Debian Bug report logs - #810779
ifquery segfaults when interface cannot be locked
Reported by: Martin Pitt <martin.pitt@ubuntu.com>
Date: Tue, 12 Jan 2016 07:03:02 UTC
Severity: normal
Tags: patch
Found in version ifupdown/0.8.6
Fixed in version ifupdown/0.8.8
Done: Guus Sliepen <guus@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Guus Sliepen <guus@debian.org>:
Bug#810779; Package ifupdown.
(Tue, 12 Jan 2016 07:03:06 GMT)
Acknowledgement sent
to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Guus Sliepen <guus@debian.org>.
(Tue, 12 Jan 2016 07:03:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ifupdown
Version: 0.8.6
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch xenial
Hello,
In https://launchpad.net/bugs/1532722 it was reported that since
per-interface locking was introduced, ifquery sometimes crashes here:
| #1 0x00013032 in strncpy (__len=80, __src=<optimized out>, __dest=0xbe86aa70 "lo") at /usr/include/arm-linux-gnueabihf/bits/string3.h:126
| No locals.
| #2 do_interface (target_iface=<optimized out>) at main.c:846
| iface = "lo", '\000' <repeats 77 times>
| liface = "lo", '\000' <repeats 77 times>
| pch = <optimized out>
| envname = "IFUPDOWN_lo\000\000\000\000\000\070\000\000\000[\000\000\000n\000\000\000\005\000\000\000\000\320\362\266\003\000\000\000\000\000\000\000\344\240\002\000\000\000\000\000\204\t\001\000\220S\366\266PX\366\266\001\000\000\000\000\000\000\000\267\277\364\266\000\320\362\266\001\000\000\000\001\000\000\000\000\000\000\000\003\000\000\000\f\240\344\266 \242\002\000\220~\001\000\t\000\000\000\000\000\000\000\220\240\311\000`\240\311\000h\247\002\000\t\000\000\000\b\240\311\000\220\240\311\000ﺀ\002\000\210\242\311\000\004\000\000\000\337S\001\000\000\000\000"
| siface = <optimized out>
| envval = <optimized out>
| piface = "lo", '\000' <repeats 77 times>
| plock = 0x0
| success = false
| lock = 0x0
| current_state = 0x1 <error: Cannot access memory at address 0x1>
| __PRETTY_FUNCTION__ = "do_interface"
| have_mapping = <optimized out>
| okay = <optimized out>
| failed = <optimized out>
| #3 0x00011994 in main (argc=<optimized out>, argv=0xbe86ade8) at main.c:1146
| i = 0
| success = true
The full analysis is on the Launchpad bug, but I give a summary: The
problem starts in do_interface():
char *current_state;
lock = lock_interface(iface, &current_state);
current_state is a stack variable and thus could have a random value.
It seems to be NULL on my amd64 build, but the crashes were reported
on ARM where it just happened to be 0x01 (see above stack trace).
Calling lock_interface() failed because /run/network/ifstate.lo does
not exist (yet), and thus lock == NULL (see stack trace), and
current_state does not get written to as that's an early exit path in
lock_interface(). Then do_interface progresses into the "else if (cmds
== iface_query)" branch, current_state != NULL is satisfied, and
strncpy() gets called on the uninitialized value.
This is reproducible by explicitly initializing it to a bogus value:
char *current_state = (char*) 1;
then
$ sudo rm /run/network/ifstate.lo
$ ./ifquery lo
crashes in this manner.
The fix is trivial, I'll send it in a followup once I get the bug
number from this report.
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
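Added example, not part of the original report and not ifupdown's code or the attached patch: a minimal C model of the out-parameter problem described in message #5, comparing an uninitialised caller slot with a NULL-initialised one and with a callee that defines the out-parameter on every path. model_lock_interface(), would_copy_state() and the file path are hypothetical; the bogus value (char *)1 is the one the reporter used to reproduce the crash.

```c
#include <stdio.h>

/* Hypothetical stand-in for lock_interface() as the report describes it:
 * when the state file cannot be opened it returns NULL early and never
 * writes *state. With clear_first set, it models a hardened callee that
 * defines the out-parameter on every path. */
static FILE *model_lock_interface(const char *path, char **state, int clear_first)
{
    static char buf[80];
    FILE *f;

    if (clear_first)
        *state = NULL;
    f = fopen(path, "r");
    if (!f)
        return NULL;                     /* early exit path */
    *state = fgets(buf, sizeof buf, f) ? buf : NULL;
    return f;
}

/* Models the query branch of the caller. 'initial' stands for whatever the
 * stack slot happened to hold. Returns 1 if the caller would pass
 * current_state to strncpy(), 0 if it would skip the copy. The pointer is
 * only compared here, never dereferenced. */
int would_copy_state(const char *path, char *initial, int clear_first)
{
    char *current_state = initial;
    FILE *lock = model_lock_interface(path, &current_state, clear_first);
    int copies = (current_state != NULL);

    if (lock)
        fclose(lock);
    return copies;
}

int main(void)
{
    const char *missing = "/nonexistent-dir/ifstate.lo";  /* constructed path */

    printf("garbage slot, original callee: %d\n", would_copy_state(missing, (char *)1, 0));
    printf("NULL-initialised slot:         %d\n", would_copy_state(missing, NULL, 0));
    printf("garbage slot, hardened callee: %d\n", would_copy_state(missing, (char *)1, 1));
    return 0;
}
```

Building with -Wall -Wextra, or running under Valgrind or MemorySanitizer, is a common way to catch reads of uninitialised locals like this one before they reach users.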
Information forwarded
to debian-bugs-dist@lists.debian.org, Guus Sliepen <guus@debian.org>:
Bug#810779; Package ifupdown.
(Tue, 12 Jan 2016 07:15:03 GMT)
Acknowledgement sent
to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Guus Sliepen <guus@debian.org>.
(Tue, 12 Jan 2016 07:15:03 GMT)
Message #10 received at 810779@bugs.debian.org:
Hello again,
as promised, the patch.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
[0001-Fix-ifquery-crash-if-interface-state-file-does-not-e.patch (text/x-diff, attachment)]
Reply sent
to Guus Sliepen <guus@debian.org>:
You have taken responsibility.
(Tue, 12 Jan 2016 23:21:17 GMT)
Notification sent
to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.
(Tue, 12 Jan 2016 23:21:18 GMT)
Message #15 received at 810779-close@bugs.debian.org:
Source: ifupdown
Source-Version: 0.8.8
We believe that the bug you reported is fixed in the latest version of
ifupdown, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 810779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guus Sliepen <guus@debian.org> (supplier of updated ifupdown package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 12 Jan 2016 23:50:29 +0100
Source: ifupdown
Binary: ifupdown
Architecture: source amd64
Version: 0.8.8
Distribution: unstable
Urgency: medium
Maintainer: Guus Sliepen <guus@debian.org>
Changed-By: Guus Sliepen <guus@debian.org>
Description:
ifupdown - high level tools to configure network interfaces
Closes: 761909 810656 810779
Changes:
ifupdown (0.8.8) unstable; urgency=medium
.
[ Martin Pitt ]
* Fix ifquery crash if interface state file does not exist yet.
(Closes: #810779, LP: #1532722)
* ifup@.service: Avoid stopping on shutdown via stopping system-ifup.slice
(changed behaviour in systemd 228). (Closes: #761909, LP: #1492546)
.
[ Guus Sliepen ]
* Remove quotes around TimeoutStartSec parameter. Closes: #810656
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 15 Feb 2016 07:34:14 GMT)