NetBSD-Bugs archive
bin/59504: dhcpd crashes on arm64eb regularly, now an ASAN enabled one has some details
>Number: 59504
>Category: bin
>Synopsis: dhcpd crashes on arm64eb regularly, now an ASAN enabled one has some details
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 03 01:50:00 +0000 2025
>Originator: matthew green
>Release: netbsd 10.1
>Organization:
>Environment:
rockpro64 running arm64eb
>Description:
i've seen occasional crashes in dhcpd for a while now and i've patched
my sources to avoid the crashes, but more recently, the latest hack
appears to cause it to become non-functional without crashing, so i
built the dhcp code with ASAN enabled, and while it took a while for
the problem to occur, it has reported a use-after-free that occurs in
the code area i've seen crashes.
the patch i've most recently been using is below; i think it is the
second NULL check in the last chunk, the most recent addition
here, that seems to lead to hangs, not crashes. the weird part is that
the logs i've added don't seem to be triggering -- at least, i'm not
seeing anything on stderr/out or syslog (i've been running it with -f
in a shell window lately.)
Index: dist/common/options.c
===================================================================
RCS file: /cvsroot/src/external/mpl/dhcp/dist/common/options.c,v
retrieving revision 1.7.2.1
diff -p -r1.7.2.1 options.c
*** dist/common/options.c 2 Feb 2025 15:03:46 -0000 1.7.2.1
--- dist/common/options.c 25 Jun 2025 04:19:02 -0000
*************** cons_options(struct packet *inpacket, st
*** 768,773 ****
--- 768,778 ----
if (hash) {
for (pp = hash[i]; pp; pp = pp->cdr) {
op = (struct option_cache *)(pp->car);
+ if (op == NULL) {
+ log_error ("Null pointer in op: %s(%d)",
+ __func__, __LINE__);
+ continue;
+ }
if (op->option->code <
cfg_options->site_code_min &&
priority_len < PRIORITY_COUNT &&
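Review bot: a NULL check on `op` cannot catch the failure the ASAN report further down describes, which is a heap-use-after-free READ in evaluate_data_expression reached from store_options out of cons_options (options.c:840), i.e. a pointer that is non-NULL but already freed; in that case the check passes straight through, and in the NULL case the `continue` silently drops an option from the reply instead of failing the request. The submitter's observation that the log_error lines never fire is consistent with this. The check is harmless as defence, but the fix has to address the lifetime of the option_cache / data expression, not its nullness.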
*************** cons_options(struct packet *inpacket, st
*** 789,794 ****
--- 794,804 ----
if (hash != NULL)
for (pp = hash[i]; pp; pp = pp->cdr) {
op = (struct option_cache *)(pp->car);
+ if (op == NULL) {
+ log_error ("Null pointer in op: %s(%d)",
+ __func__, __LINE__);
+ continue;
+ }
if (op->option->code >=
cfg_options->site_code_min &&
priority_len < PRIORITY_COUNT &&
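Review bot: this is the same check as in the previous hunk, duplicated verbatim with the same log text, so only the `__LINE__` value distinguishes the two messages once they appear in syslog. If both checks stay, fold them into one small static helper or say in the message which pass (below or at/above site_code_min) logged it, e.g. `"Null pointer in op (site-local pass): %s(%d)"`, so the line number does not have to be matched against a particular revision of the file. Same caveat as above on `continue`: an option is dropped from the reply silently.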
*************** struct option_cache *lookup_hashed_optio
*** 2500,2505 ****
--- 2510,2525 ----
hashix = compute_option_hash (code);
for (bptr = hash [hashix]; bptr; bptr = bptr -> cdr) {
+ if (bptr -> car == NULL) {
+ log_error ("Null pointer in bptr -> cdr: %s(%d)",
+ __func__, __LINE__);
+ continue;
+ }
+ if (((struct option_cache *)(bptr -> car)) -> option == NULL) {
+ log_error ("Null pointer in bptr -> cdr -> option: %s(%d)",
+ __func__, __LINE__);
+ continue;
+ }
if (((struct option_cache *)(bptr -> car)) -> option -> code ==
code)
return (struct option_cache *)(bptr -> car);
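Review bot: the log strings in this hunk do not name the fields actually tested: the first check tests `bptr -> car` but logs "Null pointer in bptr -> cdr", and the second tests `((struct option_cache *)(bptr -> car)) -> option` but logs "bptr -> cdr -> option". Suggest `"Null pointer in bptr -> car: %s(%d)"` and `"Null pointer in bptr -> car -> option: %s(%d)"` so the message points at the right place. Also note that the second check has to dereference `bptr -> car` to read `-> option`; if that cache entry has already been freed, the read in the check is itself a use-after-free, so like the earlier hunks it can only ever detect a genuine NULL, never a stale pointer, which matches the submitter's note that this second check coincides with hangs rather than crashes.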
---
here's what ASAN has to say about the crash that happened earlier today:
=================================================================
==11198==ERROR: AddressSanitizer: heap-use-after-free on address 0xfffff7214d14 at pc 0xfffffb410a3c bp 0xffffedbb31e0 sp 0xffffedbb3258
READ of size 4 at 0xfffff7214d14 thread T11
#0 0xfffffb410a38 in __interceptor_memcpy /usr/10/src/external/gpl3/gcc/dist/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:808
#1 0xe3274 in evaluate_data_expression /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/tree.c:1532
#2 0xe7ff8 in store_options /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:1458
#3 0xe8d34 in cons_options /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:840
#4 0x4ebbc in dhcp_reply /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:3973
#5 0x5c6ac in ack_lease /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:3587
#6 0x627d0 in dhcprequest /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:768
#7 0x63d08 in dhcp /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:261
#8 0xec0bc in do_packet /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:4101
#9 0xd621c in got_one /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/discover.c:1159
#10 0x10a234 in omapi_iscsock_cb /usr/10/src/external/mpl/dhcp/lib/omapip/../../dist/omapip/dispatch.c:172
#11 0x26cdd8 in internal_fdwatch_read /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3208
#12 0x26cdd8 in dispatch_recv /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:2718
#13 0x26cdd8 in process_fd /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3279
#14 0x26cdd8 in process_fds /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3326
#15 0x26cdd8 in netthread /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3613
#16 0x2994c8 in isc__trampoline_run /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/trampoline.c:215
#17 0xfffffb35db50 in pthread__create_tramp /usr/10/src/lib/libpthread/pthread.c:595
#18 0xfffffa9f9528 in __mknod50 ??:?
0xfffff7214d14 is located 4 bytes inside of 12-byte region [0xfffff7214d10,0xfffff7214d1c)
freed by thread T8 here:
==11198==AddressSanitizer CHECK failed: /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_descriptions.cc:176 "((res.trace)) != (0)" (0x0, 0x0)
#0 0xfffffb3fe31c in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_rtl.cc:72
#1 0xfffffb4e40d0 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/10/src/external/gpl3/gcc/dist/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
#2 0xfffffb409808 in __asan::GetStackTraceFromId(unsigned int) /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_descriptions.cc:176 (discriminator 1)
#3 0xfffffb40b198 in __asan::HeapAddressDescription::Print() const /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_descriptions.cc:424
#4 0xfffffb4092b4 in __asan::AddressDescription::Print(char const*) const /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_descriptions.h:233
#5 0xfffffb4092b4 in __asan::ErrorGeneric::Print() /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_errors.cc:576
#6 0xfffffb4f0d64 in __asan::ScopedInErrorReport::~ScopedInErrorReport() /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_report.cc:140 (discriminator 1)
#7 0xfffffb405ebc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/10/src/external/gpl3/gcc/dist/libsanitizer/asan/asan_report.cc:458
#8 0xfffffb410a58 in __interceptor_memcpy /usr/10/src/external/gpl3/gcc/dist/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:808
#9 0xe3274 in evaluate_data_expression /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/tree.c:1532
#10 0xe7ff8 in store_options /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:1458
#11 0xe8d34 in cons_options /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:840
#12 0x4ebbc in dhcp_reply /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:3973
#13 0x5c6ac in ack_lease /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:3587
#14 0x627d0 in dhcprequest /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:768
#15 0x63d08 in dhcp /usr/10/src/external/mpl/dhcp/bin/server/../../dist/server/dhcp.c:261
#16 0xec0bc in do_packet /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/options.c:4101
#17 0xd621c in got_one /usr/10/src/external/mpl/dhcp/lib/common/../../dist/common/discover.c:1159
#18 0x10a234 in omapi_iscsock_cb /usr/10/src/external/mpl/dhcp/lib/omapip/../../dist/omapip/dispatch.c:172
#19 0x26cdd8 in internal_fdwatch_read /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3208
#20 0x26cdd8 in dispatch_recv /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:2718
#21 0x26cdd8 in process_fd /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3279
#22 0x26cdd8 in process_fds /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3326
#23 0x26cdd8 in netthread /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/unix/socket.c:3613
#24 0x2994c8 in isc__trampoline_run /usr/10/src/external/mpl/dhcp/bind/lib/libisc/../../dist/lib/isc/trampoline.c:215
#25 0xfffffb35db50 in pthread__create_tramp /usr/10/src/lib/libpthread/pthread.c:595
#26 0xfffffa9f9528 in __mknod50 ??:?
>How-To-Repeat:
run dhcpd on arm64eb.
>Fix:
not yet known. i've been seeing this problem for a while but this is the
first real info i have about what is going wrong. (the code itself is kind
of obtuse, though lisp-people may have a better time? :-)