Discussion:
static PIE & corrupted trace
Martin Pieuchot
2017-07-11 12:45:36 UTC
Binaries linked with '-static -pie' produce unusable core dumps at least
on amd64. This is a real problem to debug isakmpd(8)/iked(8) crashing on
production machines.

With the diff below, I trigger a NULL-dereference in ntpd(8). When
compiled with '-static -pie' I obtain the following trace:

# gdb /sbin/ntpd /var/crash/ntpd/34857.core
#0 0x000010249cd0ca32 in ?? ()
(gdb) bt
#0 0x000010249cd0ca32 in ?? ()
#1 0x000010276a411300 in ?? ()
#2 0x000010249d0e9540 in ?? ()
#3 0x0000000000004000 in ntp_main (nconf=0x3, pw=0x8f5, argc=Variable "argc" is not available.) at /usr/src/usr.sbin/ntpd/ntp.c:215
#4 0x38efae2bb7a38b39 in ?? ()
#5 0x000010270b35ec00 in ?? ()
#6 0x00000000000016f6 in dispatch_imsg (lconf=0x38efae2bb7a38b39, argc=-1664058825, argv=0x10270b35ec00) at /usr/src/usr.sbin/ntpd/ntpd.c:393
#7 0x000000005959fe2b in ?? ()
#8 0x00000000372f8819 in ?? ()
#9 0x000000005959a297 in ?? ()
#10 0x0000000000000000 in ?? ()

When compiled with '-static -nopie' or by default, I obtain the correct
trace:

# gdb /sbin/ntpd /var/crash/ntpd/94479.core
(gdb) bt
#0 constraint_query (cstr=0x0) at /usr/src/usr.sbin/ntpd/constraint.c:151
#1 0x000000000040413c in ntp_main (nconf=Variable "nconf" is not available.) at /usr/src/usr.sbin/ntpd/ntp.c:336
#2 0x0000000000402079 in main (argc=0, argv=Variable "argv" is not available.) at /usr/src/usr.sbin/ntpd/ntpd.c:193


Index: Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/Makefile,v
retrieving revision 1.16
diff -u -p -r1.16 Makefile
--- Makefile 20 Nov 2015 18:53:42 -0000 1.16
+++ Makefile 11 Jul 2017 12:33:24 -0000
@@ -16,4 +16,5 @@ DPADD+= ${LIBUTIL} ${LIBCRYPTO} ${LIBSSL
LINKS= ${BINDIR}/ntpd ${BINDIR}/ntpctl
MAN= ntpd.8 ntpd.conf.5 ntpctl.8

+LDSTATIC= ${STATIC}
.include <bsd.prog.mk>
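Review bot: the `LDSTATIC= ${STATIC}` line is a reproduction switch, not part of any fix, and nothing in the diff says so; it makes the ntpd link inherit whatever STATIC is set to so the binary can be built '-static -pie' as described in the mail. Either keep it out of anything that gets committed or add a one-line comment above it marking it test-only, so it is not read as a proposal to change how ntpd is linked in base.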
Index: ntp.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
retrieving revision 1.146
diff -u -p -r1.146 ntp.c
--- ntp.c 30 May 2017 23:30:48 -0000 1.146
+++ ntp.c 11 Jul 2017 12:28:50 -0000
@@ -331,6 +331,8 @@ ntp_main(struct ntpd_conf *nconf, struct
ctls = i;

TAILQ_FOREACH(cstr, &conf->constraints, entry) {
+ if (arc4random() % 2)
+ cstr = NULL;
if (constraint_query(cstr) == -1)
continue;
}
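Review bot: the `cstr = NULL` assignment is deliberate fault injection to provoke the crash and should carry a comment saying so, since as written nothing distinguishes it from a real change. It also clobbers the TAILQ_FOREACH cursor: even if constraint_query() tolerated a NULL and returned -1, the `continue` would run the loop's advance step on cstr and dereference NULL there instead, so the crash site would only move. The `% 2` also means roughly half the constraints are skipped on a run that happens not to crash, which is fine for a reproducer but worth stating next to the code.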
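The two traces in the mail differ in ways that can be checked mechanically before anyone spends time on a core: a resolved innermost frame versus `?? ()`, return addresses that are canonical amd64 user addresses versus values like 0x4000, 0x16f6 or 0x38efae2bb7a38b39, and pointer arguments that look like pointers versus `nconf=0x3`. The following checker is an added example, not code from the thread or from the OpenBSD tree; it applies exactly those criteria to pasted `bt` output. The two sample traces are copied from the mail above, while the canonical-address limit (0x0000800000000000) and the 64 KiB low-address cutoff are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A gdb "bt" frame looks like "#N 0xADDR in func (args) at file:line"; for a resolved
# innermost frame gdb omits the address and prints "#0 func (args) at file:line".
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:(?P<pc>0x[0-9a-f]+)\s+in\s+)?(?P<func>\S+)\s+"
    r"\((?P<args>.*)\)(?:\s+at\s+(?P<loc>\S+))?\s*$",
    re.IGNORECASE,
)
# gdb prints pointer arguments in hex and plain integers in decimal, so only the
# hex-valued arguments are expected to look like addresses.
HEX_ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+)", re.IGNORECASE)

# Assumed thresholds (mine, not from the thread): an amd64 user-space address must be
# canonical, i.e. below 0x0000800000000000, and nothing legitimate is mapped in the
# first 64 KiB, so a pc or pointer in either range means the unwinder lost its way.
AMD64_USER_LIMIT = 0x0000_8000_0000_0000
LOW_ADDR_LIMIT = 0x10000

# Sample input copied from the mail: the '-static -pie' core and the '-static -nopie' one.
STATIC_PIE_TRACE = """\
#0 0x000010249cd0ca32 in ?? ()
(gdb) bt
#0 0x000010249cd0ca32 in ?? ()
#1 0x000010276a411300 in ?? ()
#2 0x000010249d0e9540 in ?? ()
#3 0x0000000000004000 in ntp_main (nconf=0x3, pw=0x8f5, argc=Variable "argc" is not available.) at /usr/src/usr.sbin/ntpd/ntp.c:215
#4 0x38efae2bb7a38b39 in ?? ()
#5 0x000010270b35ec00 in ?? ()
#6 0x00000000000016f6 in dispatch_imsg (lconf=0x38efae2bb7a38b39, argc=-1664058825, argv=0x10270b35ec00) at /usr/src/usr.sbin/ntpd/ntpd.c:393
#7 0x000000005959fe2b in ?? ()
#8 0x00000000372f8819 in ?? ()
#9 0x000000005959a297 in ?? ()
#10 0x0000000000000000 in ?? ()
"""
NOPIE_TRACE = """\
(gdb) bt
#0 constraint_query (cstr=0x0) at /usr/src/usr.sbin/ntpd/constraint.c:151
#1 0x000000000040413c in ntp_main (nconf=Variable "nconf" is not available.) at /usr/src/usr.sbin/ntpd/ntp.c:336
#2 0x0000000000402079 in main (argc=0, argv=Variable "argv" is not available.) at /usr/src/usr.sbin/ntpd/ntpd.c:193
"""


@dataclass
class Frame:
    no: int
    pc: Optional[int]
    func: str
    args: str
    loc: Optional[str]
    hard: List[str] = field(default_factory=list)  # impossible values: stack walk is broken
    soft: List[str] = field(default_factory=list)  # unresolved only: could be missing symbols


def parse_backtrace(text: str) -> List[Frame]:
    """Extract frames from pasted gdb output; prompts and non-frame lines are skipped."""
    frames: List[Frame] = []
    seen = set()
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m or int(m["no"]) in seen:
            continue  # not a frame, or the "#0" gdb repeats when it first loads the core
        seen.add(int(m["no"]))
        pc = int(m["pc"], 16) if m["pc"] else None
        frames.append(Frame(int(m["no"]), pc, m["func"], m["args"], m["loc"]))
    return frames


def _plausible_address(v: int) -> bool:
    return LOW_ADDR_LIMIT <= v < AMD64_USER_LIMIT


def check_frame(f: Frame) -> None:
    if f.func == "??":
        f.soft.append("pc does not resolve to a symbol")
    if f.pc is not None and not _plausible_address(f.pc):
        f.hard.append("pc 0x%x cannot be user text on amd64" % f.pc)
    for name, val in HEX_ARG_RE.findall(f.args):
        if int(val, 16) != 0 and not _plausible_address(int(val, 16)):  # NULL is a real crash value
            f.hard.append("argument %s=%s is not a plausible pointer" % (name, val))


def assess_backtrace(text: str) -> Tuple[bool, List[Frame]]:
    """(usable, frames): usable when the faulting frame resolves and no frame carries an
    impossible address; unresolved outer frames alone do not condemn a trace."""
    frames = parse_backtrace(text)
    for f in frames:
        check_frame(f)
    usable = bool(frames) and not frames[0].soft and not any(f.hard for f in frames)
    return usable, frames


if __name__ == "__main__":
    for label, trace in (("-static -pie", STATIC_PIE_TRACE), ("-static -nopie", NOPIE_TRACE)):
        usable, frames = assess_backtrace(trace)
        print("%s: %s" % (label, "usable" if usable else "CORRUPTED"))
        for f in frames:
            for problem in f.hard + f.soft:
                print("  #%d %s: %s" % (f.no, f.func, problem))
```

Run as a script it prints a verdict per trace and the reason for each flagged frame; fed the '-static -pie' trace it reports frames #3, #4, #6 and #10 as carrying impossible addresses and the innermost frame as unresolved, and accepts the '-nopie' trace. The split between hard and soft findings matters in practice: a trace through a stripped library legitimately shows `?? ()` frames, so only addresses that cannot exist in an amd64 process are treated as proof that the unwinder went wrong.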
Mark Kettenis
2017-07-12 17:06:48 UTC
> Date: Tue, 11 Jul 2017 14:45:36 +0200
>
> Binaries linked with '-static -pie' produce unusable core dumps at least
> on amd64. This is a real problem to debug isakmpd(8)/iked(8) crashing on
> production machines.

Did you try using the gdb from ports?
Martin Pieuchot
2017-07-12 17:54:11 UTC
Post by Mark Kettenis
>> Date: Tue, 11 Jul 2017 14:45:36 +0200
>>
>> Binaries linked with '-static -pie' produce unusable core dumps at least
>> on amd64. This is a real problem to debug isakmpd(8)/iked(8) crashing on
>> production machines.
>
> Did you try using the gdb from ports?

It works with egdb. Any idea of the amount of effort to backport the
fix?
Mark Kettenis
2017-07-12 18:11:51 UTC
> Date: Wed, 12 Jul 2017 19:54:11 +0200
>
> Post by Mark Kettenis
>>> Date: Tue, 11 Jul 2017 14:45:36 +0200
>>>
>>> Binaries linked with '-static -pie' produce unusable core dumps at least
>>> on amd64. This is a real problem to debug isakmpd(8)/iked(8) crashing on
>>> production machines.
>>
>> Did you try using the gdb from ports?
>
> It works with egdb. Any idea of the amount of effort to backport the
> fix?

I think I decided that it was too much effort.
