NTP : Use-after-free in routing socket code after dropping root
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NTP | Fix Released | High | |
ntp (Debian) | Fix Released | Unknown | |
ntp (Ubuntu) | Fix Released | Medium | Eric Desrochers |
Precise | Fix Released | Medium | Eric Desrochers |
Trusty | Fix Released | Medium | Eric Desrochers |
Vivid | Fix Released | Medium | Eric Desrochers |
Wily | Fix Released | Medium | Eric Desrochers |
Bug Description
[Impact]
* User experienced repeated segfaults at the same instruction pointer
i/o error on routing socket No buffer space available - disabling
segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-
The remove_ and delete_ functions remove the current element from the asyncio_
We then return to the loop at the top, where the asyncio_reader variable still points at the now-freed element, whose contents are (in theory) now scrambled by link pointers and other internal malloc state overlaying the data.
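The traversal pattern behind this bug, as an added illustration that is not ntpd's code and not part of the bug report: it assumes a hypothetical asyncio_reader struct with a receiver callback and a constructed pending_errno field. The loop reads the next link before the receiver can free the current element, and the receiver treats ENOBUFS as non-fatal, mirroring the two upstream commits listed under [Other Info].

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical stand-in for ntpd's asyncio_reader list (not ntpd's own code). */
struct asyncio_reader {
    struct asyncio_reader *link;
    int fd;
    int pending_errno;  /* constructed: errno the next read would hit, 0 = ok */
    int (*receiver)(struct asyncio_reader *);
};
static struct asyncio_reader *asyncio_reader_list;

static void add_asyncio_reader(int fd, int err, int (*rcv)(struct asyncio_reader *)) {
    struct asyncio_reader *r = calloc(1, sizeof *r);
    r->fd = fd; r->pending_errno = err; r->receiver = rcv;
    r->link = asyncio_reader_list;
    asyncio_reader_list = r;
}

/* Unlink and free the reader; the caller's pointer is dangling afterwards. */
static void remove_asyncio_reader(struct asyncio_reader *reader) {
    struct asyncio_reader **pp = &asyncio_reader_list;
    while (*pp != NULL && *pp != reader)
        pp = &(*pp)->link;
    if (*pp != NULL)
        *pp = reader->link;
    free(reader);
}

/* Routing-socket receiver: ENOBUFS only means the kernel dropped netlink messages,
 * so the reader is kept (bug 2890); any other error disables it, which frees it. */
static int routing_receiver(struct asyncio_reader *reader) {
    int err = reader->pending_errno;
    reader->pending_errno = 0;
    if (err == 0 || err == ENOBUFS)
        return 0;
    remove_asyncio_reader(reader);  /* reader must not be touched after this */
    return 1;                       /* 1 = this reader was freed */
}

/* Walk the list safely: read ->link BEFORE the receiver runs, since it may free
 * the current element; reading asyncio_reader->link after that free is bug 2224. */
static int dispatch_readers(void) {
    struct asyncio_reader *asyncio_reader = asyncio_reader_list, *next;
    int freed = 0;
    while (asyncio_reader != NULL) {
        next = asyncio_reader->link;
        freed += (*asyncio_reader->receiver)(asyncio_reader);
        asyncio_reader = next;
    }
    return freed;
}
```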
[Test Case]
You can easily reproduce the bug by:
- Lowering the sysctl value net.core.rmem_max
$ sysctl -w net.core.
This sets the max OS send buffer size for all types of connections.
- Adding multiple network interfaces and static routes.
[Regression Potential]
None expected since the fix is already available upstream (https:/
If, after installing the patch, users still see messages like "routing socket reports: No buffer space available" in /var/log/syslog, the next step would be to increase the "net.core.rmem_max" and "net.core.wmem_max" values equally until that message no longer shows up.
[Other Info]
NTP upstream (https:/
[Bug 2224] Use-after-free in routing socket code after dropping root. - Commit: d6df9d3
[Bug 2890] Ignore ENOBUFS on routing netlink socket. - Commit: db47bd4
The use-after-free bug has been fixed in the Debian release (closes: #795315).
Will submit the ignore-
[Original Description]
We have 1 server (among hundreds) whose ntp service is crashing.
A few minutes/seconds after a start attempt we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-
OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic
I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol.
Changed in ntp (Ubuntu):
assignee: nobody → eric.desrochers (eric-desrochers-z)
summary: Use-after-free in routing socket code after dropping root → NTP : Use-after-free in routing socket code after dropping root
Changed in ntp (Ubuntu):
importance: Undecided → Low
milestone: none → ubuntu-12.04.5
Changed in ntp (Ubuntu):
milestone: ubuntu-12.04.5 → trusty-updates
milestone: trusty-updates → none
information type: Public → Private
description: updated
information type: Private → Public
Changed in ntp (Ubuntu Trusty):
assignee: nobody → eric.desrochers (eric-desrochers-z)
Changed in ntp (Ubuntu Precise):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in ntp (Ubuntu Vivid):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in ntp (Ubuntu Precise):
status: New → Confirmed
Changed in ntp (Ubuntu Precise):
importance: Undecided → Medium
Changed in ntp (Ubuntu Vivid):
status: New → Confirmed
description: updated
tags: added: verification-done
Changed in ntp (Ubuntu Precise):
status: Confirmed → In Progress
Changed in ntp (Ubuntu Vivid):
status: Confirmed → In Progress
importance: Undecided → Medium
Changed in ntp (Ubuntu Wily):
importance: Low → Medium
Changed in ntp:
importance: Unknown → High
status: Unknown → Fix Released
Changed in ntp (Debian):
status: Unknown → Fix Released
tags: added: verification-done; removed: verification-needed
tags: added: sts
tags: added: verification-done; removed: verification-needed
tags: added: verification-done-trusty verification-needed; removed: verification-done
tags: added: verification-done; removed: verification-needed
Hello everyone, I want to file a bug.
Run command: ntpd --user=ntpd:ntpd --logfile=/var/log/ntpd.log
It runs for some seconds and then it segfaults.
Happens only when I use both the --user and --logfile parameters.
Happens only when I have configured it with --enable-clockctl alone.
If configured with both --enable-clockctl and --enable-linuxcaps it works OK.
/var/log/ntpd.log: -rw-r--r-- 1 ntpd ntpd 21957 Jun 11 14:49 /var/log/ntpd.log 10:17:ntpd: /dev/null: /bin/false
/etc/passwd: ntpd:x:
/etc/group: ntpd:x:1008:
/etc/ntpd.conf is empty.
Strace gives in the end: http://pastebin.com/Bujn2MNn http://pastebin.com/YNWBrRJG http://pastebin.com/2JpzK4jh
With more advanced debugging I got: http://
When runs in normal manner, strace gives: http://
In my humble opinion, the error occurs when ntpd tries to do something with the network interfaces.
My machine runs kernel 2.6.35.14 with glibc 2.14.1.
ntpd - NTP daemon program - Ver. 4.2.6p5
Greetings.