ACK on the debdiffs, thanks! I've slightly modified the whitespace in the changelog and have added the bug number, and have uploaded it to wily, and to the other releases for processing by the SRU team.
** Tags removed: verification-done

** Changed in: ntp (Ubuntu Wily)
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1481388

Title:
  NTP : Use-after-free in routing socket code after dropping root

Status in NTP:
  Unknown
Status in ntp package in Ubuntu:
  Fix Committed
Status in ntp source package in Precise:
  In Progress
Status in ntp source package in Trusty:
  In Progress
Status in ntp source package in Vivid:
  In Progress
Status in ntp source package in Wily:
  Fix Committed
Status in ntp package in Debian:
  Unknown

Bug description:
  [Impact]

   * User experienced repeated segfaults at the same instruction pointer

     i/o error on routing socket No buffer space available - disabling
     segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

  The remove_ and delete_ functions remove the current element from the
  asyncio_reader_list, and free it, respectively. We then return back to
  the loop at the top, wherein the asyncio_reader variable still points
  at the now-freed element, whose contents are (in theory) now scrambled
  by having link pointers, etc, from internal malloc state overlaying
  the data.

  [Test Case]

  You can easily reproduce the bug by:

   - Lowering the sysctl value net.core.rmem_max

     $ sysctl -w net.core.wmem_max=<LOWER_VALUE>

     This sets the max OS send buffer size for all types of connections.

   - Adding multiple network interfaces and static routes.

  [Regression Potential]

  None expected since the fix is already available upstream
  (https://github.com/ntp-project/ntp.git) and in the Debian package.

  If, after installing the patch, users are receiving this kind of
  message in /var/log/syslog: "routing socket reports: No buffer space
  available", the next step would be to increase the
  "net.core.rmem_max" and "net.core.wmem_max" values equally until the
  "routing socket reports: No buffer space available" message no longer
  shows up.

  [Other Info]

  NTP upstream (https://github.com/ntp-project/ntp.git)

   [Bug 2224] Use-after-free in routing socket code after dropping root.
     - Commit: d6df9d3

   [Bug 2890] Ignore ENOBUFS on routing netlink socket.
     - Commit: db47bd4

  The use-after-free bug has been fixed in the Debian release (closes:
  #795315). Will submit the ignore-ENOBUFS-on-routing-netlink-socket
  change in Debian in the next days.

  [Original Description]

  We have 1 server (among hundreds) whose ntp service is crashing.

  A few minutes/seconds after a start attempt we can see the following
  in syslog:

     ntpd[2729]: peers refreshed
     ntpd[2729]: Listening on routing socket on fd #49 for interface updates
     ntpd[2729]: i/o error on routing socket No buffer space available - disabling
     kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

  OS: Ubuntu 12.04.4 LTS
  Kernel: 3.11.0-19-generic

  I tried to compare it to other servers, and the only thing I could
  find that is different is that while it's up (before it crashes) I can
  see the following when running "lsof | grep ntp":

     ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol.
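The [Impact] section above describes a loop that keeps using a list element after an error path has unlinked and freed it. The following is an added illustration of that pattern and the usual remedy (saving the successor before the call that may free the element); it is not ntpd's code or the upstream patch, and the names struct reader, add_reader, remove_and_free and service_readers are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a reader-list entry; not ntpd's own struct. */
struct reader {
    struct reader *link;
    int fd;
    int fail;   /* constructed flag: simulate an I/O error on this fd */
};

static struct reader *reader_list;   /* list head */

static void add_reader(int fd, int fail) {
    struct reader *r = calloc(1, sizeof *r);
    if (r == NULL) abort();
    r->fd = fd; r->fail = fail;
    r->link = reader_list;
    reader_list = r;
}

/* Unlink r from the list and free it, as an error path would. */
static void remove_and_free(struct reader *r) {
    struct reader **pp = &reader_list;
    while (*pp != NULL && *pp != r) pp = &(*pp)->link;
    if (*pp == r) *pp = r->link;
    free(r);
}

/* Unsafe shape: the loop step reads r->link after r may have been freed:
 *     for (r = reader_list; r != NULL; r = r->link)
 *         if (r->fail) remove_and_free(r);
 * Safe shape: capture the successor before the call that can free r. */
static int service_readers(void) {
    int serviced = 0;
    struct reader *r = reader_list, *next;
    while (r != NULL) {
        next = r->link;              /* saved while r is still valid */
        if (r->fail) remove_and_free(r);
        else serviced++;
        r = next;
    }
    return serviced;
}

int main(void) {
    /* Constructed sample: fd 4 fails in the middle of the list. */
    add_reader(3, 0); add_reader(4, 1); add_reader(5, 0);
    return service_readers() == 2 ? 0 : 1;
}
```

Building the unsafe shape with -fsanitize=address reports the read of the freed element on the first failing entry, which makes this class of bug visible even when the freed memory has not yet been reused.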