Bug#920885: ntp: segmentation fault in libc-2.24.so[7f9cf2783000+195000]

[Bernhard Übelacker]

Hello Vincas Dargis,
I guess the provided information may not be enough for the
maintainer to find the cause or make a fix.

And I am just curious, but this "0x2f9b8" are just the "195000" from
the kernel log line? I am not sure, but would here not make
0x7f9cf2783000 - 0x7f9cf2803676 = 0x80676 more sense?
That way we would end in the strlen function, at least an instruction
with offset ...676 like the instruction pointer "ip".

But to get more information of a crash you could consider
installing a core dump collector like systemd-coredump.

Then a first backtrace would be already written to the logs.
You could list the cores collected at least of the current boot:

    coredumpctl list

    (previous boots might just get stored in /var/lib/systemd/coredump)

And get more information from the core by e.g.:

    coredumpctl gdb [PID]
        bt

Even better would be if debug symbols are installed like
described in [1], in this case ntp-dbgsym.

Kind regards,
Bernhard


[1] https://wiki.debian.org/HowToGetABacktrace#Installing_the_debugging_symbols




root@debian:~# apt install gdb binutils ntp ntp-dbgsym

root@debian:~# addr2line -e /lib/x86_64-linux-gnu/libc-2.24.so 0x80676
/build/glibc-yWQXbR/glibc-2.24/string/../sysdeps/x86_64/strlen.S:106

root@debian:~# gdb -q -ex 'b main' -ex 'run' -ex 'dele 1' --args /usr/sbin/ntpd
Reading symbols from /usr/sbin/ntpd...Reading symbols from 
/usr/lib/debug/.build-id/5a/8c27a9b583247c96d38ca88835dc36f0ad253d.debug...done.
done.
Breakpoint 1 at 0x12390: file ntpd.c, line 400.
Starting program: /usr/sbin/ntpd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=1, argv=0x7fffffffed28) at ntpd.c:400
400     ntpd.c: Datei oder Verzeichnis nicht gefunden.
(gdb) b strlen.S:106
Breakpoint 2 at 0x7ffff6cd9676: strlen.S:106. (2 locations)
(gdb) disassemble 0x7ffff6cd9676-0x16,0x7ffff6cd9676+0x16
Dump of assembler code from 0x7ffff6cd9660 to 0x7ffff6cd968c:
   0x00007ffff6cd9660 <strlen+16>:      mov    %rdi,%rax
   0x00007ffff6cd9663 <strlen+19>:      mov    %rdi,%rcx
   0x00007ffff6cd9666 <strlen+22>:      and    $0xfff,%rcx
   0x00007ffff6cd966d <strlen+29>:      cmp    $0xfcf,%rcx
   0x00007ffff6cd9674 <strlen+36>:      ja     0x7ffff6cd96e0 <strlen+144>
   0x00007ffff6cd9676 <strlen+38>:      movdqu (%rax),%xmm4
   0x00007ffff6cd967a <strlen+42>:      pcmpeqb %xmm0,%xmm4
   0x00007ffff6cd967e <strlen+46>:      pmovmskb %xmm4,%edx
   0x00007ffff6cd9682 <strlen+50>:      test   %edx,%edx
   0x00007ffff6cd9684 <strlen+52>:      je     0x7ffff6cd968a <strlen+58>
   0x00007ffff6cd9686 <strlen+54>:      bsf    %edx,%eax
   0x00007ffff6cd9689 <strlen+57>:      retq   
   0x00007ffff6cd968a <strlen+58>:      and    $0xfffffffffffffff0,%rax
End of assembler dump.