2015-08-04 15:14:32 |
Eric Desrochers |
bug |
|
|
added bug |
2015-08-04 15:15:04 |
Eric Desrochers |
ntp (Ubuntu): assignee |
|
eric.desrochers (eric-desrochers-z) |
|
2015-08-04 15:15:35 |
Eric Desrochers |
summary |
Use-after-free in routing socket code after dropping root |
NTP : Use-after-free in routing socket code after dropping root |
|
2015-08-04 15:25:31 |
Eric Desrochers |
ntp (Ubuntu): importance |
Undecided |
Low |
|
2015-08-04 15:25:47 |
Eric Desrochers |
ntp (Ubuntu): milestone |
|
ubuntu-12.04.5 |
|
2015-08-05 17:49:52 |
Eric Desrochers |
ntp (Ubuntu): milestone |
ubuntu-12.04.5 |
trusty-updates |
|
2015-08-05 17:49:56 |
Eric Desrochers |
ntp (Ubuntu): milestone |
trusty-updates |
|
|
2015-08-05 17:51:07 |
Eric Desrochers |
nominated for series |
|
Ubuntu Trusty |
|
2015-08-05 17:51:07 |
Eric Desrochers |
nominated for series |
|
Ubuntu Wily |
|
2015-08-05 18:54:33 |
Chris J Arges |
bug task added |
|
ntp (Ubuntu Trusty) |
|
2015-08-05 18:54:37 |
Chris J Arges |
bug task added |
|
ntp (Ubuntu Wily) |
|
2015-08-06 14:12:49 |
Pierre Amadio |
information type |
Public |
Private |
|
2015-08-06 14:49:42 |
Eric Desrochers |
description |
We have 1 server (among hundreds) that its ntp service is crashing.
A few minute/seconds after a start attempts we can see the following in syslog:
Jul 1 05:33:28 svpr-stk67 ntpd[2729]: peers refreshed
Jul 1 05:33:28 svpr-stk67 ntpd[2729]: Listening on routing socket on fd #49 for interface updates
Jul 1 05:36:32 svpr-stk67 ntpd[2729]: i/o error on routing socket No buffer space available - disabling
Jul 1 05:36:32 svpr-stk67 kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic
I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol. |
We have 1 server (among hundreds) that its ntp service is crashing.
A few minute/seconds after a start attempts we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic
I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol. |
|
2015-08-06 14:54:58 |
Pierre Amadio |
information type |
Private |
Public |
|
2015-08-06 15:10:12 |
Launchpad Janitor |
ntp (Ubuntu): status |
New |
Confirmed |
|
2015-08-06 15:10:12 |
Launchpad Janitor |
ntp (Ubuntu Trusty): status |
New |
Confirmed |
|
2015-08-08 14:55:26 |
Eric Desrochers |
ntp (Ubuntu Trusty): assignee |
|
eric.desrochers (eric-desrochers-z) |
|
2015-08-24 16:18:14 |
Adam Conrad |
nominated for series |
|
Ubuntu Vivid |
|
2015-08-24 16:18:14 |
Adam Conrad |
bug task added |
|
ntp (Ubuntu Vivid) |
|
2015-08-24 16:18:14 |
Adam Conrad |
nominated for series |
|
Ubuntu Precise |
|
2015-08-24 16:18:14 |
Adam Conrad |
bug task added |
|
ntp (Ubuntu Precise) |
|
2015-08-26 09:45:21 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server Team |
2015-08-26 18:14:43 |
Eric Desrochers |
ntp (Ubuntu Precise): assignee |
|
Eric Desrochers (eric-desrochers-z) |
|
2015-08-26 18:14:46 |
Eric Desrochers |
ntp (Ubuntu Vivid): assignee |
|
Eric Desrochers (eric-desrochers-z) |
|
2015-08-26 18:14:53 |
Eric Desrochers |
ntp (Ubuntu Precise): status |
New |
Confirmed |
|
2015-08-26 18:30:10 |
Eric Desrochers |
ntp (Ubuntu Precise): importance |
Undecided |
Medium |
|
2015-08-26 18:30:16 |
Eric Desrochers |
ntp (Ubuntu Vivid): status |
New |
Confirmed |
|
2015-08-26 18:56:45 |
Eric Desrochers |
description |
We have 1 server (among hundreds) that its ntp service is crashing.
A few minute/seconds after a start attempts we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic
I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol. |
[Impact]
* User experienced repeated segfaults at the same instruction pointer
i/o error on routing socket No buffer space available - disabling
segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
The remove_ and delete_ functions remove the current element from the asyncio_reader_list, and free it, respectively.
We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element, whose contents are (in theory) now scrambled
by having link pointers, etc, from internal malloc state overlaying the data.
[Test Case]
You can easily reproduce the bug by :
- Lowering the sysctl value net.core.rmem_max
$ sysctl -w net.core.wmem_max=<LOWER_VALUE>
This sets the max OS send buffer size for all types of connections.
- Adding multiple network interfaces and static routes.
[Regression Potential]
None expected since the fix is already available upstream (https://github.com/ntp-project/ntp.git) and Debian package.
If after installing the patch, user are receiving this kind of message in /var/log/syslog : "routing socket reports: No buffer space available".
The next step, would be to increase the "net.core.rmem_max" and "net.core.wmem_max" values equally until the "routing socket reports: No buffer space available" message no longer showed up.
[Other Info]
NTP upstream (https://github.com/ntp-project/ntp.git)
[Bug 2224] Use-after-free in routing socket code after dropping root. - Commit: d6df9d3
[Bug 2890] Ignore ENOBUFS on routing netlink socket. - Commit: db47bd4
The use-after-free bug has been fix in Debian release (closes: #795315)
Will submit the ignore-ENOBUFS-on-routing-netlink-socket in Debian in the next days.
[Original Description]
We have 1 server (among hundreds) that its ntp service is crashing.
A few minute/seconds after a start attempts we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic
I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol. |
|
2015-08-26 18:57:10 |
Eric Desrochers |
tags |
|
verification-done |
|
2015-08-26 18:57:20 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2015-08-26 18:58:04 |
Eric Desrochers |
attachment added |
|
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452885/+files/lp1481388_precise.debdiff |
|
2015-08-26 18:58:12 |
Eric Desrochers |
ntp (Ubuntu Precise): status |
Confirmed |
In Progress |
|
2015-08-26 19:00:17 |
Eric Desrochers |
attachment removed |
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452885/+files/lp1481388_precise.debdiff |
|
|
2015-08-26 19:02:26 |
Eric Desrochers |
attachment added |
|
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452890/+files/lp1481388_precise.debdiff |
|
2015-08-26 19:04:54 |
Eric Desrochers |
attachment removed |
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452890/+files/lp1481388_precise.debdiff |
|
|
2015-08-26 19:06:31 |
Eric Desrochers |
attachment added |
|
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452891/+files/lp1481388_precise.debdiff |
|
2015-08-26 19:07:23 |
Eric Desrochers |
attachment removed |
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452891/+files/lp1481388_precise.debdiff |
|
|
2015-08-26 19:09:29 |
Eric Desrochers |
attachment added |
|
debdiff for precise https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452908/+files/lp1481388_precise.debdiff |
|
2015-08-26 20:18:29 |
Ubuntu Foundations Team Bug Bot |
tags |
verification-done |
patch verification-done |
|
2015-08-26 20:18:38 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2015-08-27 14:38:16 |
Eric Desrochers |
attachment added |
|
1:4.2.6.p5+dfsg-3ubuntu2.14.04.4 https://bugs.launchpad.net/ubuntu/precise/+source/ntp/+bug/1481388/+attachment/4453392/+files/lp1481388_trusty.debdiff |
|
2015-08-27 14:38:28 |
Eric Desrochers |
ntp (Ubuntu Trusty): status |
Confirmed |
In Progress |
|
2015-08-27 14:38:31 |
Eric Desrochers |
ntp (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2015-09-01 15:21:41 |
Eric Desrochers |
attachment added |
|
debdiff for Vivid https://bugs.launchpad.net/ubuntu/precise/+source/ntp/+bug/1481388/+attachment/4455714/+files/lp1481388_vivid.debdiff |
|
2015-09-01 15:22:08 |
Eric Desrochers |
ntp (Ubuntu Vivid): status |
Confirmed |
In Progress |
|
2015-09-01 15:25:10 |
Eric Desrochers |
ntp (Ubuntu Vivid): importance |
Undecided |
Medium |
|
2015-09-02 14:21:13 |
Eric Desrochers |
attachment removed |
debdiff for Vivid https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4455714/+files/lp1481388_vivid.debdiff |
|
|
2015-09-02 14:35:02 |
Eric Desrochers |
attachment added |
|
debdiff for vivid https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456186/+files/lp1481388_vivid.debdiff |
|
2015-09-02 14:35:39 |
Eric Desrochers |
attachment added |
|
debdiff for wily https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456187/+files/lp1481388_wily.debdiff |
|
2015-09-02 14:35:53 |
Eric Desrochers |
ntp (Ubuntu Wily): status |
Confirmed |
In Progress |
|
2015-09-02 14:56:00 |
Eric Desrochers |
ntp (Ubuntu Wily): importance |
Low |
Medium |
|
2015-09-15 11:50:48 |
Marc Deslauriers |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795315 |
|
2015-09-15 11:50:48 |
Marc Deslauriers |
bug task added |
|
ntp (Debian) |
|
2015-09-15 11:51:10 |
Marc Deslauriers |
bug watch added |
|
http://bugs.ntp.org/show_bug.cgi?id=2224 |
|
2015-09-15 11:51:10 |
Marc Deslauriers |
bug task added |
|
ntp |
|
2015-09-15 12:29:15 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-09-15 12:29:23 |
Marc Deslauriers |
tags |
patch verification-done |
patch |
|
2015-09-15 12:29:28 |
Marc Deslauriers |
ntp (Ubuntu Wily): status |
In Progress |
Fix Committed |
|
2015-09-15 13:23:59 |
Launchpad Janitor |
ntp (Ubuntu Wily): status |
Fix Committed |
Fix Released |
|
2015-09-15 22:25:57 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/ntp |
|
2015-09-16 14:52:59 |
Bug Watch Updater |
ntp: status |
Unknown |
Fix Released |
|
2015-09-16 14:52:59 |
Bug Watch Updater |
ntp: importance |
Unknown |
High |
|
2015-09-16 15:51:12 |
Chris J Arges |
ntp (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2015-09-16 15:51:20 |
Chris J Arges |
tags |
patch |
patch verification-needed |
|
2015-09-16 15:51:54 |
Chris J Arges |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2015-09-16 15:52:06 |
Chris J Arges |
ntp (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2015-09-16 15:52:55 |
Chris J Arges |
ntp (Ubuntu Vivid): status |
In Progress |
Fix Committed |
|
2015-09-16 16:33:25 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/vivid-proposed/ntp |
|
2015-09-16 16:33:27 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/ntp |
|
2015-09-16 16:33:30 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/trusty/ntp/trusty-proposed |
|
2015-09-16 22:19:09 |
Bug Watch Updater |
ntp (Debian): status |
Unknown |
Fix Released |
|
2015-09-17 03:08:57 |
paz |
bug |
|
|
added subscriber paz |
2015-09-17 20:11:30 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
2015-10-27 17:22:58 |
Eric Desrochers |
tags |
patch verification-needed |
patch verification-done |
|
2015-10-28 02:50:26 |
Mathew Hodson |
ntp (Ubuntu Precise): status |
Fix Committed |
In Progress |
|
2015-10-28 02:50:34 |
Mathew Hodson |
ntp (Ubuntu Trusty): status |
Fix Committed |
In Progress |
|
2015-10-28 02:50:37 |
Mathew Hodson |
ntp (Ubuntu Vivid): status |
Fix Committed |
In Progress |
|
2015-10-28 19:39:18 |
Mathew Hodson |
bug |
|
|
added subscriber Mathew Hodson |
2015-10-29 13:52:42 |
Eric Desrochers |
attachment removed |
debdiff for precise https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4452908/+files/lp1481388_precise.debdiff |
|
|
2015-10-29 13:52:54 |
Eric Desrochers |
attachment removed |
debdiff for trusty https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4453392/+files/lp1481388_trusty.debdiff |
|
|
2015-10-29 13:53:05 |
Eric Desrochers |
attachment removed |
debdiff for vivid https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456186/+files/lp1481388_vivid.debdiff |
|
|
2015-10-29 14:14:14 |
Eric Desrochers |
attachment added |
|
Rebase Trusty debdiff https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508494/+files/lp1481388_rebase_trusty.debdiff |
|
2015-10-29 14:19:11 |
Eric Desrochers |
attachment added |
|
Rebase Precise debdiff https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508496/+files/lp1481388_rebase_precise.debdiff |
|
2015-10-29 14:24:46 |
Eric Desrochers |
attachment added |
|
Rebase Vivid debdiff https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508498/+files/lp1481388_rebase_vivid.debdiff |
|
2015-10-30 04:00:45 |
Mathew Hodson |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2015-11-05 18:26:17 |
Eric Desrochers |
tags |
patch verification-done |
patch sts verification-done |
|
2015-11-10 16:52:48 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2015-11-10 17:14:54 |
Mathew Hodson |
removed subscriber Mathew Hodson |
|
|
|
2015-11-11 17:55:55 |
Chris J Arges |
ntp (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2015-11-11 17:56:03 |
Chris J Arges |
tags |
patch sts verification-done |
patch sts |
|
2015-11-11 17:56:04 |
Chris J Arges |
tags |
patch sts |
patch sts verification-needed |
|
2015-11-11 17:57:03 |
Chris J Arges |
ntp (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2015-11-11 18:17:19 |
Chris J Arges |
ntp (Ubuntu Vivid): status |
In Progress |
Fix Committed |
|
2015-11-16 22:11:28 |
Eric Desrochers |
tags |
patch sts verification-needed |
patch sts verification-done |
|
2015-11-19 19:05:28 |
Brian Murray |
tags |
patch sts verification-done |
patch sts verification-done-trusty verification-needed |
|
2015-12-10 14:30:31 |
Eric Desrochers |
tags |
patch sts verification-done-trusty verification-needed |
patch sts verification-done verification-done-trusty |
|
2015-12-10 20:50:19 |
Launchpad Janitor |
ntp (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
2015-12-10 20:50:26 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2015-12-10 20:50:45 |
Launchpad Janitor |
ntp (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2015-12-10 20:51:18 |
Launchpad Janitor |
ntp (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|