snmpd core with "double free or corruption (fasttop)" in 5.8

Saleem Thu, 01 Oct 2020 14:55:29 -0700

Hi Experts,

we upgraded the net-snmp recently in our project to the 5.8 version.
One of our Linux box got a snmpd core with below backtrace pointing to
agentx_master_handler() call.


Generating backtrace for core.snmpd.6.4.3e.7403
Using /usr/sbin/snmpd to generate backtrace for core.snmpd.6.4.3e.7403
[New LWP 7403]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/snmpd -f -Lsd -M+/sw/unicorn/snmp/mibs
-Dtrap -Dusm -Dinit_mibs -I-sy'.
Program terminated with signal 6, Aborted.
#0  0x00007f348df14f57 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:63
#0  0x00007f348df14f57 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:63
        resultvar = 0
        pid = 7403
        selftid = 7403
#1  0x00007f348df16418 in __GI_abort () at abort.c:90
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7ffd80c6b47a,
sa_sigaction = 0x7ffd80c6b47a}, sa_mask = {__val = {6, 139863697671872, 2,
140726763959438, 2, 139863697662956, 1, 139863697671868, 3,
140726763959412, 12, 139863697671872, 2, 140726763960224, 20,
140726763961984}}, sa_flags = 100, sa_restorer = 0x7}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f348df52e3b in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7f348e0468a0 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7ffd80c6be90, reg_save_area = 0x7ffd80c6bda0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area =
0x7ffd80c6be90, reg_save_area = 0x7ffd80c6bda0}}
        fd = 2
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007f348df589be in malloc_printerr (ptr=<optimized out>,
str=0x7f348e046a00 "double free or corruption (fasttop)", action=3,
ar_ptr=<optimized out>) at malloc.c:4855
        buf = "0000000001007c40"
        cp = <optimized out>
#4  malloc_printerr (action=3, str=0x7f348e046a00 "double free or
corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at
malloc.c:4836
No locals.
#5  0x00007f348fedb269 in agentx_master_handler () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#6  0x00007f348fec5dcf in netsnmp_call_handlers () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#7  0x00007f348fed6a95 in handle_var_requests () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#8  0x00007f348fed7baf in handle_pdu () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#9  0x00007f348fed7dc8 in netsnmp_handle_request () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#10 0x00007f348fed887a in handle_snmp_packet () from
/usr/lib64/libnetsnmpagent.so.35
No symbol table info available.
#11 0x00007f348f6e7517 in ?? () from /usr/lib64/libnetsnmp.so.35
No symbol table info available.
#12 0x00007f348f6e88f0 in _sess_read () from /usr/lib64/libnetsnmp.so.35
No symbol table info available.
#13 0x00007f348f6e8f09 in snmp_sess_read2 () from
/usr/lib64/libnetsnmp.so.35
No symbol table info available.
#14 0x00007f348f6e8fbb in snmp_read2 () from /usr/lib64/libnetsnmp.so.35
No symbol table info available.
#15 0x00007f348f6bdd1a in snmp_synch_response_cb () from
/usr/lib64/libnetsnmp.so.35
No symbol table info available.
#16 0x00007f348f6be19b in ?? () from /usr/lib64/libnetsnmp.so.35
No symbol table info available.
#17 0x00007f348fa82495 in mteTrigger_run () from
/usr/lib64/libnetsnmpmibs.so.35
No symbol table info available.
#18 0x00007f348f70b997 in run_alarms () from /usr/lib64/libnetsnmp.so.35
No symbol table info available.
#19 0x000000000040448a in ?? ()
No symbol table info available.
#20 0x0000000000403b1b in ?? ()
No symbol table info available.
#21 0x00007f348df01865 in __libc_start_main (main=0x402900, argc=20,
ubp_av=0x7ffd80c6cb68, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffd80c6cb58) at libc-start.c:274
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0,
-7221113138933426041, 4210716, 140726763965280, 0, 0, 7219958867996153991,
7322967600052148359}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0,
0x4048e0, 0x7ffd80c6cb68}, data = {prev = 0x0, cleanup = 0x0, canceltype =
4212960}}}
        not_first_call = <optimized out>
#22 0x0000000000404045 in ?? ()
No symbol table info available.

There are also lot of "snmpd: send_trap: Timeout" messages
I could see a similar bug in net-snmp but not sure it is same
https://sourceforge.net/p/net-snmp/mailman/message/36702965/

Your help is highly appreciated

Thanks and Regards,
Salim

C

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

snmpd core with "double free or corruption (fasttop)" in 5.8

Reply via email to