2023-03-27 12:36:05 |
Kieran Kunhya |
bug |
|
|
added bug |
2023-06-09 18:23:04 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2023-06-12 11:57:09 |
Robie Basak |
tags |
|
server-todo |
|
2023-06-12 11:57:16 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server |
2023-06-14 15:25:31 |
Christian Ehrhardt |
net-snmp (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2023-06-16 20:44:29 |
Andreas Hasenack |
net-snmp (Ubuntu): status |
New |
Triaged |
|
2023-06-16 20:44:36 |
Andreas Hasenack |
net-snmp (Ubuntu): status |
Triaged |
In Progress |
|
2023-06-27 12:50:43 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Focal |
|
2023-06-27 12:50:43 |
Andreas Hasenack |
bug task added |
|
net-snmp (Ubuntu Focal) |
|
2023-06-27 12:50:48 |
Andreas Hasenack |
net-snmp (Ubuntu Focal): status |
New |
In Progress |
|
2023-06-27 12:50:50 |
Andreas Hasenack |
net-snmp (Ubuntu Focal): assignee |
|
Andreas Hasenack (ahasenack) |
|
2023-06-27 12:50:54 |
Andreas Hasenack |
net-snmp (Ubuntu): status |
In Progress |
Fix Released |
|
2023-06-27 14:10:23 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/net-snmp/+git/net-snmp/+merge/445445 |
|
2023-06-27 14:13:31 |
Andreas Hasenack |
description |
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-27 14:22:48 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-27 14:31:51 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Create this script, or download it from this bug:
#!/usr/bin/python3
import pyagentx
# Updater class that sets OID values
class NetSnmpPlaypen(pyagentx.Updater):
    def update(self):
        self.set_INTEGER('1.0', 1000)
        self.set_OCTETSTRING('3.0', 'String for NET-SNMP-EXAMPLES-MIB')
class MyAgent(pyagentx.Agent):
    def setup(self):
        # Register Updater class that responds to
        # the tree under "netSnmpPlaypen": 1.3.6.1.4.1.8072.9999.9999
        self.register('1.3.6.1.4.1.8072.9999.9999', NetSnmpPlaypen)
        print("registered")
# Main
pyagentx.setup_logging(debug=False)
try:
    a = MyAgent()
    a.start()
except Exception as e:
    print("Unhandled exception:", e)
    a.stop()
except KeyboardInterrupt:
    a.stop()
# To download: wget <URL> TBD
Patch the file
/usr/lib/python3/dist-packages/pyagentx/network.py:
cd /
sudo patch -p0 <<EOF
--- /usr/lib/python3/dist-packages/pyagentx/network.py 2019-10-23 17:22:32.000000000 +0000
+++ /usr/lib/python3/dist-packages/pyagentx/network.py 2023-06-27 13:32:36.353368761 +0000
@@ -7,6 +7,7 @@
)
# --------------------------------------------
+import time
import logging
class NullHandler(logging.Handler):
def emit(self, record):
@@ -242,7 +243,8 @@
for handler in self._sethandlers.values():
handler.network_cleanup(request.session_id, request.transaction_id)
logger.info("Received CLEANUP PDU")
-
+ logger.info("SLEEP")
+ time.sleep(1.1)
self.send_pdu(response)
EOF
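Review bot: in the second hunk, `time.sleep(1.1)` hard-codes a delay whose only meaning is "just above the 1s agentx timeout" given in the Impact section, and nothing in the hunk says so. Consider a named constant with a comment tying it to that timeout, so a tester whose snmpd runs with a different timeout knows to adjust it. The added `logger.info("SLEEP")` would also be easier to correlate with the snmpd journal if it logged the delay and the `request.transaction_id` that the context lines already have in scope.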
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
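A detection sketch for the crash signatures quoted in the test plan above, as an added example that is not part of the bug report or of net-snmp: it groups journal lines by snmpd PID and reports processes that logged a glibc heap-consistency abort, together with the number of agentx warnings that preceded it. The function name, the `double free` marker and the final benign sample line are assumptions made here.

```python
import re

# Sample input: the two journal excerpts quoted in the test plan, plus one
# constructed benign line (the last one) that must not be flagged.
SAMPLE_JOURNAL = """\
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 27 13:45:02 f-snmpd snmpd[7200]: Connection from UDP: [127.0.0.1]:40000->[127.0.0.1]:161
"""

# Classic syslog prefix as rendered by journalctl: "Mon DD HH:MM:SS host "
PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
SNMPD_LINE = re.compile(PREFIX + r"snmpd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
SYSTEMD_ABRT = re.compile(
    PREFIX + r"systemd\[\d+\]:\ssnmpd\.service: Main process exited, "
    r"code=dumped, status=6/ABRT\s*$"
)

AGENTX_WARNING = "Unknown operation 6 in agentx_got_response"
# The first two substrings cover the messages quoted in the report. The
# third is an assumption added here to catch other glibc double-free aborts,
# since the report notes the crash can show up as "some other one".
HEAP_ABORT_MARKERS = (
    "corrupted double-linked list",
    "double linked list corrupted",
    "double free",
)


def find_snmpd_heap_aborts(journal_text):
    """Return one finding per snmpd process that logged a heap abort."""
    state = {}     # (host, pid) -> finding, in order of first appearance
    last_key = {}  # host -> key of the snmpd process seen most recently
    for line in journal_text.splitlines():
        m = SNMPD_LINE.match(line)
        if m:
            key = (m["host"], m["pid"])
            rec = state.setdefault(key, {
                "host": m["host"], "pid": m["pid"], "agentx_warnings": 0,
                "heap_message": None, "heap_time": None, "core_dumped": False,
            })
            last_key[m["host"]] = key
            msg = m["msg"]
            if AGENTX_WARNING in msg:
                rec["agentx_warnings"] += 1
            elif rec["heap_message"] is None and any(
                marker in msg for marker in HEAP_ABORT_MARKERS
            ):
                rec["heap_message"] = msg
                rec["heap_time"] = m["ts"]
            continue
        m = SYSTEMD_ABRT.match(line)
        if m and m["host"] in last_key:
            # systemd does not print the PID here, so attribute the abort to
            # the snmpd process that logged most recently on the same host.
            state[last_key[m["host"]]]["core_dumped"] = True
    return [rec for rec in state.values() if rec["heap_message"]]


if __name__ == "__main__":
    for f in find_snmpd_heap_aborts(SAMPLE_JOURNAL):
        print("{host} snmpd[{pid}] {heap_time}: {heap_message!r} after "
              "{agentx_warnings} agentx warning(s), core_dumped={core_dumped}"
              .format(**f))
```

The same function can be fed the output of `journalctl -u snmpd` from a fleet to spot hosts still running an unpatched snmpd with a slow subagent.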
2023-06-27 14:32:44 |
Andreas Hasenack |
attachment added |
|
myagentx.py https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py |
|
2023-06-27 14:33:29 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Create this script, or download it from this bug:
#!/usr/bin/python3
import pyagentx
# Updater class that sets OID values
class NetSnmpPlaypen(pyagentx.Updater):
    def update(self):
        self.set_INTEGER('1.0', 1000)
        self.set_OCTETSTRING('3.0', 'String for NET-SNMP-EXAMPLES-MIB')
class MyAgent(pyagentx.Agent):
    def setup(self):
        # Register Updater class that responds to
        # the tree under "netSnmpPlaypen": 1.3.6.1.4.1.8072.9999.9999
        self.register('1.3.6.1.4.1.8072.9999.9999', NetSnmpPlaypen)
        print("registered")
# Main
pyagentx.setup_logging(debug=False)
try:
    a = MyAgent()
    a.start()
except Exception as e:
    print("Unhandled exception:", e)
    a.stop()
except KeyboardInterrupt:
    a.stop()
# To download: wget <URL> TBD
Patch the file
/usr/lib/python3/dist-packages/pyagentx/network.py:
cd /
sudo patch -p0 <<EOF
--- /usr/lib/python3/dist-packages/pyagentx/network.py 2019-10-23 17:22:32.000000000 +0000
+++ /usr/lib/python3/dist-packages/pyagentx/network.py 2023-06-27 13:32:36.353368761 +0000
@@ -7,6 +7,7 @@
)
# --------------------------------------------
+import time
import logging
class NullHandler(logging.Handler):
def emit(self, record):
@@ -242,7 +243,8 @@
for handler in self._sethandlers.values():
handler.network_cleanup(request.session_id, request.transaction_id)
logger.info("Received CLEANUP PDU")
-
+ logger.info("SLEEP")
+ time.sleep(1.1)
self.send_pdu(response)
EOF
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Create this script, or download it from this bug:
#!/usr/bin/python3
import pyagentx
# Updater class that sets OID values
class NetSnmpPlaypen(pyagentx.Updater):
    def update(self):
        self.set_INTEGER('1.0', 1000)
        self.set_OCTETSTRING('3.0', 'String for NET-SNMP-EXAMPLES-MIB')
class MyAgent(pyagentx.Agent):
    def setup(self):
        # Register Updater class that responds to
        # the tree under "netSnmpPlaypen": 1.3.6.1.4.1.8072.9999.9999
        self.register('1.3.6.1.4.1.8072.9999.9999', NetSnmpPlaypen)
        print("registered")
# Main
pyagentx.setup_logging(debug=False)
try:
    a = MyAgent()
    a.start()
except Exception as e:
    print("Unhandled exception:", e)
    a.stop()
except KeyboardInterrupt:
    a.stop()
# To download the script instead:
$ wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
Patch the file
/usr/lib/python3/dist-packages/pyagentx/network.py:
cd /
sudo patch -p0 <<EOF
--- /usr/lib/python3/dist-packages/pyagentx/network.py 2019-10-23 17:22:32.000000000 +0000
+++ /usr/lib/python3/dist-packages/pyagentx/network.py 2023-06-27 13:32:36.353368761 +0000
@@ -7,6 +7,7 @@
)
# --------------------------------------------
+import time
import logging
class NullHandler(logging.Handler):
def emit(self, record):
@@ -242,7 +243,8 @@
for handler in self._sethandlers.values():
handler.network_cleanup(request.session_id, request.transaction_id)
logger.info("Received CLEANUP PDU")
-
+ logger.info("SLEEP")
+ time.sleep(1.1)
self.send_pdu(response)
EOF
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-27 14:35:06 |
Andreas Hasenack |
attachment added |
|
pyagentx-network.patch https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch |
|
2023-06-27 14:37:39 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Create this script, or download it from this bug:
#!/usr/bin/python3
import pyagentx
# Updater class that sets OID values
class NetSnmpPlaypen(pyagentx.Updater):
    def update(self):
        self.set_INTEGER('1.0', 1000)
        self.set_OCTETSTRING('3.0', 'String for NET-SNMP-EXAMPLES-MIB')
class MyAgent(pyagentx.Agent):
    def setup(self):
        # Register Updater class that responds to
        # the tree under "netSnmpPlaypen": 1.3.6.1.4.1.8072.9999.9999
        self.register('1.3.6.1.4.1.8072.9999.9999', NetSnmpPlaypen)
        print("registered")
# Main
pyagentx.setup_logging(debug=False)
try:
    a = MyAgent()
    a.start()
except Exception as e:
    print("Unhandled exception:", e)
    a.stop()
except KeyboardInterrupt:
    a.stop()
# To download the script instead:
$ wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
Patch the file
/usr/lib/python3/dist-packages/pyagentx/network.py:
cd /
sudo patch -p0 <<EOF
--- /usr/lib/python3/dist-packages/pyagentx/network.py 2019-10-23 17:22:32.000000000 +0000
+++ /usr/lib/python3/dist-packages/pyagentx/network.py 2023-06-27 13:32:36.353368761 +0000
@@ -7,6 +7,7 @@
)
# --------------------------------------------
+import time
import logging
class NullHandler(logging.Handler):
def emit(self, record):
@@ -242,7 +243,8 @@
for handler in self._sethandlers.values():
handler.network_cleanup(request.session_id, request.transaction_id)
logger.info("Received CLEANUP PDU")
-
+ logger.info("SLEEP")
+ time.sleep(1.1)
self.send_pdu(response)
EOF
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-27 14:40:13 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
$ Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-27 14:45:06 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Or some other one.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-29 14:49:50 |
Sergio Durigan Junior |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-06-29 18:28:57 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to comeup with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
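A triage helper for the journal output shown in the test plan, added here as an example (it is not part of the bug report or of net-snmp): it groups snmpd lines by PID and reports each ABRT core dump together with the agentx warnings and glibc heap-corruption message that preceded it. The function name, the verdict strings, the heap-message pattern and the attribution of systemd's exit line to the most recently seen snmpd PID are assumptions of this example; the sample lines are copied from the test plan except the one marked as constructed.

```python
import re

# Journal lines copied from the test plan above. The cron line is constructed
# and only shows that unrelated processes are ignored.
SAMPLE_JOURNAL = """\
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 27 13:40:02 f-snmpd cron[812]: constructed unrelated line, not from the bug report
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
"""

# Classic syslog layout as printed by journalctl: "Mon DD HH:MM:SS host proc[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
AGENTX_WARN = "Unknown operation 6 in agentx_got_response"
# Assumption: covers the two glibc abort messages on this page plus the common
# "double free" / "memory corruption" wordings glibc uses for the same class.
HEAP_RE = re.compile(r"double free|double[- ]linked list|corrupted|memory corruption")
ABORT_RE = re.compile(r"snmpd\.service: Main process exited, code=dumped, status=6/ABRT")

VERDICT_AGENTX = "heap corruption after agentx warnings"
VERDICT_HEAP = "heap corruption, no agentx warnings"
VERDICT_ABORT = "abort without heap message"


def find_snmpd_heap_aborts(journal_text):
    """Return one dict per snmpd ABRT core dump found in journal_text."""
    per_pid = {}      # snmpd pid -> {"warnings": int, "heap_msg": str or None}
    last_pid = None   # systemd's exit line carries no snmpd pid, so remember it
    incidents = []
    for raw in journal_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines, blank lines, other formats
        proc, pid, msg = m["proc"], m["pid"], m["msg"]
        if proc == "snmpd" and pid:
            entry = per_pid.setdefault(pid, {"warnings": 0, "heap_msg": None})
            last_pid = pid
            if AGENTX_WARN in msg:
                entry["warnings"] += 1
            elif HEAP_RE.search(msg):
                entry["heap_msg"] = msg
        elif proc == "systemd" and ABORT_RE.search(msg):
            entry = per_pid.pop(last_pid, {"warnings": 0, "heap_msg": None})
            if entry["heap_msg"] and entry["warnings"]:
                verdict = VERDICT_AGENTX
            elif entry["heap_msg"]:
                verdict = VERDICT_HEAP
            else:
                verdict = VERDICT_ABORT
            incidents.append({
                "time": m["ts"],
                "host": m["host"],
                "pid": last_pid,
                "agentx_warnings": entry["warnings"],
                "heap_message": entry["heap_msg"],
                "verdict": verdict,
            })
            last_pid = None  # the next snmpd line belongs to a restarted process
    return incidents


if __name__ == "__main__":
    for inc in find_snmpd_heap_aborts(SAMPLE_JOURNAL):
        print(inc)
```

On a host, the same function can be fed the text of `journalctl -u snmpd -o short`; an incident with the first verdict matches the signature this test plan describes, while the other two verdicts point at an abort that needs separate analysis.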
2023-06-29 18:29:26 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involves timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly above the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-07-01 03:45:46 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Andreas Hasenack |
2023-07-07 07:12:12 |
Timo Aaltonen |
net-snmp (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2023-07-07 07:12:13 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-07-07 07:12:16 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2023-07-07 07:12:21 |
Timo Aaltonen |
tags |
server-todo |
server-todo verification-needed verification-needed-focal |
|
2023-07-12 16:39:37 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
cd -
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-07-12 16:56:53 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-focal |
server-todo verification-failed-focal verification-needed |
|
2023-07-12 16:57:02 |
Andreas Hasenack |
net-snmp (Ubuntu Focal): status |
Fix Committed |
Triaged |
|
2023-07-31 12:42:15 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/net-snmp/+git/net-snmp/+merge/448072 |
|
2023-07-31 12:47:00 |
Andreas Hasenack |
description |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
cd -
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response):
$ snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
Not at this time.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
[ Impact ]
Multiple double free bugs in snmpd can cause it to crash when dealing with agentx submodules.
agentx is a protocol between snmpd and agents and is a way to add MIBs to the server. In simple terms, the agentx master will basically pass on requests for such MIBs to a registered subagent, which is like a plugin.
The crashes are happening in this exchange between the master agent and a subagent, and involve timing and race conditions.
The easiest and most reliable way to reproduce the crashes was to come up with a custom agent, and add a pause in the communication just slightly higher than the agentx timeout of 1s. That is enough to reliably reproduce the crashes.
[ Test Plan ]
In a focal container, perform the following steps:
# install packages
sudo apt update
sudo apt install snmp snmpd python3-pyagentx -y
# change /etc/snmp/snmpd.conf
# Add the following lines just below the last "view" line in section "access control setup":
view all included .1 80
com2sec readonly default public
group MyROGroup v1 readonly
access MyROGroup "" any noauth exact all none none
# restart snmpd
sudo systemctl restart snmpd
# Download the reproducer script from this bug:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682346/+files/myagentx.py
# Patch the file network.py from the pyagentx python module:
wget https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926/+attachment/5682347/+files/pyagentx-network.patch
cd /
sudo patch -p0 < ~/pyagentx-network.patch
cd -
# Run the python script as root:
sudo python3 myagentx.py
# In another terminal, run this command as a regular user (you may or may not get a response) in a loop. Wait at least 10 iterations:
$ declare -i i=0; while /bin/true; do date; echo i=$i; snmpget -v 1 -c public localhost 1.3.6.1.4.1.8072.9999.9999.3.0; i=$((i+1)); done
The response, when you get one, should be like this:
iso.3.6.1.4.1.8072.9999.9999.3.0 = STRING: "String for NET-SNMP-EXAMPLES-MIB"
# Check snmpd logs with journalctl -u snmpd -f
# snmpd will crash with this error:
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
# Or this one:
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Update to the packages in proposed, and snmpd will not crash anymore with this reproducer.
[ Where problems could occur ]
This started as a patch-on-a-plate bug, with one patch to supposedly fix the problem. But further investigation in upstream bug reports and git log showed more double free fixes. I applied them one by one until I couldn't reproduce the bug anymore.
That being said, this is all lovely C code dealing with memory management. While these few crashes seem fixed, and all the patches are committed upstream and available in released versions of net-snmp, I could have missed another one, or introduced a memory leak by not freeing something that should have been freed.
[ Other Info ]
The original verification for this bug found another crash after running the snmpget command in a loop. This has been fixed in 5.8+dfsg-2ubuntu2.9 which will be uploaded with a changes file incorporating 5.8+dfsg-2ubuntu2.8 as well.
[ Original Description ]
Is there a way this patch could be backported to Ubuntu 20.04 net-snmp as it fixes a crash we see:
https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
Likely a security issue too |
|
2023-07-31 13:24:58 |
Andreas Hasenack |
net-snmp (Ubuntu Focal): status |
Triaged |
In Progress |
|
2023-08-09 00:10:20 |
Robie Basak |
net-snmp (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2023-08-09 00:10:22 |
Robie Basak |
tags |
server-todo verification-failed-focal verification-needed |
server-todo verification-needed verification-needed-focal |
|
2023-08-09 12:57:20 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-focal |
server-todo verification-done-focal verification-needed |
|
2023-08-16 12:38:30 |
Launchpad Janitor |
net-snmp (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-08-16 12:38:34 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-08-17 13:25:45 |
Michał Małoszewski |
tags |
server-todo verification-done-focal verification-needed |
verification-done-focal verification-needed |
|
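An added example (not part of the bug report or of net-snmp): a Python check that scans journal output in the format shown in the test plan for the crash signature, that is, a glibc heap-corruption abort logged by snmpd followed by systemd's `code=dumped` line, and counts the `agentx_got_response` warnings the same PID logged beforehand. The generic `double free` pattern and the pid 7200 lines are assumptions added for illustration; the other sample lines are copied from the test plan.

```python
import re
from dataclasses import dataclass

# First ten lines: journal output quoted in the test plan.
# Last two lines (pid 7200): constructed, a process that warns but does not crash.
SAMPLE = """\
Jun 27 13:39:55 f-snmpd snmpd[6986]: Unknown operation 6 in agentx_got_response
Jun 27 13:39:58 f-snmpd snmpd[6986]: corrupted double-linked list
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:39:58 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 27 13:41:19 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:20 f-snmpd snmpd[7090]: Unknown operation 6 in agentx_got_response
Jun 27 13:41:21 f-snmpd snmpd[7090]: malloc(): smallbin double linked list corrupted
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Main process exited, code=dumped, status=6/ABRT
Jun 27 13:41:21 f-snmpd systemd[1]: snmpd.service: Failed with result 'core-dump'.
Jun 27 14:00:01 f-snmpd snmpd[7200]: Unknown operation 6 in agentx_got_response
Jun 27 14:00:05 f-snmpd snmpd[7200]: Connection from UDP: [127.0.0.1]:40000
"""

# "<Mon DD HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.@-]+)\[(\d+)\]: (.*)$")
AGENTX_WARN = "Unknown operation 6 in agentx_got_response"
# The two glibc abort messages from the page, plus a generic "double free"
# match (assumption: other glibc heap checks word their aborts that way).
HEAP_ABORT = re.compile(
    r"corrupted double-linked list|malloc\(\): .* corrupted|double free")
UNIT_DUMPED = "snmpd.service: Main process exited, code=dumped"


@dataclass
class Crash:
    pid: int
    heap_ts: str
    heap_msg: str
    agentx_warnings: int       # warnings this PID logged before aborting
    core_dumped: bool = False  # confirmed by the following systemd line


def find_heap_crashes(text):
    """Return one Crash per snmpd PID that aborted on a heap-integrity check."""
    warnings = {}   # pid -> number of agentx warnings seen so far
    crashes = []
    pending = None  # most recent abort not yet confirmed by systemd
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _host, proc, pid, msg = m.groups()
        pid = int(pid)
        if proc == "snmpd":
            if AGENTX_WARN in msg:
                warnings[pid] = warnings.get(pid, 0) + 1
            elif HEAP_ABORT.search(msg):
                pending = Crash(pid, ts, msg, warnings.get(pid, 0))
                crashes.append(pending)
        elif proc == "systemd" and UNIT_DUMPED in msg and pending:
            # systemd logs as PID 1, so correlate by order, not by PID.
            pending.core_dumped = True
            pending = None
    return crashes


if __name__ == "__main__":
    for c in find_heap_crashes(SAMPLE):
        print(f"{c.heap_ts} snmpd[{c.pid}] aborted: {c.heap_msg!r}; "
              f"{c.agentx_warnings} agentx warning(s) before; "
              f"core dumped: {c.core_dumped}")
```

To run it against a real host, pass the text of `journalctl -u snmpd --no-pager` to `find_heap_crashes()`; an empty result after the verification loop from the test plan has run is the expected outcome on a fixed package.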