Hi Experts,

Could you please shed some light on this.

Our Dev engineer had analyzed the core files using the unstripped snmpd binary.
From the core analysis, we can see both the crashes happened due to memory 
corruption in snmp.

Attached the core backtrace logs for reference. Could you please help in this 
regard.

CORE1:

/net-snmp/5.7.3-r5.0/net-snmp-5.7.3/agent/mibgroup/ip-mib/data_access/systemstats_linux.c
    /*
     * try to open /proc/net/dev_snmp6 directory. If we can't, that's ok -
     * maybe it is not supported by the current running kernel.
     */
    if ((dev_snmp6_dir = opendir(DEV_SNMP6_DIRNAME)) == NULL) {
        /* <<< opendir uses malloc() to allocate memory and it is crashing */
        DEBUGMSGTL(("access:ifstats",
                    "Failed to load IPv6 IfStats Table (linux)\n"));
        return 0;
    }


CORE2:

/net-snmp/5.7.3-r5.0/net-snmp-5.7.3/snmplib/snmp_api.c

/*
* snmp_duplicate_objid: duplicates (mallocs) an objid based on the
* input objid
*/
oid            *
snmp_duplicate_objid(const oid * objToCopy, size_t objToCopyLen)
{
    oid            *returnOid;
    if (objToCopy != NULL && objToCopyLen != 0) {
        returnOid = (oid *) malloc(objToCopyLen * sizeof(oid));
        /* <<< Failing in malloc corruption */
        if (returnOid) {
            memcpy(returnOid, objToCopy, objToCopyLen * sizeof(oid));
        }
    } else
        returnOid = NULL;
    return returnOid;
}

Thanks,
Kiran

From: Kiran Kumar Pamula
Sent: 12 November 2019 14:23
To: net-snmp-users@lists.sourceforge.net
Subject: Crash at Net-snmp due to corrupted double-linked list

Hi Net-snmp team,

We are using Net-snmp 5.7.3 in our product and our customer has reported the 
below crash recently, although it was never hit in our internal tests.

Could you please confirm if this is any known issue and if a patch is available 
for the same.

[New LWP 31070]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/snmpd -f -Lsd -M+/sw/unicorn/snmp/mibs -Dtrap 
-Dusm -Dinit_mibs -I-sy'.
Program terminated with signal 6, Aborted.
#0 0x00007fc49e726f57 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:63
#0 0x00007fc49e726f57 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:63
resultvar = 0
pid = 31070
selftid = 31070
#1 0x00007fc49e728418 in __GI_abort () at abort.c:90
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x7ffdf25156ea, sa_sigaction = 
0x7ffdf25156ea}, sa_mask = {__val = {6, 140482449860288, 2, 140728668870398, 2, 
140482449851372, 1, 140482449860284, 3, 140728668870372, 12, 140482449860288, 
2, 140728668871184, 15, 140728668872944}}, sa_flags = 93, sa_restorer = 0x7}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fc49e764e3b in __libc_message (do_abort=do_abort@entry=2, 
fmt=fmt@entry=0x7fc49e8588a0 "*** glibc detected *** %s: %s: 0x%s ***\n") at 
../sysdeps/unix/sysv/linux/libc_fatal.c:197
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffdf2516100, 
reg_save_area = 0x7ffdf2516010}}
ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7ffdf2516100, 
reg_save_area = 0x7ffdf2516010}}
fd = 2
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007fc49e76a9be in malloc_printerr (ptr=<optimized out>, 
str=0x7fc49e855129 "corrupted double-linked list", action=3, ar_ptr=<optimized 
out>) at malloc.c:4855
buf = "00000000009cf690"
cp = <optimized out>
#4 malloc_printerr (action=3, str=0x7fc49e855129 "corrupted double-linked 
list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
No locals.
#5 0x00007fc49e76abc3 in malloc_consolidate (av=av@entry=0x7fc49ea93660 
<main_arena>) at malloc.c:4078
fb = <optimized out>
maxfb = 0x7fc49ea936b0 <main_arena+80>
p = 0x9cf690
nextp = 0x9cd1d0
unsorted_bin = 0x7fc49ea936b8 <main_arena+88>
first_unsorted = <optimized out>
nextchunk = 0x9cf8d0
size = 576
nextsize = 128
prevsize = <optimized out>
nextinuse = <optimized out>
bck = <optimized out>
fwd = <optimized out>
#6 0x00007fc49e76cb78 in _int_malloc (av=0x7fc49ea93660 <main_arena>, 
bytes=32816) at malloc.c:3374
nb = 32832
idx = <optimized out>
bin = <optimized out>
victim = <optimized out>
size = <optimized out>
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
errstr = 0x0
__func__ = "_int_malloc"
#7 0x00007fc49e76e1ac in __GI___libc_malloc (bytes=32816) at malloc.c:2874
ar_ptr = 0x7fc49ea93660 <main_arena>
victim = 0x6
__func__ = "__libc_malloc"
#8 0x00007fc49e7a5caa in __alloc_dir (fd=14, close_fd=<optimized out>, 
flags=<optimized out>, statp=<optimized out>) at ../sysdeps/unix/opendir.c:199
default_allocation = 32768
small_allocation = 8192
allocation = 32768
dirp = <optimized out>
#9 0x00007fc4a0018666 in ?? () from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#10 0x00007fc4a0018a00 in netsnmp_access_systemstats_container_arch_load () 
from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#11 0x00007fc4a0015ec7 in netsnmp_access_systemstats_container_load () from 
/usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#12 0x00007fc49ffeeabe in ipIfStatsTable_container_load () from 
/usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#13 0x00007fc4a03d6100 in ?? () from /usr/lib64/libnetsnmpagent.so.30
No symbol table info available.
#14 0x00007fc49fcd0357 in run_alarms () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#15 0x0000000000403d85 in ?? ()
No symbol table info available.
#16 0x00007fc49e713865 in __libc_start_main (main=0x4028f0, argc=20, 
ubp_av=0x7ffdf2516b88, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffdf2516b78) at libc-start.c:274
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -764479061368474344, 4212360, 
140728668875648, 0, 0, 765580028292920600, 787350082089547032}, mask_was_saved 
= 0}}, priv = {pad = {0x0, 0x0, 0x404950, 0x7ffdf2516b88}, data = {prev = 0x0, 
cleanup = 0x0, canceltype = 4213072}}}
not_first_call = <optimized out>
#17 0x00000000004046b1 in ?? ()
No symbol table info available.

Thanks,
Kiran
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
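Both backtraces in this thread end in glibc's allocator (malloc_consolidate reporting "corrupted double-linked list" under opendir, and malloc inside snmp_duplicate_objid). That message is glibc noticing that chunk metadata was overwritten some time earlier; the function that happens to call malloc next is the victim, not the culprit, so neither opendir nor snmp_duplicate_objid is where the overrun happened. The program below is an added example, not net-snmp code and not part of the original mails: a guard-word allocator (the names guarded_malloc, guarded_check, guarded_free and dup_objid_checked are made up for this illustration) that stores a magic header and trailer around every allocation so an off-by-one overrun is caught at the next check or free of that block, close to the bug, instead of surfacing as a later abort in an unrelated malloc call. The oid typedef is assumed to be unsigned long as on LP64 Linux.

```c
/* Added example (not net-snmp code): guard-word allocator that reports a
 * heap overrun on the block that was overrun, instead of leaving it for
 * glibc to trip over later in malloc_consolidate.
 * guarded_* and dup_objid_checked are hypothetical names for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long oid;   /* assumption: net-snmp's oid on LP64 Linux */

#define GUARD_HEAD 0xA5A5A5A5A5A5A5A5ULL
#define GUARD_TAIL 0x5A5A5A5A5A5A5A5AULL

struct guard_hdr {
    uint64_t magic;   /* detects underflow / header clobbering */
    size_t   len;     /* user-visible size, needed to locate the trailer */
};

/* Allocate len user bytes wrapped in a header and an 8-byte trailer. */
void *guarded_malloc(size_t len)
{
    struct guard_hdr *h;
    uint64_t tail = GUARD_TAIL;
    /* refuse sizes whose guard overhead would wrap around */
    if (len > SIZE_MAX - sizeof(*h) - sizeof(tail))
        return NULL;
    h = malloc(sizeof(*h) + len + sizeof(tail));
    if (h == NULL)
        return NULL;
    h->magic = GUARD_HEAD;
    h->len   = len;
    memcpy((unsigned char *)(h + 1) + len, &tail, sizeof(tail));
    return h + 1;
}

/* 0 = intact, 1 = header clobbered (underflow), 2 = trailer clobbered (overflow). */
int guarded_check(const void *p)
{
    const struct guard_hdr *h = (const struct guard_hdr *)p - 1;
    uint64_t tail;
    if (h->magic != GUARD_HEAD)
        return 1;
    memcpy(&tail, (const unsigned char *)p + h->len, sizeof(tail));
    return tail == GUARD_TAIL ? 0 : 2;
}

/* Frees only an intact block; a damaged block is reported (return code) and
 * deliberately leaked rather than handed back to glibc's free lists. */
int guarded_free(void *p)
{
    int rc = guarded_check(p);
    if (rc == 0)
        free((struct guard_hdr *)p - 1);
    return rc;
}

/* Same contract as snmp_duplicate_objid, plus a multiplication-overflow
 * check on n * sizeof(oid) before the allocation. */
oid *dup_objid_checked(const oid *src, size_t n)
{
    oid *dst;
    if (src == NULL || n == 0)
        return NULL;
    if (n > SIZE_MAX / sizeof(oid))   /* n * sizeof(oid) would wrap */
        return NULL;
    dst = guarded_malloc(n * sizeof(oid));
    if (dst != NULL)
        memcpy(dst, src, n * sizeof(oid));
    return dst;
}

/* Simulates a one-byte overrun on a duplicated OID. The stray byte lands in
 * our own trailer (part of the real allocation), so the demo itself is
 * well-defined; a real overrun would hit glibc's chunk metadata instead.
 * Returns 1 when the overrun is detected exactly as expected. */
int demo_overrun_detected(void)
{
    oid src[3] = {1, 3, 6};              /* constructed sample OID prefix */
    oid *dup = dup_objid_checked(src, 3);
    int before, after, rc;
    if (dup == NULL)
        return -1;
    before = guarded_check(dup);                        /* 0: intact */
    ((unsigned char *)dup)[3 * sizeof(oid)] = 0xFF;     /* one byte too far */
    after = guarded_check(dup);                         /* 2: trailer hit */
    rc = guarded_free(dup);                             /* refuses to free */
    if (rc != 0)
        free((struct guard_hdr *)dup - 1);              /* demo-only cleanup */
    return (before == 0 && after == 2 && rc == 2) ? 1 : 0;
}

int main(void)
{
    printf("overrun detected at the block: %s\n",
           demo_overrun_detected() == 1 ? "yes" : "no");
    return 0;
}
```

In practice the same effect is obtained without touching the code: running snmpd with MALLOC_CHECK_=3 makes glibc verify chunks on every malloc and free, and a build with -fsanitize=address aborts on the overrunning write itself with a stack trace of that write, which is the information the backtraces above cannot give.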