rinetd crashing (SIGBUS/SIGSEGV) on large lists - Ubuntu LTS 12.04

Bug #1187790 reported by Helio Loureiro
This bug affects 1 person
Affects Status Importance Assigned to Milestone
rinetd (Ubuntu)
Undecided
Unassigned

Bug Description

Using rinetd on Ubuntu 12.04 LTS with a large forwarding list (more than 32 entries) in /etc/rinetd.conf leads to a crash.

The process is killed sometimes by SIGSEGV and sometimes by SIGBUS. The strace output from two such runs shows:

read(28, "# Network services, Internet sty"..., 4096) = 4096
read(28, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(28, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(28, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(28, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(28, "", 4096) = 0
close(28) = 0
munmap(0x7f4c2c2d4000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 28
setsockopt(28, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(28, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.109.28.15")}, 16) = 0
listen(28, 5) = 0
ioctl(28, FIONBIO, [1]) = 0
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f4c2c2d5000, 4096) = 0
open("/var/run/rinetd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4c2c2d5000
write(3, "10331\n", 6) = 6
close(3) = 0
munmap(0x7f4c2c2d5000, 4096) = 0
sendto(11, "<30>Jun 3 10:40:02 rinetd[10331"..., 59, MSG_NOSIGNAL, NULL, 0) = 59
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

or

open("/etc/services", O_RDONLY|O_CLOEXEC) = 130
fstat(130, {st_mode=S_IFREG|0644, st_size=19301, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfc000
read(130, "# Network services, Internet sty"..., 4096) = 4096
read(130, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(130, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(130, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(130, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(130, "", 4096) = 0
close(130) = 0
munmap(0x7f5694cfc000, 4096) = 0
open("/etc/services", O_RDONLY|O_CLOEXEC) = 130
fstat(130, {st_mode=S_IFREG|0644, st_size=19301, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfc000
read(130, "# Network services, Internet sty"..., 4096) = 4096
read(130, "\t\t# IPX\nipx\t\t213/udp\nimap3\t\t220/"..., 4096) = 4096
read(130, "\nlotusnote\t1352/udp\tlotusnotes\nm"..., 4096) = 4096
read(130, "\t\t\t# MySQL Proxy\nmysql-proxy\t644"..., 4096) = 4096
read(130, "dp\t\t\t# predict -- satellite trac"..., 4096) = 2917
read(130, "", 4096) = 0
close(130) = 0
munmap(0x7f5694cfc000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 130
setsockopt(130, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(130, {sa_family=AF_INET, sin_port=htons(20), sin_addr=inet_addr("10.109.29.16")}, 16) = 0
listen(130, 5) = 0
ioctl(130, FIONBIO, [1]) = 0
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f5694cfd000, 4096) = 0
open("/var/run/rinetd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5694cfd000
write(3, "8215\n", 5) = 5
close(3) = 0
munmap(0x7f5694cfd000, 4096) = 0
sendto(6, "<30>Jun 3 10:27:19 rinetd[8215]"..., 58, MSG_NOSIGNAL, NULL, 0) = 58
--- SIGBUS (Bus error) @ 0 (0) ---
+++ killed by SIGBUS (core dumped) +++
Bus error (core dumped)

Helio Loureiro (helioloureiro) wrote :

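Fetching and building the source package (apt-get source -b rinetd), then recompiling and testing the result, produces a similar error. In this run glibc's fortify check (note `__fortify_fail` in the backtrace) aborts the process with "buffer overflow detected" instead of the process dying on SIGSEGV/SIGBUS.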

root@elx3030vlm-78:rinetd-0.62# make
./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -DHAVE_CONFIG_H -Wall -Wwrite-strings -I. -c -o rinetd.o rinetd.c
rinetd.c:196:6: warning: conflicting types for built-in function ‘log’ [enabled by default]
rinetd.c: In function ‘handleAccept’:
rinetd.c:1056:2: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness [-Wpointer-sign]
/usr/include/x86_64-linux-gnu/sys/socket.h:214:12: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
rinetd.c: In function ‘log’:
rinetd.c:1467:6: warning: the address of ‘log’ will always evaluate as ‘true’ [-Waddress]
gcc rinetd.o match.o -o rinetd -Wl,-Bsymbolic-functions -Wl,-z,relro
root@elx3030vlm-78:rinetd-0.62# ./rinetd -f -c /tmp/rinetd.conf
*** buffer overflow detected ***: ./rinetd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f15f8c7c817]
/lib/x86_64-linux-gnu/libc.so.6(+0x109710)[0x7f15f8c7b710]
/lib/x86_64-linux-gnu/libc.so.6(+0x10a7ce)[0x7f15f8c7c7ce]
./rinetd[0x403de9]
./rinetd[0x401435]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f15f8b9376d]
./rinetd[0x401469]
======= Memory map: ========
00400000-00406000 r-xp 00000000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
00605000-00606000 r--p 00005000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
00606000-00607000 rw-p 00006000 fc:01 15731923 /usr/src/rinetd-0.62/rinetd
01b95000-01bd7000 rw-p 00000000 00:00 0 [heap]
7f15f874f000-7f15f8764000 r-xp 00000000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8764000-7f15f8963000 ---p 00015000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8963000-7f15f8964000 r--p 00014000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8964000-7f15f8965000 rw-p 00015000 fc:01 524340 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f15f8965000-7f15f8971000 r-xp 00000000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8971000-7f15f8b70000 ---p 0000c000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b70000-7f15f8b71000 r--p 0000b000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b71000-7f15f8b72000 rw-p 0000c000 fc:01 524480 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f15f8b72000-7f15f8d27000 r-xp 00000000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8d27000-7f15f8f26000 ---p 001b5000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f26000-7f15f8f2a000 r--p 001b4000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f2a000-7f15f8f2c000 rw-p 001b8000 fc:01 524384 /lib/x86_64-linux-gnu/libc-2.15.so
7f15f8f2c000-7f15f8f31000 rw-...


Helio Loureiro (helioloureiro) wrote :

Making information more accurate.

affects: launchpad → rinetd (Ubuntu)
summary: - rinetd crashing (SIGBUS/SIGSEGV) on large lists
+ rinetd crashing (SIGBUS/SIGSEGV) on large lists - Ubuntu LTS 12.04
Helio Loureiro (helioloureiro) wrote :

After a little debugging, I found that the code tries to initialize seFds[i] improperly, which leads to the core dumps.

I just created a little patch and that fixed the issue.

If possible, I would like to see rinetd updated to the next version, probably 0.62-5.2, with this issue fixed on LTS.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to fix rinetd" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch