[pkg-ntp-maintainers] Bug#887385: ntpd segfaults with libc6 from stretch-proposed-updates

Frederic Endner-Dühr fendner+debian at mpi-klsb.mpg.de
Mon Jan 15 19:30:02 UTC 2018


Package: ntp
Version: 1:4.2.8p10+dfsg-3+deb9u1
Severity: important

Dear Maintainers,

Running ntpd with stretch-proposed-updates configured in APT's sources can
cause an immediate segfault on certain machines. Inspecting a core dump as
well as the kernel log hints that the error actually happens somewhere in
libc, rather than ntpd's own code.

I suppose that the current version of libc6 from stretch-proposed-updates
somehow triggers a bug in ntpd which has already been handled upstream [1].
Applying the upstream patch [2] to the current ntp source package from stable
seems to provide a remedy. However, I did not yet have the chance to fully
evaluate the fix on a large scale, so I can't comment on security or stability
aspects.

Please also note that the issue might be dependent on specific platform
details (e.g. "cpu features", as discussed upstream [1]), which probably
explains why I found machines where ntpd started normally, instead of behaving
as described above.

Best,
   Frederic


[1]: <http://bugs.ntp.org/show_bug.cgi?id=3391>
[2]: <http://bugs.ntp.org/attachment.cgi?id=1512>



# ulimit -c unlimited
# /usr/sbin/ntpd
Segmentation fault (core dumped)

# dmesg | tail -n 1
[   66.788751] ntpd[1502]: segfault at 7fb5623e5fa0 ip 00007fb5621d23e5 sp 00007fb5623e5fa0 error 6 in ld-2.24.so[7fb5621c9000+23000]

# gdb /usr/sbin/ntpd core

...

Reading symbols from /usr/sbin/ntpd...(no debugging symbols found)...done.
[New LWP 1502]
[New LWP 1501]

warning: Unexpected size of section `.reg-xstate/1502' in core file.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/ntpd'.
Program terminated with signal SIGSEGV, Segmentation fault.

warning: Unexpected size of section `.reg-xstate/1502' in core file.
#0  do_lookup_x (undef_name=undef_name@entry=0x7fb560c35ca2 "strlen", new_hash=new_hash@entry=479443869, old_hash=old_hash@entry=0x7fb5623e60e0, ref=0x7fb560c34770, result=result@entry=0x7fb5623e60f0, scope=0x7fb5623ee428, i=0, version=0x55662cdce7b8, flags=5, skip=0x0, type_class=1, undef_map=0x55662cdce160)
    at dl-lookup.c:355
355	dl-lookup.c: No such file or directory.
[Current thread is 1 (Thread 0x7fb5623e8700 (LWP 1502))]
(gdb) backtrace
#0  do_lookup_x (undef_name=undef_name@entry=0x7fb560c35ca2 "strlen", new_hash=new_hash@entry=479443869, old_hash=old_hash@entry=0x7fb5623e60e0, ref=0x7fb560c34770, result=result@entry=0x7fb5623e60f0, scope=0x7fb5623ee428, i=0, version=0x55662cdce7b8, flags=5, skip=0x0, type_class=1, undef_map=0x55662cdce160)
    at dl-lookup.c:355
#1  0x00007fb5621d30c1 in _dl_lookup_symbol_x (undef_name=0x7fb560c35ca2 "strlen", undef_map=0x55662cdce160, ref=ref@entry=0x7fb5623e61a8, symbol_scope=0x55662cdce4b8, version=0x55662cdce7b8, type_class=type_class@entry=1, flags=5, skip_map=0x0) at dl-lookup.c:833
#2  0x00007fb5621d7c54 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized out>) at ../elf/dl-runtime.c:111
#3  0x00007fb5621df35a in _dl_runtime_resolve_xsavec () at ../sysdeps/x86_64/dl-trampoline.h:125
#4  0x00007fb560c44ae5 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#5  0x00007fb560c451da in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#6  0x00007fb56116dc04 in __GI___dl_iterate_phdr (callback=0x7fb560c44da0, data=0x7fb5623e6d40) at dl-iteratephdr.c:76
#7  0x00007fb560c4611e in _Unwind_Find_FDE () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#8  0x00007fb560c42b13 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#9  0x00007fb560c43d30 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#10 0x00007fb560c44336 in _Unwind_ForcedUnwind () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#11 0x00007fb5613fdd60 in __GI___pthread_unwind (buf=<optimized out>) at unwind.c:121
#12 0x00007fb5613f3c5a in __do_cancel () at ./pthreadP.h:283
#13 sigcancel_handler (sig=<optimized out>, si=0x7fb5623e7370, ctx=<optimized out>) at nptl-init.c:220
#14 <signal handler called>
#15 0x00007fb56110728d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
#16 0x00007fb5611071da in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#17 0x000055662ba1d762 in ?? ()
#18 0x00007fb5613f5494 in start_thread (arg=0x7fb5623e8700) at pthread_create.c:333
#19 0x00007fb561137acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97




-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/64 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ntp depends on:
ii  adduser    3.115
ii  dpkg       1.18.24
ii  libc6      2.24-11+deb9u2
ii  libcap2    1:2.25-1
ii  libedit2   3.1-20160903-3
ii  libopts25  1:5.18.12-3
ii  libssl1.1  1.1.0f-3+deb9u1
ii  lsb-base   9.20161125
ii  netbase    5.4

Versions of packages ntp recommends:
ii  perl  5.24.1-3+deb9u2

Versions of packages ntp suggests:
pn  ntp-doc  <none>

-- no debconf information


