public inbox for glibc-bugs@sourceware.org
* [Bug libc/28349] New: Segfault for ping -R on qemux86 caused by recvmsg()
From: yi.zhao at windriver dot com @ 2021-09-18 6:18 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Bug ID: 28349
Summary: Segfault for ping -R on qemux86 caused by recvmsg()
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: yi.zhao at windriver dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
We encountered a segfault for ping -R on Yocto qemux86 (i686) with glibc 2.34.
Kernel: 5.10 and 5.13
Glibc: 2.34
ping: iputils-20210722
When the kernel parameter net.ipv4.ping_group_range is disabled, the ping -R
works well:
root@qemux86:~# cat /proc/sys/net/ipv4/ping_group_range
1 0
root@qemux86:~# uname -a
Linux qemux86 5.10.53-yocto-standard #1 SMP PREEMPT Sun Jul 25 15:15:01 UTC
2021 i686 i686 i386 GNU/Linux
root@qemux86:~#
root@qemux86:~# ping -c1 -R 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(124) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms
RR: 127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
However, the segfault occurs when net.ipv4.ping_group_range is enabled:
root@qemux86:~# echo "0 2147483647" > /proc/sys/net/ipv4/ping_group_range
root@qemux86:~#
root@qemux86:~# cat /proc/sys/net/ipv4/ping_group_range
0 2147483647
root@qemux86:~#
root@qemux86:~# ping -R 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(124) bytes of data.
Segmentation fault
root@qemux86:~#
This issue is introduced by glibc commit
13c51549e2077f2f3bf84e8fd0b46d8b0c615912:
commit 13c51549e2077f2f3bf84e8fd0b46d8b0c615912
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Mon Sep 7 17:08:46 2020 -0300
linux: Add fallback for 64-bit time_t SO_TIMESTAMP{NS}
Here are some gdb outputs:
$ gdb ping
Reading symbols from ping...
Reading symbols from /bin/.debug/ping.iputils...
(gdb) set args -R 127.0.0.1
(gdb) b main_loop
Breakpoint 1 at 0x8510: file ../git/ping/ping_common.c, line 558.
(gdb) r
Starting program: /bin/ping -R 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(124) bytes of data.
Breakpoint 1, main_loop (rts=0xbfffca30, fset=0x414068 <ping4_func_set>,
sock=0xbfffca00, packet=0x416310 "", packlen=192) at
../git/ping/ping_common.c:558
558 {
(gdb) n
572 if (rts->exiting)
(gdb)
574 if (rts->npackets && rts->nreceived + rts->nerrors >=
rts->npackets)
(gdb)
576 if (rts->deadline && rts->nerrors)
(gdb)
579 if (rts->status_snapshot)
(gdb)
584 next = pinger(rts, fset, sock);
(gdb)
585 next = schedule_exit(rts, next);
(gdb)
586 } while (next <= 0);
(gdb)
600 if (rts->opt_adaptive || rts->opt_flood_poll || next <
SCHINT(rts->interval)) {
(gdb)
641 iov.iov_len = packlen;
(gdb)
642 memset(&msg, 0, sizeof(msg));
(gdb)
643 msg.msg_name = addrbuf;
(gdb)
645 msg.msg_iov = &iov;
(gdb)
647 msg.msg_control = ans_data;
(gdb)
650 cc = recvmsg(sock->fd, &msg, polling);
(gdb) p msg
$1 = {msg_name = 0xbfffb3dc, msg_namelen = 128, msg_iov = 0xbfffb3b0,
msg_iovlen = 1, msg_control = 0xbfffb45c, msg_controllen = 4096, msg_flags = 0}
(gdb) s
__libc_recvmsg (fd=3, msg=0xbfffb3c0, flags=0) at
../sysdeps/unix/sysv/linux/recvmsg.c:25
25 {
(gdb) n
28 socklen_t orig_controllen = msg != NULL ? msg->msg_controllen : 0;
(gdb) n
34 r = SOCKETCALL_CANCEL (recvmsg, fd, msg, flags);
(gdb) p *msg
$2 = {msg_name = 0xbfffb3dc, msg_namelen = 128, msg_iov = 0xbfffb3b0,
msg_iovlen = 1, msg_control = 0xbfffb45c, msg_controllen = 4096, msg_flags = 0}
(gdb) n
38 if (r >= 0 && orig_controllen != 0)
(gdb) p *msg
$3 = {msg_name = 0xbfffb3dc, msg_namelen = 16, msg_iov = 0xbfffb3b0, msg_iovlen
= 1, msg_control = 0xbfffb45c, msg_controllen = 88, msg_flags = 0}
(gdb) n
39 __convert_scm_timestamps (msg, orig_controllen);
(gdb) n
42 return r;
(gdb) p *msg
$4 = {msg_name = 0xbfffb3dc, msg_namelen = 16, msg_iov = 0xbfffb3b0, msg_iovlen
= 1, msg_control = 0xbfffb45c, msg_controllen = 116, msg_flags = 0}
(gdb) n
main_loop (rts=0xbfffca30, fset=0x414068 <ping4_func_set>, sock=0xbfffca00,
packet=0x416310 "", packlen=192) at ../git/ping/ping_common.c:653
653 if (cc < 0) {
(gdb) n
674 for (c = CMSG_FIRSTHDR(&msg); c; c =
CMSG_NXTHDR(&msg, c)) {
(gdb) n
675 if (c->cmsg_level != SOL_SOCKET
||
(gdb) p *c
$5 = {cmsg_len = 20, cmsg_level = 1, cmsg_type = 29, __cmsg_data = 0xbfffb468
"$}Ea\327`"}
(gdb) n
678 if (c->cmsg_len <
CMSG_LEN(sizeof(struct timeval)))
(gdb) n
680 recv_timep = (struct timeval
*)CMSG_DATA(c);
(gdb) n
674 for (c = CMSG_FIRSTHDR(&msg); c; c =
CMSG_NXTHDR(&msg, c)) {
(gdb) n
675 if (c->cmsg_level != SOL_SOCKET
||
(gdb) p *c
$6 = {cmsg_len = 28, cmsg_level = 1, cmsg_type = 63, __cmsg_data = 0xbfffb47c
"$}Ea"}
(gdb) n
674 for (c = CMSG_FIRSTHDR(&msg); c; c =
CMSG_NXTHDR(&msg, c)) {
(gdb) n
675 if (c->cmsg_level != SOL_SOCKET
||
(gdb) p *c
$7 = {cmsg_len = 2132027143, cmsg_level = 2130771968, cmsg_type = 2130771968,
__cmsg_data = 0xbfffb498 ""}
(gdb) n
674 for (c = CMSG_FIRSTHDR(&msg); c; c =
CMSG_NXTHDR(&msg, c)) {
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x00408925 in __cmsg_nxthdr (__cmsg=0x3f13db94, __mhdr=0xbfffb3c0) at
/usr/include/bits/socket.h:322
322 || ((unsigned char *) __cmsg + CMSG_ALIGN (__cmsg->cmsg_len)
(gdb)
--
You are receiving this mail because:
You are on the CC list for the bug.
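The session above shows CMSG_NXTHDR faulting once it reaches the garbage header ($7) that __convert_scm_timestamps left behind. As an added illustration, not glibc or iputils code, the C below reconstructs a control buffer with the three headers gdb printed (the timestamp values and the trailing length are constructed) and walks it by remaining length, so a cmsg_len that cannot fit is reported instead of dereferenced:

```c
/* Added example for bug 28349, not glibc or iputils code: rebuilds a control
 * buffer shaped like gdb's $5, $6 and garbage $7 and walks it safely. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>

struct walk_result {
    size_t valid;    /* headers whose cmsg_len fits inside msg_controllen */
    bool corrupted;  /* a header with an impossible cmsg_len was found */
};

/* Check each header against the bytes left before trusting its cmsg_len;
 * offsets cannot wrap the way pointer + CMSG_ALIGN(2132027143) did. */
struct walk_result cmsg_walk_checked(const struct msghdr *mh)
{
    struct walk_result r = { 0, false };
    const unsigned char *base = mh->msg_control;
    size_t off = 0, len = mh->msg_controllen;
    while (len - off >= sizeof(struct cmsghdr)) {
        struct cmsghdr h;
        memcpy(&h, base + off, sizeof h);            /* alignment-safe read */
        if (h.cmsg_len < sizeof h || h.cmsg_len > len - off) {
            r.corrupted = true;                      /* stop, never deref */
            break;
        }
        r.valid++;
        if (CMSG_ALIGN(h.cmsg_len) > len - off)      /* padding past end */
            break;
        off += CMSG_ALIGN(h.cmsg_len);
    }
    return r;
}

static unsigned char ctrl[256];   /* stand-in for ping's ans_data */
/* Append one SOL_SOCKET header plus payload at *off. */
static void put_cmsg(size_t *off, int type, size_t len, const void *data)
{
    struct cmsghdr h = { CMSG_LEN(len), SOL_SOCKET, type };  /* len, level, type */
    memcpy(ctrl + *off, &h, sizeof h);
    memcpy(ctrl + *off + sizeof h, data, len);
    *off += CMSG_SPACE(len);
}

/* Types 29 (SO_TIMESTAMP), 63 (SO_TIMESTAMP_NEW) and the junk cmsg_len are the
 * values gdb printed; timestamps are constructed; msg_controllen runs past
 * the junk as the reported 116 did. */
struct walk_result walk_observed(void)
{
    struct timeval tv = { 1634235684, 0 };
    uint64_t tv64[2] = { 1634235684, 0 };      /* 64-bit __kernel_sock_timeval */
    struct cmsghdr junk = { .cmsg_len = 2132027143u };   /* $7, other fields 0 */
    size_t off = 0;
    memset(ctrl, 0, sizeof ctrl);
    put_cmsg(&off, 29, sizeof tv, &tv);
    put_cmsg(&off, 63, sizeof tv64, tv64);
    memcpy(ctrl + off, &junk, sizeof junk);
    struct msghdr mh = { .msg_control = ctrl, .msg_controllen = off + sizeof junk + 16 };
    return cmsg_walk_checked(&mh);
}
```

The walk returns two valid headers and flags the third, which is exactly where the macro-based loop in ping_common.c crashed.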
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: rwmacleod at gmail dot com @ 2021-11-29 19:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Randy Macleod <rwmacleod at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rwmacleod at gmail dot com
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: rwmacleod at gmail dot com @ 2021-11-29 20:01 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Randy Macleod <rwmacleod at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |adhemerval.zanella at linaro dot org
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fabian@ritter-vogt.de @ 2021-12-15 9:23 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Fabian Vogt <fabian@ritter-vogt.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fabian@ritter-vogt.de
--- Comment #1 from Fabian Vogt <fabian@ritter-vogt.de> ---
I encountered the same bug and narrowed it down to recvmsg corrupting the cmsg
buffer due to several bugs in the added __convert_scm_timestamps function. I'm
working on a patch to address those.
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fweimer at redhat dot com @ 2021-12-15 10:09 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Fabian Vogt from comment #1)
> I encountered the same bug and narrowed it down to recvmsg corrupting the
> cmsg buffer due to several bugs in the added __convert_scm_timestamps
> function. I'm working on a patch to address those.
Would you be able to help reviewing these patches?
[PATCH v3 0/2] Fix 64-bit time_t ancillary socket conversion
https://sourceware.org/pipermail/libc-alpha/2021-December/134088.html
I believe they are related.
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fabian@ritter-vogt.de @ 2021-12-15 10:12 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
--- Comment #3 from Fabian Vogt <fabian@ritter-vogt.de> ---
(In reply to Florian Weimer from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > I encountered the same bug and narrowed it down to recvmsg corrupting the
> > cmsg buffer due to several bugs in the added __convert_scm_timestamps
> > function. I'm working on a patch to address those.
>
> Would you be able to help reviewing these patches?
>
> [PATCH v3 0/2] Fix 64-bit time_t ancillary socket conversion
> https://sourceware.org/pipermail/libc-alpha/2021-December/134088.html
>
> I believe they are related.
The linked patch fixes one of the bugs I found, but not another one. What's the
way to proceed there, send a patch with just the missing fix?
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fabian@ritter-vogt.de @ 2021-12-15 10:13 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
--- Comment #4 from Fabian Vogt <fabian@ritter-vogt.de> ---
BTW: After clicking on "Save Changes" to add a comment on this bug, I end up on
the page for bug 28350 for some reason. Does anyone else have that weird
behaviour?
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fweimer at redhat dot com @ 2021-12-15 10:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Fabian Vogt from comment #3)
> (In reply to Florian Weimer from comment #2)
> > (In reply to Fabian Vogt from comment #1)
> > > I encountered the same bug and narrowed it down to recvmsg corrupting the
> > > cmsg buffer due to several bugs in the added __convert_scm_timestamps
> > > function. I'm working on a patch to address those.
> >
> > Would you be able to help reviewing these patches?
> >
> > [PATCH v3 0/2] Fix 64-bit time_t ancillary socket conversion
> > https://sourceware.org/pipermail/libc-alpha/2021-December/134088.html
> >
> > I believe they are related.
>
> The linked patch fixes one of the bugs I found, but not another one. What's
> the way to proceed there, send a patch with just the missing fix?
Comment on the mailing list thread and take it from there, I would say.
(In reply to Fabian Vogt from comment #4)
> BTW: After clicking on "Save Changes" to add a comment on this bug, I end up
> on the page for bug 28350 for some reason. Does anyone else have that weird
> behaviour?
By default, Bugzilla switches to the next bug in your search results. It's
something you can configure under Preferences (under “After changing a bug”).
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: fabian@ritter-vogt.de @ 2021-12-15 13:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
--- Comment #6 from Fabian Vogt <fabian@ritter-vogt.de> ---
(In reply to Florian Weimer from comment #5)
> (In reply to Fabian Vogt from comment #3)
> > (In reply to Florian Weimer from comment #2)
> > > (In reply to Fabian Vogt from comment #1)
> > > > I encountered the same bug and narrowed it down to recvmsg corrupting the
> > > > cmsg buffer due to several bugs in the added __convert_scm_timestamps
> > > > function. I'm working on a patch to address those.
> > >
> > > Would you be able to help reviewing these patches?
> > >
> > > [PATCH v3 0/2] Fix 64-bit time_t ancillary socket conversion
> > > https://sourceware.org/pipermail/libc-alpha/2021-December/134088.html
> > >
> > > I believe they are related.
> >
> > The linked patch fixes one of the bugs I found, but not another one. What's
> > the way to proceed there, send a patch with just the missing fix?
>
> Comment on the mailing list thread and take it from there, I would say.
Done: https://sourceware.org/pipermail/libc-alpha/2021-December/134193.html
> (In reply to Fabian Vogt from comment #4)
> > BTW: After clicking on "Save Changes" to add a comment on this bug, I end up
> > on the page for bug 28350 for some reason. Does anyone else have that weird
> > behaviour?
>
> By default, Bugzilla switches to the next bug in your search results. It's
> something you can configure under Preferences (under “After changing a bug”).
Thanks! What a strange default. My last search was from a day ago...
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: adhemerval.zanella at linaro dot org @ 2021-12-22 18:39 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |adhemerval.zanella at linaro dot org
* [Bug libc/28349] Segfault for ping -R on qemux86 caused by recvmsg()
From: adhemerval.zanella at linaro dot org @ 2022-01-28 21:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28349
Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Target Milestone|--- |2.35
Resolution|--- |FIXED
--- Comment #7 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed on 2.35.