rinetd crashing (SIGBUS/SIGSEGV) on large lists - Ubuntu LTS 12.04

Bug #1187790 reported by Helio Loureiro
Affects Status Importance Assigned to Milestone
rinetd (Ubuntu)
New
Undecided
Unassigned

Bug Description

Using rinetd on Ubuntu 12.04 LTS with large lists (more than 32 entries) in /etc/rinetd.conf leads to a crash.

The process is killed sometimes by SIGBUS and sometimes by SIGSEGV. Running it under strace shows the following:

read(28, "# Network services, Internet sty"..., 4096) = 4096
read(28, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(28, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(28, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(28, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(28, "", 4096) = 0
close(28) = 0
munmap(0x7f4c2c2d4000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 28
setsockopt(28, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(28, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.109.28.15")}, 16) = 0
listen(28, 5) = 0
ioctl(28, FIONBIO, [1]) = 0
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f4c2c2d5000, 4096) = 0
open("/var/run/rinetd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4c2c2d5000
write(3, "10331\n", 6) = 6
close(3) = 0
munmap(0x7f4c2c2d5000, 4096) = 0
sendto(11, "<30>Jun 3 10:40:02 rinetd[10331"..., 59, MSG_NOSIGNAL, NULL, 0) = 59
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

or

open("/etc/services", O_RDONLY|O_CLOEXEC) = 130
fstat(130, {st_mode=S_IFREG|0644, st_size=19301, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfc000
read(130, "# Network services, Internet sty"..., 4096) = 4096
read(130, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(130, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(130, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(130, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(130, "", 4096) = 0
close(130) = 0
munmap(0x7f5694cfc000, 4096) = 0
open("/etc/services", O_RDONLY|O_CLOEXEC) = 130
fstat(130, {st_mode=S_IFREG|0644, st_size=19301, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfc000
read(130, "# Network services, Internet sty"..., 4096) = 4096
read(130, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(130, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(130, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(130, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(130, "", 4096) = 0
close(130) = 0
munmap(0x7f5694cfc000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 130
setsockopt(130, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(130, {sa_family=AF_INET, sin_port=htons(20), sin_addr=inet_addr("10.109.29.16")}, 16) = 0
listen(130, 5) = 0
ioctl(130, FIONBIO, [1]) = 0
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f5694cfd000, 4096) = 0
open("/var/run/rinetd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfd000
write(3, "8215\n", 5) = 5
close(3) = 0
munmap(0x7f5694cfd000, 4096) = 0
sendto(6, "<30>Jun 3 10:27:19 rinetd[8215]"..., 58, MSG_NOSIGNAL, NULL, 0) = 58
--- SIGBUS (Bus error) @ 0 (0) ---
+++ killed by SIGBUS (core dumped) +++
Bus error (core dumped)

Tags: patch
Helio Loureiro (helioloureiro) wrote :
Helio Loureiro (helioloureiro) wrote :

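Fetching the source code (apt-get source -b rinetd), compiling it, and testing the resulting binary produces a similar failure; here glibc's fortify check (`__fortify_fail` in the backtrace below) aborts the process with "buffer overflow detected" instead of the process dying from a signal.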

root@elx3030vlm-78:rinetd-0.62# make
./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -DHAVE_CONFIG_H -Wall -Wwrite-strings -I. -c -o rinetd.o rinetd.c
rinetd.c:196:6: warning: conflicting types for built-in function ‘log’ [enabled by default]
rinetd.c: In function ‘handleAccept’:
rinetd.c:1056:2: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness [-Wpointer-sign]
/usr/include/x86_64-linux-gnu/sys/socket.h:214:12: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
rinetd.c: In function ‘log’:
rinetd.c:1467:6: warning: the address of ‘log’ will always evaluate as ‘true’ [-Waddress]
gcc rinetd.o match.o -o rinetd -Wl,-Bsymbolic-functions -Wl,-z,relro
root@elx3030vlm-78:rinetd-0.62# ./rinetd -f -c /tmp/rinetd.conf
*** buffer overflow detected ***: ./rinetd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f15f8c7c817]
/lib/x86_64-linux-gnu/libc.so.6(+0x109710)[0x7f15f8c7b710]
/lib/x86_64-linux-gnu/libc.so.6(+0x10a7ce)[0x7f15f8c7c7ce]
./rinetd[0x403de9]
./rinetd[0x401435]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f15f8b9376d]
./rinetd[0x401469]
======= Memory map: ========
00400000-00406000 r-xp 00000000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
00605000-00606000 r--p 00005000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
00606000-00607000 rw-p 00006000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
01b95000-01bd7000 rw-p 00000000 00:00 0 [heap]
7f15f874f000-7f15f8764000 r-xp 00000000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8764000-7f15f8963000 ---p 00015000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8963000-7f15f8964000 r--p 00014000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8964000-7f15f8965000 rw-p 00015000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8965000-7f15f8971000 r-xp 00000000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8971000-7f15f8b70000 ---p 0000c000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b70000-7f15f8b71000 r--p 0000b000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b71000-7f15f8b72000 rw-p 0000c000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b72000-7f15f8d27000 r-xp 00000000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8d27000-7f15f8f26000 ---p 001b5000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f26000-7f15f8f2a000 r--p 001b4000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f2a000-7f15f8f2c000 rw-p 001b8000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f2c000-7f15f8f31000 rw-...


Helio Loureiro (helioloureiro) wrote :

Making information more accurate.

affects: launchpad → rinetd (Ubuntu)
summary: - rinetd crashing (SIGBUS/SIGSEGV) on large lists
+ rinetd crashing (SIGBUS/SIGSEGV) on large lists - Ubuntu LTS 12.04
Helio Loureiro (helioloureiro) wrote :

After a little debugging, I found that seFds[i] is initialized improperly, which leads to the core dumps.

I just created a little patch and that fixed the issue.

If possible, I would like to see rinetd updated to the next version, probably 0.62-5.2, with this issue fixed on the LTS release.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to fix rinetd" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch