
touch-packages team mailing list archive

[Bug 1481388] Re: NTP : Use-after-free in routing socket code after dropping root

 

I was able to reproduce the problem on PRECISE (12.04) by lowering the
kernel parameter value "net.core.rmem_max".

And then tested my .deb build on my PPA[1] with the following upstream
commits:

- d6df9d3 [Bug 2224] Use-after-free in routing socket code after dropping root.
- db47bd4 [Bug 2890] Ignore ENOBUFS on routing netlink socket.

What does the patch do?
===
The program first "reads" from the fd. On success, the number of bytes written into buf is
returned. On error, the call returns -1 and sets errno.

If the call returns -1, then there is a verification to validate if
errno == ENOBUFS,

and then it sends the following message to syslog: "routing socket reports:
No buffer space available"

Otherwise, if errno is NOT ENOBUFS, then it closes the socket
(remove_asyncio_reader(reader);) and frees the memory space
(delete_asyncio_reader(reader);)

And sends the following message to syslog: "i/o error on routing socket
No buffer space available - disabling"

Before this patch, no matter what the errno was, the socket was automatically
close()d and free()d without validating whether it was ENOBUFS or not.

To summarize, the patch allows the program to not close() and free() the socket when an errno == ENOBUFS occurs, but still sends a message to syslog to notify the administrator.
=== 

If, after installing the patch, you are receiving this kind of message in
/var/log/syslog: "routing socket reports: No buffer space available",
the next step would be to increase the "net.core.rmem_max" and
"net.core.wmem_max" values equally until the "routing socket reports: No
buffer space available" message no longer shows up.


[1] 1:4.2.6.p3+dfsg-1ubuntu3.4+20150820lp1481388~2
https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1481388

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
  NTP : Use-after-free in routing socket code after dropping root

Status in ntp package in Ubuntu:
  Confirmed
Status in ntp source package in Trusty:
  Confirmed
Status in ntp source package in Wily:
  Confirmed

Bug description:
  We have 1 server (among hundreds) whose ntp service is crashing.

  A few minutes/seconds after a start attempt we can see the following in syslog:
  ntpd[2729]: peers refreshed
  ntpd[2729]: Listening on routing socket on fd #49 for interface updates
  ntpd[2729]: i/o error on routing socket No buffer space available - disabling
  kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

  OS: Ubuntu 12.04.4 LTS
  Kernel: 3.11.0-19-generic

  I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
  ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions
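
The error handling described in the message above, as an added example that is not ntpd's code or part of the original message. `struct reader`, `read_fn`, `enum rt_status` and the fault injectors are hypothetical, and `close()`/`free()` stand in for `remove_asyncio_reader()`/`delete_asyncio_reader()`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical stand-in for the asyncio reader; read_fn lets a test inject errors. */
struct reader {
    int fd;
    ssize_t (*read_fn)(int, void *, size_t);
};
enum rt_status { RT_DATA, RT_TRANSIENT, RT_DISABLED };

/* ENOBUFS is logged and the reader stays registered; any other error closes
 * and frees it, and *rp is set to NULL so the caller cannot reuse it. */
enum rt_status process_routing_msgs(struct reader **rp)
{
    struct reader *r = *rp;
    char buf[4096];
    ssize_t cnt = r->read_fn(r->fd, buf, sizeof(buf));
    int err = errno;                       /* save before any other call */

    if (cnt >= 0)
        return RT_DATA;                    /* cnt bytes of routing messages */
    if (err == ENOBUFS) {
        syslog(LOG_ERR, "routing socket reports: %s", strerror(err));
        return RT_TRANSIENT;
    }
    syslog(LOG_ERR, "i/o error on routing socket %s - disabling", strerror(err));
    if (r->fd >= 0)
        close(r->fd);
    free(r);
    *rp = NULL;
    return RT_DISABLED;
}

/* Constructed fault injectors, so the handler can be exercised offline. */
ssize_t fail_enobufs(int fd, void *b, size_t n) { (void)fd; (void)b; (void)n; errno = ENOBUFS; return -1; }
ssize_t fail_eio(int fd, void *b, size_t n) { (void)fd; (void)b; (void)n; errno = EIO; return -1; }

int main(void)
{
    struct reader *r = malloc(sizeof(*r));
    if (!r) return 1;
    r->fd = -1; r->read_fn = fail_enobufs;
    int s1 = process_routing_msgs(&r);     /* reader kept */
    r->read_fn = fail_eio;
    int s2 = process_routing_msgs(&r);     /* reader freed, r is now NULL */
    printf("%d %d %s\n", s1, s2, r ? "live" : "freed");
    return 0;
}
```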

