[Bug 1384943] Re: [SRU] Pinger crashes with segfault in libc
Marco Bettio
marco.bettio at lattonedil.it
Wed Dec 17 10:40:26 UTC 2014
I downloaded the 6.2 source package and recompiled it on my Ubuntu 14.04 trusty system, but now pinger has some problems:
It seems that if pinger receives a Packet Too Big ICMPv6 packet while it is pinging an IPv6 address, it runs into strange errors. Here is what I found in the log after activating debug:
2014/12/17 11:06:20.182| cc(206) SendEcho: x=40
2014/12/17 11:06:20.182| c(116) Log: pingerLog: 1418810780.182442 [2a00:1450:4002:801::1016] 0
2014/12/17 11:06:20.204| cc(263) Recv: 40 bytes from [2a00:1450:4002:801::1016]
2014/12/17 11:06:20.204| c(116) Log: pingerLog: 1418810780.204457 [2a00:1450:4002:801::1016] 129 Echo Reply 22ms 1 hops
2014/12/17 11:06:20.204| nger.cc(235) SendResult: return result to squid. len=78
2014/12/17 11:06:20.577| cc(263) Recv: 282 bytes from [2001:1418:100:84df:1::1]
2014/12/17 11:06:20.578| cc(306) Recv: [2001:1418:100:84df:1::1] said: 2/0 Packet Too Big
*** Error in `(pinger)': munmap_chunk(): invalid pointer: 0x00007f5550efb260 ***
2014/12/17 11:17:24.223| nger.cc(213) Recv: Pass [2a00:1450:4002:801::1016] off to ICMPv6 module.
2014/12/17 11:17:24.223| cc(194) SendEcho: Send Icmp6 packet to [2a00:1450:4002:801::1016].
2014/12/17 11:17:24.223| cc(206) SendEcho: x=40
2014/12/17 11:17:24.224| c(116) Log: pingerLog: 1418811444.223975 [2a00:1450:4002:801::1016] 0
2014/12/17 11:17:24.246| cc(263) Recv: 40 bytes from [2a00:1450:4002:801::1016]
2014/12/17 11:17:24.246| c(116) Log: pingerLog: 1418811444.246856 [2a00:1450:4002:801::1016] 129 Echo Reply 23ms 1 hops
2014/12/17 11:17:24.247| nger.cc(235) SendResult: return result to squid. len=78
2014/12/17 11:17:24.618| cc(263) Recv: 282 bytes from [2001:1418:100:84df:1::1]
2014/12/17 11:17:24.618| cc(306) Recv: [2001:1418:100:84df:1::1] said: 2/0 Packet Too Big
*** Error in `(pinger)': free(): invalid size: 0x00007f32eb024260 ***
2014/12/17 11:19:27.987| nger.cc(213) Recv: Pass [2a00:1450:4002:801::1015] off to ICMPv6 module.
2014/12/17 11:19:27.987| cc(194) SendEcho: Send Icmp6 packet to [2a00:1450:4002:801::1015].
2014/12/17 11:19:27.987| cc(206) SendEcho: x=40
2014/12/17 11:19:27.987| c(116) Log: pingerLog: 1418811567.987412 [2a00:1450:4002:801::1015] 0
2014/12/17 11:19:28.004| cc(263) Recv: 282 bytes from [2001:1418:100:84df:1::1]
2014/12/17 11:19:28.004| cc(306) Recv: [2001:1418:100:84df:1::1] said: 2/0 Packet Too Big
*** Error in `(pinger)': double free or corruption (out): 0x00007f155f608260 ***
2014/12/17 11:20:14| recv: (111) Connection refused
2014/12/17 11:20:14| Closing Pinger socket on FD 28
After every one of these errors pinger exits. If I restart squid I run
into the error again, since my IPv6 is a tunnel and I can get a lot of
these ICMP packets too.
https://bugs.launchpad.net/bugs/1384943
Title:
[SRU] Pinger crashes with segfault in libc
Status in squid3 package in Ubuntu:
Fix Released
Status in squid3 source package in Trusty:
Fix Released
Status in squid3 source package in Utopic:
Fix Released
Bug description:
[Description]
Malformed ICMP packets were accepted into processing with undefined
and potentially nasty results.
Both sets of flaws can result in a pinger segmentation fault and halt
the Squid functionality relying on pinger for correct operation.
A backtrace obtained from a failing guest shows
#0 0x00007f6e3833cb4a in __strcmp_sse2 () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f6e38369971 in __tzfile_compute (timer=1415395716, use_localtime=<optimized out>, leap_correct=0x7ffff810be00,
leap_hit=0x7ffff810bdf0, tp=0x7f6e38679de0 <_tmbuf>) at tzfile.c:786
#2 0x00007f6e38368547 in __tz_convert () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f6e38dc2683 in _db_print(char const*, ...) ()
#4 0x00007f6e38dc300b in Debug::finishDebug() ()
#5 0x00007f6e38dc0581 in IcmpPinger::Recv (this=0x7f6e38fd1680 <control>) at IcmpPinger.cc:190
#6 0x00007f6e38dbf04e in main (argc=<optimized out>, argv=<optimized out>) at pinger.cc:223
Dissecting the trace, it appears that the number of bytes read in the
IcmpPinger::Recv method is < 0 (error), but no validation is performed
on the read data, thus a segfault is triggered.
This patch handles most of these cases by bounds-checking all the recv
values; the ICMP type-checking routines are also improved to properly
handle only existing types.
[Test Case]
- Install latest squid3 from archive.
- Enable ICMP pinger.
- Wait for some anomalous ICMP response to come from any origin server.
- Then the pinger process will segfault with an error like this:
Nov 8 06:28:56 gd2mrbp001 kernel: [1543874.494491] pinger[8802]: segfault at 0 ip 00007fd276d6bb4a sp 00007fff11711908 error 4 in libc-2.19.so[7fd276ce4000+1bb000]
- After applying this patch, I have run this over 10 times without
experiencing this issue anymore.
[Other Customer information]
After upgrading Ubuntu from 12.something to the 14.04 LTS release, my squid proxy did not work any longer.
It often happens that sites take quite long to load and in the end there is a connection problem.
Just in these moments I can see the following happen in dmesg output:
[4611237.325605] pinger[15651]: segfault at 0 ip 00007f6db12aeb4a sp 00007fff2552ad68 error 4 in libc-2.19.so[7f6db1227000+1bb000]
[4611258.022931] init: squid3 main process (32738) killed by ABRT signal
[4611258.022968] init: squid3 main process ended, respawning
I already tried to reinstall squid3 and glibc and I build the squid3
packages on the machine just in case there was something wrong with my
glibc.
I am using Ubuntu 14.04.1 LTS.
The squid version is
squid3 3.3.8-1ubuntu6.1
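The fix outlined in the bug description (check the recv() result before touching the buffer, and act only on known ICMP types) in working form. This is an added example written for this page, not Squid's own pinger code; the function names, the verdict enum, the fixed-size payload copy and the two sample messages are this example's own assumptions, and the samples are constructed, not captured traffic. It also shows the second check a reader of the "Packet Too Big" log above would want: a reply larger than the destination buffer is rejected rather than copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define ICMP6_HDR_LEN              8u  /* type, code, checksum, 4-byte body */
#define ICMP6_TYPE_PACKET_TOO_BIG  2   /* RFC 4443 error message */
#define ICMP6_TYPE_ECHO_REPLY      129

enum icmp6_verdict {
    ICMP6_V_RECV_ERROR = 0,  /* recv() reported an error: nothing to parse */
    ICMP6_V_TRUNCATED,       /* shorter than an ICMPv6 header */
    ICMP6_V_ECHO_REPLY,      /* type 129: the reply the pinger waits for */
    ICMP6_V_PKT_TOO_BIG,     /* type 2: an error message, not a reply */
    ICMP6_V_UNKNOWN_TYPE     /* anything else: drop it */
};

/* Classify a raw ICMPv6 message. n is the value recv() returned, so it
 * is validated before a single byte of buf is dereferenced. */
enum icmp6_verdict classify_icmp6(const uint8_t *buf, ssize_t n)
{
    if (n < 0)
        return ICMP6_V_RECV_ERROR;
    if ((size_t)n < ICMP6_HDR_LEN)
        return ICMP6_V_TRUNCATED;
    switch (buf[0]) {
    case ICMP6_TYPE_ECHO_REPLY:     return ICMP6_V_ECHO_REPLY;
    case ICMP6_TYPE_PACKET_TOO_BIG: return ICMP6_V_PKT_TOO_BIG;
    default:                        return ICMP6_V_UNKNOWN_TYPE;
    }
}

/* Sequence number of an Echo Reply (header bytes 6-7), or -1 if the
 * message is not a complete Echo Reply. */
int icmp6_echo_seq(const uint8_t *buf, ssize_t n)
{
    if (classify_icmp6(buf, n) != ICMP6_V_ECHO_REPLY)
        return -1;
    return (buf[6] << 8) | buf[7];
}

/* Copy the Echo Reply payload (everything after the header) into a
 * caller-sized buffer. Returns bytes copied, or -1 if the message is not
 * an Echo Reply or the payload would not fit: an oversized message is
 * rejected instead of overrunning dst. */
ssize_t icmp6_echo_payload(const uint8_t *buf, ssize_t n, uint8_t *dst, size_t dstlen)
{
    if (classify_icmp6(buf, n) != ICMP6_V_ECHO_REPLY)
        return -1;
    size_t payload = (size_t)n - ICMP6_HDR_LEN;
    if (payload > dstlen)
        return -1;
    memcpy(dst, buf + ICMP6_HDR_LEN, payload);
    return (ssize_t)payload;
}

/* Constructed sample messages (not captured traffic). Checksums are
 * left as zero; verifying them is outside the scope of this example. */
static const uint8_t SAMPLE_ECHO_REPLY[] = {
    129, 0, 0x00, 0x00,     /* type 129, code 0, checksum */
    0x12, 0x34, 0x00, 0x07, /* identifier 0x1234, sequence 7 */
    'p', 'i', 'n', 'g'      /* 4-byte payload */
};
static const uint8_t SAMPLE_PKT_TOO_BIG[] = {
    2, 0, 0x00, 0x00,       /* type 2, code 0, checksum */
    0x00, 0x00, 0x05, 0x00, /* MTU = 1280 */
    0x60, 0x00, 0x00, 0x00  /* start of the invoking packet */
};

int main(void)
{
    uint8_t payload[16];
    printf("recv error -> verdict %d\n", classify_icmp6(NULL, -1));
    printf("short msg  -> verdict %d\n", classify_icmp6(SAMPLE_ECHO_REPLY, 3));
    printf("echo reply -> seq %d, %zd payload bytes\n",
           icmp6_echo_seq(SAMPLE_ECHO_REPLY, sizeof SAMPLE_ECHO_REPLY),
           icmp6_echo_payload(SAMPLE_ECHO_REPLY, sizeof SAMPLE_ECHO_REPLY,
                              payload, sizeof payload));
    printf("too big    -> verdict %d\n",
           classify_icmp6(SAMPLE_PKT_TOO_BIG, sizeof SAMPLE_PKT_TOO_BIG));
    return 0;
}
```

The two checks are deliberately separate: classify_icmp6 makes the length decision once, at the top, so every later accessor can index the header without repeating it, and icmp6_echo_payload compares the payload length against the caller's buffer before memcpy, which is the check whose absence turns an unexpectedly large message into heap corruption.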