* [Fwd: Bug#488430: iproute: lnstat causes segmentation fault]
@ 2008-06-29  9:56 Andreas Henriksson
From: Andreas Henriksson @ 2008-06-29  9:56 UTC (permalink / raw)
  To: stephen.hemminger, netdev; +Cc: Andrew France, 488430


Hi Stephen and others interested!

Could you please have a look at lnstat. We got a bugreport in Debian
about it segfaulting. It happens for me too on my workstation (amd64),
which is also my internet gateway at home, but not on my laptop (i386).

I can't figure out what's going on. The segfault only happens when
lnstat is compiled with at least -O1. It seems like the fp->params array
is getting corrupted at 65th element inside build_hdr_string() at the
first for loop where memory is malloced and memset. That seems totally
unrelated to me though, could it be something like use of freed memory?
I have no clue...

In case you can't reproduce, I've made a tarball of my /proc/net/stat
and attached, which I hope helps.

PS. any news on the debian front (stuff sent to 488430@bugs.debian.org)
will be available through http://bugs.debian.org/488430 (and other
problems at http://bugs.debian.org/iproute ).



-------- Forwarded Message --------
From: Andrew France <andrew@avito.co.uk>
Reply-To: Andrew France <andrew@avito.co.uk>, 488430@bugs.debian.org
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#488430: iproute: lnstat causes segmentation fault
Date: Sat, 28 Jun 2008 21:30:06 +0100

Package: iproute
Version: 20080417-1
Severity: important

Hi,

Running 'lnstat' results in a segmentation fault, although the symlinked
'rtstat' runs fine. Lnstat strace included below.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iproute depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libdb4.6                      4.6.21-8   Berkeley v4.6 Database Libraries [

Versions of packages iproute recommends:
ii  libatm1                       2.4.1-17.2 shared library for ATM (Asynchrono

-- no debconf information

*** lnstat.strace
execve("/usr/bin/lnstat", ["lnstat"], [/* 22 vars */]) = 0
brk(0)                                  = 0x604000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210df000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e0000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=36821, ...}) = 0
mmap(NULL, 36821, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2b0f210e2000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libresolv.so.2", O_RDONLY)   = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P3\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=72568, ...}) = 0
mmap(NULL, 2177800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2b0f212e0000
mprotect(0x2b0f212f0000, 2097152, PROT_NONE) = 0
mmap(0x2b0f214f0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x2b0f214f0000
mmap(0x2b0f214f2000, 6920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b0f214f2000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\342"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1330480, ...}) = 0
mmap(NULL, 3437144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2b0f214f4000
mprotect(0x2b0f21632000, 2097152, PROT_NONE) = 0
mmap(0x2b0f21832000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13e000) = 0x2b0f21832000
mmap(0x2b0f21837000, 16984, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b0f21837000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f2183c000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f2183d000
arch_prctl(ARCH_SET_FS, 0x2b0f2183caf0) = 0
mprotect(0x2b0f21832000, 12288, PROT_READ) = 0
munmap(0x2b0f210e2000, 36821)           = 0
open("/proc/net/stat", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 3
fstat(3, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
fcntl(3, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
brk(0)                                  = 0x604000
brk(0x625000)                           = 0x625000
getdents(3, /* 8 entries */, 1024)      = 248
open("/proc/net/stat/ip_conntrack", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e2000
lseek(4, 0, SEEK_SET)                   = 0
read(4, "entries  searched found new inva"..., 1024) = 444
open("/proc/net/stat/nf_conntrack", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e3000
lseek(5, 0, SEEK_SET)                   = 0
read(5, "entries  searched found new inva"..., 1024) = 444
open("/proc/net/stat/ndisc_cache", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e4000
lseek(6, 0, SEEK_SET)                   = 0
read(6, "entries  allocs destroys hash_gr"..., 1024) = 338
open("/proc/net/stat/clip_arp_cache", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e5000
lseek(7, 0, SEEK_SET)                   = 0
read(7, "entries  allocs destroys hash_gr"..., 1024) = 338
open("/proc/net/stat/rt_cache", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e6000
lseek(8, 0, SEEK_SET)                   = 0
read(8, "entries  in_hit in_slow_tot in_s"..., 1024) = 517
open("/proc/net/stat/arp_cache", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f210e7000
lseek(9, 0, SEEK_SET)                   = 0
read(9, "entries  allocs destroys hash_gr"..., 1024) = 338
getdents(3, /* 0 entries */, 1024)      = 0
close(3)                                = 0
mmap(NULL, 6356992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b0f2183e000
munmap(0x2b0f2183e000, 6356992)         = 0
brk(0xc42000)                           = 0xc42000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 19271 detached




* Re: [Fwd: Bug#488430: iproute: lnstat causes segmentation fault]
  2008-06-29  9:56 [Fwd: Bug#488430: iproute: lnstat causes segmentation fault] Andreas Henriksson
@ 2008-06-30 17:36 ` Stephen Hemminger
From: Stephen Hemminger @ 2008-06-30 17:36 UTC (permalink / raw)
  To: Andreas Henriksson; +Cc: stephen.hemminger, netdev, Andrew France, 488430

On Sun, 29 Jun 2008 11:56:49 +0200
Andreas Henriksson <andreas@fatal.se> wrote:

> Hi Stephen and others interested!
> 
> Could you please have a look at lnstat. We got a bugreport in Debian
> about it segfaulting. It happens for me too on my workstation (amd64),
> which is also my internet gateway at home, but not on my laptop (i386).
> 
> I can't figure out what's going on. The segfault only happens when
> lnstat is compiled with at least -O1. It seems like the fp->params array
> is getting corrupted at 65th element inside build_hdr_string() at the
> first for loop where memory is malloced and memset. That seems totally
> unrelated to me though, could it be something like use of freed memory?
> I have no clue...
> 
> In case you can't reproduce, I've made a tarball of my /proc/net/stat
> and attached, which I hope helps.
> 
> PS. any news on the debian front (stuff sent to 488430@bugs.debian.org)
> will be available through http://bugs.debian.org/488430 (and other
> problems at http://bugs.debian.org/iproute ).

The problem is that MAX_FIELDS is 64, but lnstat is finding 71 fields.
This causes an array out of range problem.

Just bump MAX_FIELDS to 128
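
The failure described in this reply, as an added example that is not part of the original thread and is not iproute2 code: a header line with 71 names is split into a table with room for 64, and the bound is tested before each store so the excess names are counted instead of written past the array. The struct, the function names and the canary member are hypothetical; only MAX_FIELDS = 64 and the 71-field count come from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 64              /* the limit named in the thread */

struct field_table {               /* hypothetical stand-in for lnstat's table */
	const char *name[MAX_FIELDS];
	unsigned long canary;      /* sits directly behind the array */
	int num;
};

/* Split a whitespace-separated header line in place. The bound is checked
 * before every store. Returns how many names did not fit (0 = all stored). */
static int parse_header(char *line, struct field_table *ft)
{
	int dropped = 0;
	char *p = line;

	ft->num = 0;
	for (;;) {
		p += strspn(p, " \t\n");           /* skip separators */
		if (!*p)
			break;
		char *tok = p;
		p += strcspn(p, " \t\n");          /* find end of the name */
		if (*p)
			*p++ = '\0';
		if (ft->num >= MAX_FIELDS) {       /* check first, then write */
			dropped++;
			continue;
		}
		ft->name[ft->num++] = tok;
	}
	return dropped;
}

/* Build a constructed header "f0 f1 ... f<n-1>" and parse it.
 * Returns the number of dropped names, or -1 if the canary was overwritten. */
static int demo(int nfields, int *stored)
{
	static char line[1024];
	struct field_table ft = { .canary = 0xC0FFEEUL };
	size_t off = 0;

	line[0] = '\0';
	for (int i = 0; i < nfields; i++)
		off += snprintf(line + off, sizeof(line) - off, "f%d ", i);
	int dropped = parse_header(line, &ft);
	*stored = ft.num;
	return ft.canary == 0xC0FFEEUL ? dropped : -1;
}

int main(void)
{
	int stored, dropped = demo(71, &stored);
	printf("stored=%d dropped=%d\n", stored, dropped);
	return 0;
}
```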


* Re: [Fwd: Bug#488430: iproute: lnstat causes segmentation fault]
  2008-06-30 17:36 ` Stephen Hemminger
@ 2008-06-30 18:20   ` Andreas Henriksson
From: Andreas Henriksson @ 2008-06-30 18:20 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: netdev, Andrew France, 488430

On Mon, 2008-06-30 at 10:36 -0700, Stephen Hemminger wrote:
> The problem is that MAX_FIELDS is 64, but lnstat is finding 71 fields.
> This causes an array out of range problem.
> 
> Just bump MAX_FIELDS to 128

Oh, stupid me to not catch that when I was thinking it used un-allocated
memory and all...
Here's a patch that prevents the overflow and throws a warning instead.


diff --git a/misc/lnstat.c b/misc/lnstat.c
index b56598a..5a0c349 100644
--- a/misc/lnstat.c
+++ b/misc/lnstat.c
@@ -121,6 +121,10 @@ static int map_field_params(struct lnstat_file *lnstat_files,
 				if (!fps->params[j].print.width)
 					fps->params[j].print.width =
 							FIELD_WIDTH_DEFAULT;
+				if (j >= MAX_FIELDS) {
+					fprintf(stderr, "WARN: MAX_FIELDS (%d) reached, truncating input data.\n", MAX_FIELDS);
+					break;
+				}
 				j++;
 			}
 		}
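
Review bot: The new `if (j >= MAX_FIELDS)` test in map_field_params() comes after the context lines above it have already read and written `fps->params[j].print.width`, so the out-of-range access happens before the `break` can stop it. Because the test also precedes `j++`, j = MAX_FIELDS - 1 passes, is incremented to MAX_FIELDS, and the next pass touches `params[MAX_FIELDS]` before the warning fires. Move the test to the point where `fps->params[j]` is first used in this loop body (or into the loop condition), and wrap the fprintf line, which runs well past 80 columns.
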
@@ -269,8 +273,10 @@ int main(int argc, char **argv)
 				for (tok = strtok(tmp, ",");
 				     tok;
 				     tok = strtok(NULL, ",")) {
-					if (fp.num >= MAX_FIELDS)
+					if (fp.num >= MAX_FIELDS) {
+						fprintf(stderr, "WARN: MAX_FIELDS (%d) reached, truncating given keys.\n", MAX_FIELDS);
 						break;
+					}
 					fp.params[fp.num++].name = tok;
 				}
 				break;
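
Review bot: In the strtok loop in main(), the added warning reports that keys were truncated but not which ones or how many, and the program then carries on with a shortened key list the user did not ask for. Since these names come from the command line, consider naming the first dropped key in the message, or treating the overflow as a usage error and exiting non-zero. The check itself is correctly placed before the `fp.params[fp.num++].name = tok` store; the fprintf line exceeds 80 columns and should be wrapped.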

-- 
Regards,
Andreas Henriksson
