Package: ifupdown
Version: 0.8.6
Tags: patch
User: [email protected]
Usertags: origin-ubuntu ubuntu-patch xenial
Hello,

In https://launchpad.net/bugs/1532722 it was reported that since per-interface locking was introduced, ifquery sometimes crashes here:

| #1  0x00013032 in strncpy (__len=80, __src=<optimized out>, __dest=0xbe86aa70 "lo") at /usr/include/arm-linux-gnueabihf/bits/string3.h:126
| No locals.
| #2  do_interface (target_iface=<optimized out>) at main.c:846
|         iface = "lo", '\000' <repeats 77 times>
|         liface = "lo", '\000' <repeats 77 times>
|         pch = <optimized out>
|         envname = "IFUPDOWN_lo\000\000\000\000\000\070\000\000\000[\000\000\000n\000\000\000\005\000\000\000\000\320\362\266\003\000\000\000\000\000\000\000\344\240\002\000\000\000\000\000\204\t\001\000\220S\366\266PX\366\266\001\000\000\000\000\000\000\000\267\277\364\266\000\320\362\266\001\000\000\000\001\000\000\000\000\000\000\000\003\000\000\000\f\240\344\266 \242\002\000\220~\001\000\t\000\000\000\000\000\000\000\220\240\311\000`\240\311\000h\247\002\000\t\000\000\000\b\240\311\000\220\240\311\000οΊ€\002\000\210\242\311\000\004\000\000\000\337S\001\000\000\000\000"
|         siface = <optimized out>
|         envval = <optimized out>
|         piface = "lo", '\000' <repeats 77 times>
|         plock = 0x0
|         success = false
|         lock = 0x0
|         current_state = 0x1 <error: Cannot access memory at address 0x1>
|         __PRETTY_FUNCTION__ = "do_interface"
|         have_mapping = <optimized out>
|         okay = <optimized out>
|         failed = <optimized out>
| #3  0x00011994 in main (argc=<optimized out>, argv=0xbe86ade8) at main.c:1146
|         i = 0
|         success = true

The full analysis is on the Launchpad bug, but I give a summary: The problem starts in do_interface():

    char *current_state;
    lock = lock_interface(iface, &current_state);

current_state is a stack variable and thus could have a random value. It seems to be NULL on my amd64 build, but the crashes were reported on ARM where it just happened to be 0x01 (see above stack trace).
Calling lock_interface() failed because /run/network/ifstate.lo does not exist (yet), and thus lock == NULL (see stack trace), and current_state does not get written to as that's an early exit path in lock_interface(). Then do_interface progresses into the "else if (cmds == iface_query)" branch, current_state != NULL is satisfied, and strncpy() gets called on the uninitialized value.

This is reproducible by explicitly initializing it to a bogus value:

    char *current_state = (char*) 1;

then

    $ sudo rm /run/network/ifstate.lo
    $ ./ifquery lo

crashes in this manner.

The fix is trivial; I'll send it in a followup once I get the bug number from this report.

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
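The pattern behind this crash, as an added C illustration that is not part of the report or of ifupdown's own code: a lock helper in the buggy shape (early exit without ever writing its out-parameter) next to the fixed shape, plus a caller mirroring the query branch. All names, the `file_exists` flag standing in for the ifstate file check, and the state string "lo=lo" are hypothetical stand-ins.

```c
#include <string.h>

typedef struct { int unused; } iface_lock;   /* hypothetical lock object */
static iface_lock the_lock;

/* Buggy shape: missing state file -> early return with *current_state
 * never written, so the caller keeps whatever garbage was on its stack. */
iface_lock *lock_interface_buggy(int file_exists, const char *s, char **current_state)
{
    if (!file_exists) return NULL;          /* out-parameter untouched */
    *current_state = (char *)s;
    return &the_lock;
}

/* Fixed shape: out-parameter defined on every path (equivalently, the
 * caller initialises `char *current_state = NULL;` before the call). */
iface_lock *lock_interface_fixed(int file_exists, const char *s, char **current_state)
{
    *current_state = NULL;
    if (!file_exists) return NULL;
    *current_state = (char *)s;
    return &the_lock;
}

/* Mirrors the "cmds == iface_query" branch: copy the state into a fixed
 * buffer if there is one. Returns 1 if copied, 0 if there was no state. */
int query_state(const char *current_state, char *out, size_t outlen)
{
    if (current_state == NULL) return 0;
    strncpy(out, current_state, outlen - 1);
    out[outlen - 1] = '\0';
    return 1;
}

/* The report's condition, checked without dereferencing: (char *)1 survives
 * the failed lock, so query_state() would strncpy() from address 0x1. */
int buggy_keeps_garbage_pointer(void)
{
    char *current_state = (char *)1;        /* the bogus value from the report */
    iface_lock *lock = lock_interface_buggy(0, "lo=lo", &current_state);
    return lock == NULL && current_state == (char *)1;
}

/* Same caller with the fixed helper: "no state" is reported, no crash. */
int fixed_reports_no_state(void)
{
    char *current_state = (char *)1, buf[80];
    iface_lock *lock = lock_interface_fixed(0, "lo=lo", &current_state);
    return lock == NULL && query_state(current_state, buf, sizeof buf) == 0;
}
```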