Binaries linked with '-static -pie' produce unusable core dumps, at least
on amd64.  This is a real problem when debugging isakmpd(8)/iked(8)
crashes on production machines.

With the diff below, I trigger a NULL-dereference in ntpd(8).  When
compiled with '-static -pie' I obtain the following trace:

  # gdb /sbin/ntpd /var/crash/ntpd/34857.core
  #0  0x000010249cd0ca32 in ?? ()
  (gdb) bt
  #0  0x000010249cd0ca32 in ?? ()
  #1  0x000010276a411300 in ?? ()
  #2  0x000010249d0e9540 in ?? ()
  #3  0x0000000000004000 in ntp_main (nconf=0x3, pw=0x8f5, argc=Variable "argc" 
is not available.) at /usr/src/usr.sbin/ntpd/ntp.c:215
  #4  0x38efae2bb7a38b39 in ?? ()
  #5  0x000010270b35ec00 in ?? ()
  #6  0x00000000000016f6 in dispatch_imsg (lconf=0x38efae2bb7a38b39, 
argc=-1664058825, argv=0x10270b35ec00) at /usr/src/usr.sbin/ntpd/ntpd.c:393
  #7  0x000000005959fe2b in ?? ()
  #8  0x00000000372f8819 in ?? ()
  #9  0x000000005959a297 in ?? ()
  #10 0x0000000000000000 in ?? ()

When compiled with '-static -nopie' or by default, I obtain the correct
trace:

  # gdb /sbin/ntpd /var/crash/ntpd/94479.core
  (gdb) bt
  #0  constraint_query (cstr=0x0) at /usr/src/usr.sbin/ntpd/constraint.c:151
  #1  0x000000000040413c in ntp_main (nconf=Variable "nconf" is not available.) 
at /usr/src/usr.sbin/ntpd/ntp.c:336
  #2  0x0000000000402079 in main (argc=0, argv=Variable "argv" is not 
available.) at /usr/src/usr.sbin/ntpd/ntpd.c:193


Index: Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/Makefile,v
retrieving revision 1.16
diff -u -p -r1.16 Makefile
--- Makefile    20 Nov 2015 18:53:42 -0000      1.16
+++ Makefile    11 Jul 2017 12:33:24 -0000
@@ -16,4 +16,5 @@ DPADD+= ${LIBUTIL} ${LIBCRYPTO} ${LIBSSL
 LINKS= ${BINDIR}/ntpd ${BINDIR}/ntpctl
 MAN=   ntpd.8 ntpd.conf.5 ntpctl.8
 
+LDSTATIC=      ${STATIC}
 .include <bsd.prog.mk>
Index: ntp.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
retrieving revision 1.146
diff -u -p -r1.146 ntp.c
--- ntp.c       30 May 2017 23:30:48 -0000      1.146
+++ ntp.c       11 Jul 2017 12:28:50 -0000
@@ -331,6 +331,8 @@ ntp_main(struct ntpd_conf *nconf, struct
                ctls = i;
 
                TAILQ_FOREACH(cstr, &conf->constraints, entry) {
+                       if (arc4random() % 2)
+                               cstr = NULL;
                        if (constraint_query(cstr) == -1)
                                continue;
                }
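Review bot: The two added lines in ntp.c are fault injection to reproduce the broken backtrace, not a fix, and nothing in the hunk marks them as such; a comment on the `if (arc4random() % 2)` line such as `/* XXX fault injection: force a NULL constraint, do not commit */` would make that explicit for anyone applying the diff. Setting `cstr` to NULL inside TAILQ_FOREACH also corrupts the loop's own iteration: if constraint_query() ever returned instead of faulting, the macro's next-pointer read on the `continue` path would dereference NULL, so the reproduction relies on the callee crashing first. The Makefile hunk only adds `LDSTATIC= ${STATIC}` and needs no review. ntp_main's body starts and ends outside the hunk.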
