[Bug 1384943] Re: Pinger crashes with segfault in libc

2014-11-18 Thread Jorge Niedbalski
Linked Vivid branch, Edited bug description for SRU. Attached Trusty
patch.

** Tags added: cts

** Branch linked: lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1384943

Title:
  Pinger crashes with segfault in libc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1384943/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1384943] Re: Pinger crashes with segfault in libc

2014-11-18 Thread Jorge Niedbalski
** Description changed:

+ [Description]
+ 
+ Malformed ICMP packets were accepted into processing with undefined
+ and potentially nasty results.
+ 
+ Both sets of flaws can result in pinger segmentation fault and halting
+ the Squid functionality relying on pinger for correct operation.
+ 
+ A backtrace obtained from a failing guest, shows
+ 
+ #0  0x7f6e3833cb4a in __strcmp_sse2 () from 
/lib/x86_64-linux-gnu/libc.so.6
+ #1  0x7f6e38369971 in __tzfile_compute (timer=1415395716, 
use_localtime=optimized out, leap_correct=0x7810be00, 
+ leap_hit=0x7810bdf0, tp=0x7f6e38679de0 _tmbuf) at tzfile.c:786
+ #2  0x7f6e38368547 in __tz_convert () from /lib/x86_64-linux-gnu/libc.so.6
+ #3  0x7f6e38dc2683 in _db_print(char const*, ...) ()
+ #4  0x7f6e38dc300b in Debug::finishDebug() ()
+ #5  0x7f6e38dc0581 in IcmpPinger::Recv (this=0x7f6e38fd1680 control) at 
IcmpPinger.cc:190
+ #6  0x7f6e38dbf04e in main (argc=optimized out, argv=optimized out) 
at pinger.cc:223
+ 
+ Dissecting the trace , it appears that the amount
+ of read bytes on the  IcmpPinger::Recv method is 0, but
+ no validation is being performed on the readed data.
+ 
+ This patch handles most of this cases by bound checking all the recv values, 
also the ICMP type checking routines are improved to properly
+ handle just existent types.
+ 
+ [Test Case]
+ 
+ - Install latest squid3 from archive.
+ - Enable ICMP pinger
+ - Wait for some anomalous ICMP response to come from any origin server, 
+ - Then the pinger process will segfault with an error like this:
+ 
+ Nov 8 06:28:56 gd2mrbp001 kernel: [1543874.494491] pinger[8802]: segfault at 
0 ip 7fd276d6bb4a sp 7fff11711908 error 4 in 
libc-2.19.so[7fd276ce4000+1bb000] 
+ - After applying this patch, i have ran this over 10 times without
+ experiencing this issue anymore.
+ 
+ [Other Customer information]
  
  After upgrading ubuntu over from 12. something to the 14.04 lts release my 
squid proxy did not work any longer.
  It often happens that sites are loading quite long and in the end there is a 
connection problem.
  Just in this moments I can see the following happen in dmesg output
  
  [4611237.325605] pinger[15651]: segfault at 0 ip 7f6db12aeb4a sp 
7fff2552ad68 error 4 in libc-2.19.so[7f6db1227000+1bb000]
  [4611258.022931] init: squid3 main process (32738) killed by ABRT signal
  [4611258.022968] init: squid3 main process ended, respawning
  
  I already tried to reinstall squid3 and glibc and I build the squid3
  packages on the machine just in case there was something wrong with my
  glibc.
  
- I am using ubuntu 14.04.1 lts 
+ I am using ubuntu 14.04.1 lts
  The squid version is
  squid3 3.3.8-1ubuntu6.1
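
Review bot: In the added [Description], "Both sets of flaws" has no antecedent, since only one flaw (malformed ICMP packets accepted into processing) is named before it; either state what the second set is or reword it to refer to a single flaw. In [Test Case], "Wait for some anomalous ICMP response to come from any origin server" is not a step a verifier can carry out on demand, so the claim of "over 10 times" without the issue is not tied to anything repeatable. A way to produce the condition described in the dissection (0 bytes read in IcmpPinger::Recv) would make the test case checkable.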



[Bug 1384943] Re: Pinger crashes with segfault in libc

2014-11-18 Thread Jorge Niedbalski
** Description changed:

  [Description]
  
  Malformed ICMP packets were accepted into processing with undefined
  and potentially nasty results.
  
  Both sets of flaws can result in pinger segmentation fault and halting
  the Squid functionality relying on pinger for correct operation.
  
  A backtrace obtained from a failing guest, shows
  
  #0  0x7f6e3833cb4a in __strcmp_sse2 () from 
/lib/x86_64-linux-gnu/libc.so.6
- #1  0x7f6e38369971 in __tzfile_compute (timer=1415395716, 
use_localtime=optimized out, leap_correct=0x7810be00, 
- leap_hit=0x7810bdf0, tp=0x7f6e38679de0 _tmbuf) at tzfile.c:786
+ #1  0x7f6e38369971 in __tzfile_compute (timer=1415395716, 
use_localtime=optimized out, leap_correct=0x7810be00,
+ leap_hit=0x7810bdf0, tp=0x7f6e38679de0 _tmbuf) at tzfile.c:786
  #2  0x7f6e38368547 in __tz_convert () from /lib/x86_64-linux-gnu/libc.so.6
  #3  0x7f6e38dc2683 in _db_print(char const*, ...) ()
  #4  0x7f6e38dc300b in Debug::finishDebug() ()
  #5  0x7f6e38dc0581 in IcmpPinger::Recv (this=0x7f6e38fd1680 control) at 
IcmpPinger.cc:190
  #6  0x7f6e38dbf04e in main (argc=optimized out, argv=optimized out) 
at pinger.cc:223
  
  Dissecting the trace , it appears that the amount
- of read bytes on the  IcmpPinger::Recv method is 0, but
- no validation is being performed on the readed data.
+ of read bytes on the  IcmpPinger::Recv method is  0 (error), but
+ no validation is being performed on the readed data, thus an segfault is 
being triggered.
  
  This patch handles most of this cases by bound checking all the recv values, 
also the ICMP type checking routines are improved to properly
  handle just existent types.
  
  [Test Case]
  
  - Install latest squid3 from archive.
  - Enable ICMP pinger
- - Wait for some anomalous ICMP response to come from any origin server, 
+ - Wait for some anomalous ICMP response to come from any origin server,
  - Then the pinger process will segfault with an error like this:
  
- Nov 8 06:28:56 gd2mrbp001 kernel: [1543874.494491] pinger[8802]: segfault at 
0 ip 7fd276d6bb4a sp 7fff11711908 error 4 in 
libc-2.19.so[7fd276ce4000+1bb000] 
+ Nov 8 06:28:56 gd2mrbp001 kernel: [1543874.494491] pinger[8802]: segfault at 
0 ip 7fd276d6bb4a sp 7fff11711908 error 4 in 
libc-2.19.so[7fd276ce4000+1bb000]
  - After applying this patch, i have ran this over 10 times without
  experiencing this issue anymore.
  
  [Other Customer information]
  
  After upgrading ubuntu over from 12. something to the 14.04 lts release my 
squid proxy did not work any longer.
  It often happens that sites are loading quite long and in the end there is a 
connection problem.
  Just in this moments I can see the following happen in dmesg output
  
  [4611237.325605] pinger[15651]: segfault at 0 ip 7f6db12aeb4a sp 
7fff2552ad68 error 4 in libc-2.19.so[7f6db1227000+1bb000]
  [4611258.022931] init: squid3 main process (32738) killed by ABRT signal
  [4611258.022968] init: squid3 main process ended, respawning
  
  I already tried to reinstall squid3 and glibc and I build the squid3
  packages on the machine just in case there was something wrong with my
  glibc.
  
  I am using ubuntu 14.04.1 lts
  The squid version is
  squid3 3.3.8-1ubuntu6.1
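
Review bot: The reworded dissection ("is  0 (error), but no validation is being performed on the readed data, thus an segfault is being triggered") leaves it unclear whether the read returned 0 or an error value, and it does not explain how that leads to the crash shown in the backtrace, where the faulting frames are __strcmp_sse2 under __tzfile_compute and __tz_convert, reached from _db_print and Debug::finishDebug() rather than from packet parsing. State the actual return value observed and add a sentence connecting the unvalidated read at IcmpPinger.cc:190 to the fault in the time-zone code. Also fix "readed" to "read" and "an segfault" to "a segfault" while this paragraph is being edited.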



[Bug 1384943] Re: Pinger crashes with segfault in libc

2014-11-18 Thread Jorge Niedbalski
** Patch added: lp1384943_fix_icmp_trusty.debdiff
   
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1384943/+attachment/4263140/+files/lp1384943_fix_icmp_trusty.debdiff
