Hi,
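ntpd crashed on my laptop with a segmentation fault. cstr->addr is NULL when
constraint_query() passes it to memcpy() at constraint.c:208; cstr->addr_head.a
is NULL as well. Note that cstr->state already reads STATE_QUERY_SENT only
because line 205 sets it just before the failing memcpy(). According to
process accounting, ntpd had been running for a while before it crashed.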
ntpd[43355] - _ntp __ 0.06 secs Thu Mar 14 10:57 (41:41:32.00)
ntpd[81566] -F root __ 0.28 secs Thu Mar 14 10:57 (41:39:28.00)
ntpd[5567] -DXT _ntp __ 0.02 secs Thu Mar 14 10:57 (41:39:28.00)
-rw-r--r-- 1 root wheel 1583504 Mar 16 03:36 5567.core
constraint.c (the line marked with * is the one that crashed):
204 cstr->last = now;
205 cstr->state = STATE_QUERY_SENT;
206
207 memset(&am, 0, sizeof(am));
* 208 memcpy(&am.a, cstr->addr, sizeof(am.a));
209 am.synced = synced;
210
211 iov[iov_cnt].iov_base = &am;
212 iov[iov_cnt++].iov_len = sizeof(am);
Core was generated by `ntpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000006db7eb7fea0 in memcpy (dst0=0x7b224d08a0e8, src0=<optimized out>,
length=272) at /usr/src/lib/libc/string/memcpy.c:103
103 TLOOP(*(word *)dst = *(word *)src; src += wsize; dst += wsize);
(gdb) bt
#0 0x000006db7eb7fea0 in memcpy (dst0=0x7b224d08a0e8, src0=<optimized out>,
length=272) at /usr/src/lib/libc/string/memcpy.c:103
#1 0x000006d915308864 in constraint_query (cstr=0x6db756f4000, synced=0) at
/usr/src/usr.sbin/ntpd/constraint.c:208
#2 0x000006d9152ff753 in ntp_main (nconf=<optimized out>, pw=<optimized out>,
argc=<optimized out>, argv=<optimized out>)
at /usr/src/usr.sbin/ntpd/ntp.c:330
#3 0x000006d9152fd07a in main (argc=<optimized out>, argv=<optimized out>) at
/usr/src/usr.sbin/ntpd/ntpd.c:224
(gdb) frame 1
#1 0x000006d915308864 in constraint_query (cstr=0x6db756f4000, synced=0) at
/usr/src/usr.sbin/ntpd/constraint.c:208
208 memcpy(&am.a, cstr->addr, sizeof(am.a));
(gdb) print *cstr
value of type `constraint' requires 65704 bytes, which is more than
max-value-size
(gdb) print cstr->entry
$3 = {tqe_next = 0x0, tqe_prev = 0x6dba8b72000}
(gdb) print cstr->addr_head
$4 = {name = 0x6db60004850 "www.google.com", path = 0x6db600041c0 "/", a = 0x0,
pool = 2 '\002'}
(gdb) print cstr->addr
$5 = (struct ntp_addr *) 0x0
(gdb) print cstr->senderrors
$6 = 0
(gdb) print cstr->state
$7 = STATE_QUERY_SENT
(gdb) print cstr->id
$11 = 209
(gdb) print cstr->fd
$12 = -1
(gdb) print cstr->pid
$13 = 0
(gdb) print cstr->ibuf
value of type `imsgbuf' requires 65600 bytes, which is more than max-value-size
(gdb) print cstr->last
$14 = 146373
(gdb) print cstr->constraint
$15 = 0
(gdb) print cstr->dnstries
$16 = 0
bluhm