Bug 1668812
| Field | Value |
|---|---|
| Summary | Radvd crash when config file contains duplicate interfaces |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Slawek Kaplonski <skaplons> |
| Component | radvd |
| Assignee | Pavel Zhukov <pzhukov> |
| Status | CLOSED WONTFIX |
| QA Contact | qe-baseos-daemons |
| Severity | high |
| Docs Contact | |
| Priority | medium |
| Version | 7.6 |
| CC | bcafarel, bhaley, dmoppert, pzhukov, thozza |
| Target Milestone | rc |
| Keywords | Patch, Reproducer, TestCaseProvided |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1669177 |
| Environment | |
| Last Closed | 2020-02-11 09:19:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1669177, 1709724 |
Description
Slawek Kaplonski
2019-01-23 16:01:03 UTC
When I compiled radvd locally with debugging symbols it still crashed; this was based on upstream git commit 76ca0de5e0d08e891ce4c5b13cb76dacf597ed64. Here's a backtrace:

```
# ip netns exec foo gdb ./radvd/radvd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/bhaley/radvd/radvd...done.
(gdb) run -C ./junk.conf -p ./radvd.pid --debug=10
Starting program: /home/bhaley/./radvd/radvd -C ./junk.conf -p ./radvd.pid --debug=10
[Jan 23 10:48:08] radvd (99862): version 2.17 started
[Jan 23 10:48:08] radvd (99862): veth1 interface definition ok
[Jan 23 10:48:08] radvd (99862): duplicate interface definition for veth1
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): freeing interface veth1
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): IPv6 forwarding setting is: 0, should be 1 or 2
[Jan 23 10:48:08] radvd (99862): IPv6 forwarding seems to be disabled, but continuing anyway
[Jan 23 10:48:08] radvd (99862): radvd startup PID is 99862
[Jan 23 10:48:08] radvd (99862): opened pid file ./radvd.pid
[Jan 23 10:48:08] radvd (99862): locked pid file ./radvd.pid
Detaching after fork from child process 99866.
[Jan 23 10:48:08] radvd (99866): opened pid file ./radvd.pid
[Jan 23 10:48:08] radvd (99866): radvd PID is 99866
[Jan 23 10:48:08] radvd (99866): wrote pid 99866 to pid file: ./radvd.pid
[Jan 23 10:48:08] radvd (99862): child signaled pid file written: 99866
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): freeing interface 
*** Error in `/home/bhaley/./radvd/radvd': double free or corruption (out): 0x00007ffff7a93580 ***
warning: Corrupted shared library list: 0x7ffff00008e0 != 0x619ff0
======= Backtrace: =========
/lib64/libc.so.6(+0x81489)[0x7ffff7a8f489]
/home/bhaley/./radvd/radvd[0x40538c]
/home/bhaley/./radvd/radvd[0x402a14]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a303d5]
/home/bhaley/./radvd/radvd[0x402d22]
======= Memory map: ========
00400000-00417000 r-xp 00000000 fd:02 859                                /home/bhaley/radvd/radvd
00617000-00618000 r--p 00017000 fd:02 859                                /home/bhaley/radvd/radvd
00618000-00619000 rw-p 00018000 fd:02 859                                /home/bhaley/radvd/radvd
00619000-0063a000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff75e5000-7ffff75fa000 r-xp 00000000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff75fa000-7ffff77f9000 ---p 00015000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77f9000-7ffff77fa000 r--p 00014000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77fa000-7ffff77fb000 rw-p 00015000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77fb000-7ffff7807000 r-xp 00000000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7807000-7ffff7a06000 ---p 0000c000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a06000-7ffff7a07000 r--p 0000b000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a07000-7ffff7a08000 rw-p 0000c000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a08000-7ffff7a0e000 rw-p 00000000 00:00 0
7ffff7a0e000-7ffff7bd0000 r-xp 00000000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7bd0000-7ffff7dd0000 ---p 001c2000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd0000-7ffff7dd4000 r--p 001c2000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd4000-7ffff7dd6000 rw-p 001c6000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd6000-7ffff7ddb000 rw-p 00000000 00:00 0
7ffff7ddb000-7ffff7dfd000 r-xp 00000000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7fed000-7ffff7ff0000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 rw-p 00000000 00:00 0
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00021000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7ffd000-7ffff7ffe000 rw-p 00022000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7a44207 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-260.el7.x86_64 libgcc-4.8.5-36.el7.x86_64
(gdb) bt
#0  0x00007ffff7a44207 in raise () from /lib64/libc.so.6
#1  0x00007ffff7a458f8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7a86d27 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff7a8f489 in _int_free () from /lib64/libc.so.6
#4  0x000000000040538c in free_iface_list (iface=0x61a4f0) at interface.c:390
#5  free_ifaces (ifaces=ifaces@entry=0x61a4f0) at interface.c:441
#6  0x0000000000402a14 in main (argc=<optimized out>, argv=<optimized out>) at radvd.c:363
```

That's right at the free() call here in interface.c:

```c
static void free_iface_list(struct Interface *iface)
{
	while (iface) {
		struct Interface *next_iface = iface->next;
		dlog(LOG_DEBUG, 4, "freeing interface %s", iface->props.name);
		struct AdvPrefix *prefix = iface->AdvPrefixList;
		while (prefix) {
			struct AdvPrefix *next_prefix = prefix->next;
-->			free(prefix);
			prefix = next_prefix;
		}
```

My guess is because of the duplication in the config file the same prefix struct was linked into the list twice, causing the double-free condition.

It's even more simple.

```
==22820== Invalid free() / delete / delete[] / realloc()
==22820==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820==    by 0x10E501: free_iface_list (interface.c:427)
==22820==    by 0x10E501: free_ifaces (interface.c:436)
==22820==    by 0x10B775: main (radvd.c:442)
==22820==  Address 0x520cca0 is 0 bytes inside a block of size 352 free'd
==22820==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820==    by 0x10E501: free_iface_list (interface.c:427)
==22820==    by 0x10E501: free_ifaces (interface.c:436)
==22820==    by 0x111714: cleanup (gram.y:907)
==22820==    by 0x113465: yyparse (gram.y:197)
==22820==    by 0x113CA5: readin_config (gram.y:956)
==22820==    by 0x10B3AB: main (radvd.c:327)
==22820==  Block was alloc'd at
==22820==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==22820==    by 0x1136DF: yyparse (gram.y:202)
==22820==    by 0x113CA5: readin_config (gram.y:956)
==22820==    by 0x10B3AB: main (radvd.c:327)
```

RHEL-7 is already in Maintenance Support Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. Please see https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_1_Phase for further information. Since this bug does not meet the criteria, we'll close it as WONTFIX. Feel free to discuss this Bug with Product Management, if this is a critical issue for you. Please provide business justification in such case.

This issue is fixed in Fedora and is being tracked in Red Hat Enterprise Linux 8 https://bugzilla.redhat.com/show_bug.cgi?id=1669177
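The valgrind output above pins the bug down: the `struct Interface` block is freed once by the parser's `cleanup` (gram.y) when it hits the duplicate definition, and again by `free_ifaces` in `main`, because the parser's cleanup cannot clear the pointer `main` still holds. The C program below is an added illustration of that pattern and of the usual fix, written for this page and not taken from radvd; the struct layout, the `NAME_MAX_LEN` bound, the `free_ifaces(struct Interface **)` signature, the minimal `interface NAME { ... };` recogniser and the sample configs are all assumptions made for the example.

```c
/* Minimal model of the double free above: a config parser builds a linked list
 * of interfaces, frees it on a duplicate definition, and the caller must not
 * free that list again. Illustrative code for this page, not radvd's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumption: same bound as the kernel's IFNAMSIZ */

struct Interface {
    char name[NAME_MAX_LEN];
    struct Interface *next;
};

/* Frees every node and clears the caller's variable. A free_iface_list() that
 * takes the head by value cannot clear it, which is how parser cleanup and
 * main() both came to free the same blocks. */
static void free_ifaces(struct Interface **list)
{
    struct Interface *iface = *list;
    while (iface) {
        struct Interface *next = iface->next;
        free(iface);
        iface = next;
    }
    *list = NULL;   /* a second call on this variable frees nothing */
}

static struct Interface *find_iface(struct Interface *list, const char *name)
{
    for (; list; list = list->next)
        if (strcmp(list->name, name) == 0)
            return list;
    return NULL;
}

/* Tiny recogniser for "interface NAME { ... };" blocks: only the keyword and
 * the following token are examined. Returns 0 with the list in *out, or frees
 * what was built, leaves *out NULL and returns -1 on a duplicate or bad name. */
static int parse_config(const char *text, struct Interface **out)
{
    struct Interface *head = NULL, *tail = NULL, *iface;
    const char *p = text;
    char name[NAME_MAX_LEN];
    size_t len;

    *out = NULL;
    while ((p = strstr(p, "interface")) != NULL) {
        p += strlen("interface");
        while (*p == ' ' || *p == '\t')
            p++;
        len = strcspn(p, " \t\r\n{");
        if (len == 0 || len >= NAME_MAX_LEN) {
            free_ifaces(&head);
            return -1;
        }
        memcpy(name, p, len);
        name[len] = '\0';
        p += len;

        if (find_iface(head, name)) {
            fprintf(stderr, "duplicate interface definition for %s\n", name);
            free_ifaces(&head);   /* the parser's cleanup path; *out stays NULL */
            return -1;
        }
        iface = calloc(1, sizeof *iface);
        if (!iface) {
            free_ifaces(&head);
            return -1;
        }
        memcpy(iface->name, name, len + 1);
        if (tail)
            tail->next = iface;
        else
            head = iface;
        tail = iface;
    }
    *out = head;
    return 0;
}

/* Stand-in for main(): interface count, or -1 on a config error. The error is
 * fatal here; the log above shows radvd carrying on after the duplicate and
 * later freeing the dangling list. */
static int run_config(const char *text)
{
    struct Interface *ifaces = NULL;
    int n = 0;

    if (parse_config(text, &ifaces) < 0) {
        free_ifaces(&ifaces);   /* ifaces is NULL: no-op, no double free */
        return -1;
    }
    for (struct Interface *i = ifaces; i; i = i->next)
        n++;
    free_ifaces(&ifaces);
    return n;
}

int main(void)
{
    /* constructed configs in radvd.conf syntax, not the reporter's junk.conf */
    static const char good[] = "interface veth0 {\n\tAdvSendAdvert on;\n};\n"
                               "interface veth1 {\n\tAdvSendAdvert on;\n};\n";
    static const char dup[]  = "interface veth1 {\n\tAdvSendAdvert on;\n};\n"
                               "interface veth1 {\n\tAdvSendAdvert on;\n};\n";

    printf("good: %d interfaces\n", run_config(good));
    printf("duplicate: %d\n", run_config(dup));
    return 0;
}
```

Two things carry over to the real daemon: the function that frees the list should own the caller's pointer (take `struct Interface **` and null it), and a parse error should stop startup rather than let the daemon continue with a dangling list, as the `--debug=10` log shows it doing between "duplicate interface definition" and the abort. Building this with `-fsanitize=address`, or running it under valgrind as in the second comment, is the quickest way to confirm that the error path frees each block exactly once.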