SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
net-snmp (Ubuntu) |
Fix Released
|
High
|
Sergio Durigan Junior | ||
Focal |
Fix Released
|
High
|
Sergio Durigan Junior | ||
Groovy |
Fix Released
|
High
|
Sergio Durigan Junior |
Bug Description
[Impact]
When the user requests a bulkget operation using the snmpv3 protocol, and this operation errors out, snmpd will experience a double free error and will abort. This will obviously be very annoying to the user, because from the client side it is not possible to determine why the server suddenly stopped responding.
Upstream has fixed this problem already, albeit it took several patches to get everything right. The fix involved redesigning how a specific struct is manipulated internally, including the addition of a refcount mechanism.
[Test Case]
To reproduce the issue, one can do:
$ lxc launch ubuntu-daily:focal net-snmp-bug1877027-focal
$ lxc shell net-snmp-bug1877027-focal
# apt update
# apt install -y snmpd snmp
# systemctl stop snmpd.service
# cat >> /var/lib/
createUser testuser SHA "testpass" AES "testpass"
__EOF__
# cat >> /etc/snmp/
rwuser testuser
__EOF__
# systemct start snmpd.service
# snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
You can check that snmpd crashed by doing:
# systemctl status snmpd.service
[Regression Potential]
Due to the fact that several patches needed to be backported to fix this issue, and that parts of the code had to be redesign in order to guarantee that nothing is being freed twice, there exists the possibility of encountering a regression when dealing with snmpv3, because most of the code that was touched was there to deal with security states of the protocol.
I took a non-trivial amount of time to review the patches and make sure that they are as contained as possible, and I am satisfied with the approach taken by upstream.
[Other Info]
It is interesting to note that when the bug is fixed, the "snmpbulkget" command will fail with:
Error in packet.
Reason: (genError) A general failure occured
This is expected, and upstream also shows this error.
[Original Description]
Logs:
Apr 30 19:39:11 snmpd[1895]: Cannot adopt OID in UCD-SNMP-MIB: laIndex ::= { laEntry 1 }
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: /var/lib/
Apr 30 19:39:11 snmpd[1895]: Error opening specified endpoint "udp:161"
Apr 30 19:39:11 snmpd[1895]: Server Exiting with code 1
Related branches
- Andreas Hasenack: Pending requested
- Canonical Server: Pending requested
-
Diff: 872 lines (+820/-0)8 files modifieddebian/changelog (+21/-0)
debian/patches/fix-usmStateReference-free.patch (+31/-0)
debian/patches/introduce-refcount-usmStateReference.patch (+169/-0)
debian/patches/move-free-securityStateRef-into-snmp-free-pdu.patch (+92/-0)
debian/patches/move-securityStateRef-into-free_securityStateRef.patch (+78/-0)
debian/patches/prevent-snmpv3-bulkget-errors-double-free.patch (+349/-0)
debian/patches/series (+6/-0)
debian/patches/unexport-struct-usmStateReference.patch (+74/-0)
- Andreas Hasenack: Needs Information
- Canonical Server: Pending requested
-
Diff: 872 lines (+820/-0)8 files modifieddebian/changelog (+21/-0)
debian/patches/fix-usmStateReference-free.patch (+31/-0)
debian/patches/introduce-refcount-usmStateReference.patch (+169/-0)
debian/patches/move-free-securityStateRef-into-snmp-free-pdu.patch (+92/-0)
debian/patches/move-securityStateRef-into-free_securityStateRef.patch (+78/-0)
debian/patches/prevent-snmpv3-bulkget-errors-double-free.patch (+349/-0)
debian/patches/series (+6/-0)
debian/patches/unexport-struct-usmStateReference.patch (+74/-0)
CVE References
Changed in net-snmp (Ubuntu): | |
status: | Incomplete → Triaged |
Changed in net-snmp (Ubuntu): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Changed in net-snmp (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in net-snmp (Ubuntu Groovy): | |
status: | Triaged → Confirmed |
Changed in net-snmp (Ubuntu Focal): | |
importance: | Undecided → High |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
description: | updated |
snmpd 5.8+dfsg-2 "double free or corruption"
openat(AT_FDCWD, "/proc/ net/ipv6_ route", O_RDONLY) = 14 S_IFREG| 0444, st_size=0, ...}) = 0 000000000000000 000"... , 1024) = 900 CLOCK_MONOTONIC , {501384, 839231761}) = 0 CLOCK_MONOTONIC , {501384, 839412979}) = 0
fstat(14, {st_mode=
read(14, "fe800000000000
read(14, "", 1024) = 0
close(14) = 0
clock_gettime(
clock_gettime(
writev(2, [
{"*double free or corruption* (fastt"..., 35}
, {"\n", 1}], 2) = 36 PROT_WRITE, MAP_PRIVATE| MAP_ANONYMOUS, -1, 0) = 0x7f39a2e10000 SIG_UNBLOCK, [ABRT], NULL, 8) = 0 SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0 SIG_SETMASK, [], NULL, 8) = 0
mmap(NULL, 4096, PROT_READ|
rt_sigprocmask(
rt_sigprocmask(
getpid() = 17928
gettid() = 17928
tgkill(17928, 17928, SIGABRT) = 0
rt_sigprocmask(
+++ killed by SIGABRT +++