On Tue, Mar 19, 2024 at 02:06:18PM +0100, Alexander Bluhm wrote:
> Hi,
>
> ntpd crashed on my laptop. cstr->addr is NULL. According to
> accounting it was running for a while.
>
> ntpd[43355] - _ntp __ 0.06 secs Thu Mar 14 10:57 (41:41:32.00)
> ntpd[81566] -F root __ 0.28 secs Thu Mar 14 10:57 (41:39:28.00)
> ntpd[5567] -DXT _ntp __ 0.02 secs Thu Mar 14 10:57 (41:39:28.00)
>
> -rw-r--r-- 1 root wheel 1583504 Mar 16 03:36 5567.core
>
> constraint.c
> 204 cstr->last = now;
> 205 cstr->state = STATE_QUERY_SENT;
> 206
> 207 memset(&am, 0, sizeof(am));
> * 208 memcpy(&am.a, cstr->addr, sizeof(am.a));
> 209 am.synced = synced;
> 210
> 211 iov[iov_cnt].iov_base = &am;
> 212 iov[iov_cnt++].iov_len = sizeof(am);
>
> Core was generated by `ntpd'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x000006db7eb7fea0 in memcpy (dst0=0x7b224d08a0e8, src0=<optimized out>,
> length=272) at /usr/src/lib/libc/string/memcpy.c:103
> 103 TLOOP(*(word *)dst = *(word *)src; src += wsize; dst +=
> wsize);
> (gdb) bt
> #0 0x000006db7eb7fea0 in memcpy (dst0=0x7b224d08a0e8, src0=<optimized out>,
> length=272) at /usr/src/lib/libc/string/memcpy.c:103
> #1 0x000006d915308864 in constraint_query (cstr=0x6db756f4000, synced=0) at
> /usr/src/usr.sbin/ntpd/constraint.c:208
> #2 0x000006d9152ff753 in ntp_main (nconf=<optimized out>, pw=<optimized
> out>, argc=<optimized out>, argv=<optimized out>)
> at /usr/src/usr.sbin/ntpd/ntp.c:330
> #3 0x000006d9152fd07a in main (argc=<optimized out>, argv=<optimized out>)
> at /usr/src/usr.sbin/ntpd/ntpd.c:224
> (gdb) frame 1
> #1 0x000006d915308864 in constraint_query (cstr=0x6db756f4000, synced=0) at
> /usr/src/usr.sbin/ntpd/constraint.c:208
> 208 memcpy(&am.a, cstr->addr, sizeof(am.a));
>
> (gdb) print *cstr
> value of type `constraint' requires 65704 bytes, which is more than
> max-value-size
> (gdb) print cstr->entry
> $3 = {tqe_next = 0x0, tqe_prev = 0x6dba8b72000}
> (gdb) print cstr->addr_head
> $4 = {name = 0x6db60004850 "www.google.com", path = 0x6db600041c0 "/", a =
> 0x0, pool = 2 '\002'}
> (gdb) print cstr->addr
> $5 = (struct ntp_addr *) 0x0
> (gdb) print cstr->senderrors
> $6 = 0
> (gdb) print cstr->state
> $7 = STATE_QUERY_SENT
> (gdb) print cstr->id
> $11 = 209
> (gdb) print cstr->fd
> $12 = -1
> (gdb) print cstr->pid
> $13 = 0
> (gdb) print cstr->ibuf
> value of type `imsgbuf' requires 65600 bytes, which is more than
> max-value-size
> (gdb) print cstr->last
> $14 = 146373
> (gdb) print cstr->constraint
> $15 = 0
> (gdb) print cstr->dnstries
> $16 = 0
>
> bluhm
>
I'll try to look into this, but the constraint state engine is very hard to follow...

-Otto