@@ -2165,6 +2165,8 @@

    rsp = ipmi_lanplus_recv_sol(intf); /* Grab the next packet */
+ if (!rsp)
+ break;

    if (sol_response_acks_packet(rsp, payload))
     break;
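Review bot: the new `if (!rsp) break;` leaves the retry loop without an ack ever having been seen, so it only turns the crash into a clean failure if the code after the loop reports the send as failed rather than treating a plain break as success; the "Error sending SOL data: FAIL" output later in this report suggests it does, but that return path is outside the hunk and should be confirmed before this goes upstream.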
@@ -2456,7 +2458,7 @@
 {
  struct ipmi_rs * rsp = ipmi_lan_poll_recv(intf);

- if(rsp->session.authtype != 0)
+ if(rsp && rsp->session.authtype != 0)
    {
     ack_sol_packet(intf, rsp);

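Review bot: with this check ipmi_lanplus_recv_sol now passes a NULL from ipmi_lan_poll_recv straight through to its callers, which changes the function's contract; the first hunk covers the caller at lanplus.c:2165, but any other caller that dereferences the return value unchecked inherits the same crash, so each should be audited, and the header comment ("Receive a SOL packet and send an ACK in response.") should say that NULL is returned when no packet arrives.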
Now, the session is terminated after it has timed out:

$ ipmitool -A MD5 -o intelplus -I lanplus -e [ -P fooey -H quorum1-mc sol activate 1
[SOL Session operational. Use [? for help]
<terminate from other command>
Error sending SOL data: FAIL
SOL session closed by BMC
$

Can someone kick this upstream?
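An added example (my own code, not ipmitool's) that works through the reasoning above: with a mock struct laid out like the leading fields of struct ipmi_rs as I recall them (an assumption, not taken from the page), offsetof puts session.authtype at 0x40c, so a NULL rsp explains the faulting address; the two checked functions mirror the two hunks of the patch, with poll_recv a hypothetical stand-in for ipmi_lan_poll_recv that returns NULL once the BMC has dropped the session.

```c
#include <stddef.h>
#include <stdint.h>

/* Approximation of the leading fields of ipmitool's struct ipmi_rs, written
 * from memory (an assumption, not copied from the page), used only to show
 * how the faulting address 0x40c falls out of the struct layout. */
struct ipmi_rs {
    uint8_t ccode;
    uint8_t data[1024];                 /* IPMI_BUF_SIZE */
    int data_len;
    struct { uint8_t netfn, cmd, seq, lun; } msg;
    struct { uint8_t authtype; uint32_t seq, id; } session;
};

/* Address that a load of rsp->session.authtype touches when rsp is NULL. */
size_t null_rsp_fault_address(void) {
    return offsetof(struct ipmi_rs, session.authtype);
}

/* Stand-in for ipmi_lan_poll_recv(): like the real call, it yields NULL when
 * the BMC sends nothing back, e.g. after 'sol deactivate' from another client. */
static struct ipmi_rs *poll_recv(int bmc_session_active) {
    static struct ipmi_rs buf;
    if (!bmc_session_active) return NULL;
    buf.session.authtype = 0x06;        /* constructed value: an RMCP+ session */
    return &buf;
}

/* The patched receive path: test rsp before touching rsp->session.
 * Sets *acked when a packet would have been acknowledged. */
struct ipmi_rs *recv_sol_checked(int bmc_session_active, int *acked) {
    struct ipmi_rs *rsp = poll_recv(bmc_session_active);
    if (rsp && rsp->session.authtype != 0)
        *acked = 1;                     /* ack_sol_packet() would run here */
    return rsp;
}

/* The patched send loop: stop waiting for an ack once the session is gone.
 * Returns 0 when the packet was acknowledged, -1 when the session vanished. */
int send_sol_checked(int bmc_session_active) {
    for (int tries = 0; tries < 3; tries++) {
        int acked = 0;
        if (!recv_sol_checked(bmc_session_active, &acked))
            return -1;                  /* the added 'if (!rsp) break;' */
        if (acked) return 0;
    }
    return -1;
}
```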

Chuck Short (zulcss) wrote :

Can you try the version in my ppa (http://launchpad.net/~zulcss/+archive) when it's available.

Thanks
chuck

Changed in ipmitool:
status: New → Incomplete

Hi Chuck,

I tested your PPA's 'ipmitool_1.8.8-3.1ubuntu1~ppa1_amd64.deb' package on intrepid 8.10 amd64, and found that when I enter SOL mode [1], no further input is accepted.

The same test with ipmitool 1.8.9-1 (in the repos) works fine. Let me know for further testing...

--- [1]

ipmitool -A MD5 -o intelplus -I lanplus -e [ -P foo -H quorum4-mc sol activate 1

Maybe I'm missing something, but why attempt to patch 1.8.8? Is there some reason for not updating to 1.8.9 which has been available since 2007, and also fixes this problem? At least, it did for me, and the changelog specifically says:

* Fix segfault in SOL when remote BMC does not return packet

.. which may or may not be the problem in this case - at any rate, it fixed the segfaults I was seeing when doing SOL with 1.8.8. 1.8.10 has also been available since August 2008.

Chuck Short (zulcss) wrote :

This should be fixed in karmic now.

Regards
chuck

Chuck Short (zulcss) on 2009-10-29
Changed in ipmitool (Ubuntu):
status: Incomplete → Fix Released