On Mon, May 03, 2021 at 08:27:57AM -0600, Theo de Raadt wrote:
> Can you reproduce this, and capture core files?
Yes, after a reboot I could reproduce it; I didn't even have to cycle the
interfaces. I got a coredump like you described for me. See below:
> Since our tcpdump is a privsep program, getting a core is a bit harder.
>
> mkdir /var/crash/tcpdump
> echo kern.nosuidcoredump=3 >> /etc/sysctl.conf
> reboot
>
> You could recompile tcpdump with -g or -ggdb, to gain better symbols.
>
> If you manage to create a coredump, run gdb against the unstripped
> binary (src/usr.sbin/tcpdump/obj/tcpdump) and let's see what the trace is.
Loaded symbols for /usr/libexec/ld.so
#0 0x00000032fd8d2f74 in wg_print () from /usr/sbin/tcpdump
(gdb) bt
#0 0x00000032fd8d2f74 in wg_print () from /usr/sbin/tcpdump
#1 0x00000032fd891880 in udp_print () from /usr/sbin/tcpdump
#2 0x00000032fd88d5f8 in ip_print () from /usr/sbin/tcpdump
#3 0x00000032fd88c4f8 in ether_encap_print () from /usr/sbin/tcpdump
#4 0x00000032fd88bf10 in ether_tryprint () from /usr/sbin/tcpdump
#5 0x00000032fd88bcc4 in ether_if_print () from /usr/sbin/tcpdump
#6 0x0000003766337f98 in pcap_read (p=0x37aa410e00, cnt=-1,
callback=0x32fd88bc40 <ether_if_print>, user=0x0)
at /usr/src/lib/libpcap/pcap-bpf.c:188
#7 0x00000037663359d4 in pcap_loop (p=0x37aa410e00, cnt=-1,
callback=0x32fd88bc40 <ether_if_print>, user=0x0)
at /usr/src/lib/libpcap/pcap.c:76
#8 0x00000032fd8818e8 in main () from /usr/sbin/tcpdump
It looks like it's in wg_print(). I looked at this, but was unable to find
a solution. Perhaps memcpy'ing bp in wg_print() to another aligned buffer
and then trying to get the values out of it. I spent days fixing my programs
on octeon similar to that, but I used an unpack8, unpack16, unpack32, unpack64
and unpack() to do so, which in the latter case memcpy'd. I know too little,
though, of how tcpdump is best worked with; just writing memcpy's in there is
probably not a good idea.
Best Regards,
-peter
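The alignment-safe accessor approach Peter describes, as an added example that is not part of the original message or of tcpdump's code. The unpack8/16/32/64 and unpack() helpers, struct hdr and the 15-byte big-endian header layout are hypothetical (they are not the WireGuard message format), and the packet bytes are constructed so that the header starts at an odd address, the case that faults with a direct wide load on a strict-alignment target such as octeon.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical alignment-safe accessors modelled on the unpack8/16/32/64
 * helpers Peter mentions (example code, not tcpdump's). On a strict-alignment
 * CPU, a direct *(uint32_t *)bp on a packet buffer faults when bp is not
 * 4-byte aligned; assembling the value from bytes, or memcpy'ing into a
 * properly aligned local, only ever issues byte-sized or legal loads.
 * Multi-byte values are decoded as big-endian (network order). */
static inline uint8_t unpack8(const unsigned char *p)
{
	return p[0];
}

static inline uint16_t unpack16(const unsigned char *p)
{
	return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static inline uint32_t unpack32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | p[3];
}

static inline uint64_t unpack64(const unsigned char *p)
{
	return ((uint64_t)unpack32(p) << 32) | unpack32(p + 4);
}

/* The "copy to an aligned buffer first" form: memcpy is the only access to
 * the possibly misaligned source. Note this does not by itself fix byte
 * order or struct padding; the copy is still decoded field by field. */
static inline void unpack(void *dst, const unsigned char *src, size_t len)
{
	memcpy(dst, src, len);
}

/* Hypothetical wire header (not WireGuard): type(1) len(2) idx(4) counter(8). */
#define HDR_LEN 15
struct hdr {
	uint8_t  type;
	uint16_t len;
	uint32_t idx;
	uint64_t counter;
};

/* Bounds-check before touching anything, as a packet printer must:
 * returns 0 on success, -1 if the captured data cannot hold the header. */
int
parse_hdr(const unsigned char *bp, size_t caplen, struct hdr *h)
{
	unsigned char buf[HDR_LEN];	/* aligned local copy of the header */

	if (caplen < HDR_LEN)
		return -1;
	unpack(buf, bp, HDR_LEN);	/* misaligned source handled by memcpy */
	h->type = unpack8(buf);
	h->len = unpack16(buf + 1);
	h->idx = unpack32(buf + 3);
	h->counter = unpack64(buf + 7);
	return 0;
}

/* Constructed packet: the union forces 8-byte alignment of .bytes, and the
 * leading pad byte puts the header itself at an odd address. */
static const union {
	uint64_t align;
	unsigned char bytes[1 + HDR_LEN];
} pkt = { .bytes = {
	0x00,					/* pad */
	0x01,					/* type = 1 */
	0x00, 0x20,				/* len = 32 */
	0xde, 0xad, 0xbe, 0xef,			/* idx = 0xdeadbeef */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02	/* counter = 258 */
} };

/* Nonzero when the header pointer is not 4-byte aligned. */
int
demo_misaligned(void)
{
	return ((uintptr_t)(pkt.bytes + 1) & 3) != 0;
}

/* 1 when the misaligned header parses to the expected field values. */
int
demo_fields_ok(void)
{
	struct hdr h;

	if (parse_hdr(pkt.bytes + 1, sizeof(pkt.bytes) - 1, &h) != 0)
		return 0;
	return h.type == 1 && h.len == 32 && h.idx == 0xdeadbeefu &&
	    h.counter == 258;
}

/* Result of parsing a capture that is too short (expected -1). */
int
demo_truncated(void)
{
	struct hdr h;

	return parse_hdr(pkt.bytes + 1, 4, &h);
}

int
main(void)
{
	printf("misaligned=%d fields_ok=%d truncated=%d\n",
	    demo_misaligned(), demo_fields_ok(), demo_truncated());
	return 0;
}
```

The caplen check matters as much as the alignment fix: a printer that reads past the captured bytes is a second way to crash on the same packet, and copying into a local buffer does not make an out-of-bounds source safe.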