Bug 168903

Summary: ip -6 route show dev eth1 via :: segfaults
Product: Fedora
Component: iproute
Version: rawhide
Hardware: All
OS: Linux
Reporter: Matt Domsch <matt_domsch>
Assignee: Radek Vokál <rvokal>
QA Contact: Brock Organ <borgan>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Fixed In Version: 2.6.14-5
Doc Type: Bug Fix
Last Closed: 2005-10-07 06:19:00 UTC

Attachments:
ltrace.txt
iproute2-ss050901-host_len.patch

Description Matt Domsch 2005-09-21 02:58:06 UTC
Description of problem:
ip -6 route show dev eth1 via ::
segfaults.
Version-Release number of selected component (if applicable):
2.6.11-1 (FC4), 2.6.14-3 (FC devel)

How reproducible:
always

Steps to Reproduce:
1. run above line
Actual results:
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
Segmentation fault


Expected results:
no segfault

Additional info:
choose any dev (eth0, eth1, whatever) as long as it exists.

Comment 1 Matt Domsch 2005-09-21 02:58:06 UTC
Created attachment 119058 [details]
ltrace.txt

Comment 2 Matt Domsch 2005-09-21 02:58:36 UTC
also, if you drop the 'via ::' part it won't segfault.

Comment 3 Radek Vokál 2005-09-21 06:40:37 UTC
Hmm, none of my test systems segfaults. It seems to work fine. Which
architecture and kernel are you testing this on? I will look closer at your
trace.

Here are my results 
FC4
[root@vepro ~]# rpm -q iproute
iproute-2.6.11-1
[root@vepro ~]# ip -6 route show dev eth0 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295

FC5
rvokal@garfield devel$ ip -6 route show dev eth1 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
rvokal@garfield devel$ rpm -q iproute
iproute-2.6.14-3



Comment 4 Matt Domsch 2005-09-21 13:04:09 UTC
arch i386, kernel 2.6.12-1.1447_FC4 UP and smp variant.
If built with CFLAGS+= -g  it's not segfaulting on me. :-(

Comment 5 Radek Vokál 2005-09-23 10:05:21 UTC
Doh, thanks for pointing me to this. The package was not built with
RPM_OPT_FLAGS, so some arch-specific options weren't in use. I will rebuild the
package and hopefully this will shed some more light on this issue. iproute-2.6.14-4

Comment 6 Radek Vokál 2005-10-05 07:12:05 UTC
Have you tried updating to the latest iproute package built with OPT_FLAGS?

Comment 7 Matt Domsch 2005-10-06 13:28:55 UTC
I rebuilt iproute-2.6.14-4 using mock on FC4 and installed it.  Still fails, but
gives some indication now of why.
$ gdb ip
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) ip -6 route show dev eth1 via ::
Undefined command: "ip".  Try "help".
(gdb) set args -6 route show dev eth1 via ::
(gdb) run
Starting program: /sbin/ip -6 route show dev eth1 via ::
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
2001:470:1f01:1867::/80  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
*** buffer overflow detected ***: /sbin/ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x945c45]
/sbin/ip[0x804f877]
/sbin/ip[0x806114c]
/sbin/ip[0x804e707]
/sbin/ip[0x8049579]
/sbin/ip[0x8049a90]
/lib/libc.so.6(__libc_start_main+0xdf)[0x87cd5f]
/sbin/ip[0x8049431]
======= Memory map: ========
0084a000-00864000 r-xp 00000000 fd:00 13828114   /lib/ld-2.3.5.so
00864000-00865000 r--p 00019000 fd:00 13828114   /lib/ld-2.3.5.so
00865000-00866000 rw-p 0001a000 fd:00 13828114   /lib/ld-2.3.5.so
00868000-0098b000 r-xp 00000000 fd:00 13828127   /lib/libc-2.3.5.so
0098b000-0098d000 r--p 00123000 fd:00 13828127   /lib/libc-2.3.5.so
0098d000-0098f000 rw-p 00125000 fd:00 13828127   /lib/libc-2.3.5.so
0098f000-00991000 rw-p 0098f000 00:00 0
009fc000-00a0b000 r-xp 00000000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0b000-00a0c000 r--p 0000e000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0c000-00a0d000 rw-p 0000f000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0d000-00a0f000 rw-p 00a0d000 00:00 0
00b68000-00b71000 r-xp 00000000 fd:00 13828190   /lib/libgcc_s-4.0.1-20050727.so.1
00b71000-00b72000 rw-p 00009000 fd:00 13828190   /lib/libgcc_s-4.0.1-20050727.so.1
08048000-0806b000 r-xp 00000000 fd:00 5996663    /sbin/ip
0806b000-0806e000 rw-p 00022000 fd:00 5996663    /sbin/ip
0806e000-0808f000 rw-p 0806e000 00:00 0          [heap]
b7f61000-b7f63000 rw-p b7f61000 00:00 0
b7f6a000-b7f6b000 rw-p b7f6a000 00:00 0
bfa55000-bfa6b000 rw-p bfa55000 00:00 0          [stack]
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00890118 in raise () from /lib/libc.so.6
#2  0x00891888 in abort () from /lib/libc.so.6
#3  0x008c522a in __libc_message () from /lib/libc.so.6
#4  0x00945c45 in __chk_fail () from /lib/libc.so.6
#5  0x0804f877 in print_route (who=0xbfa67028, n=0xbfa636ac, arg=0x98d5e0) at
iproute.c:219
#6  0x0806114c in rtnl_dump_filter (rth=0x806dc40, filter=0x804f51a
<print_route>, arg1=0x98d5e0, junk=0, arg2=0x0)
    at libnetlink.c:207
#7  0x0804e707 in iproute_list_or_flush (argc=Variable "argc" is not available.
) at iproute.c:1219
#8  0x08049579 in do_cmd (argv0=0xbfa69b34 "route", argc=6, argv=0xbfa6816c) at
ip.c:84
#9  0x08049a90 in main (argc=7, argv=0xbfa68168) at ip.c:225
#10 0x0087cd5f in __libc_start_main () from /lib/libc.so.6
#11 0x08049431 in _start ()


Comment 8 Arjan van de Ven 2005-10-06 14:48:38 UTC
        if (filter.rvia.bitlen>0) {
                memset(&via, 0, sizeof(via));
                via.family = r->rtm_family;
                if (tb[RTA_GATEWAY])
                        memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
        }


that memcpy goes too big
because of
typedef struct
{
        __u8 family;
        __u8 bytelen;
        __s16 bitlen;
        __u32 flags;
        __u32 data[4];
} inet_prefix;


apparently host_len is too big; could you ask gdb what the value of host_len is?

Comment 9 Matt Domsch 2005-10-07 00:23:47 UTC
(gdb) frame 5
#5  0x0804f877 in print_route (who=0xbf8aef68, n=0xbf8ab558, arg=0x98d5e0) at
iproute.c:219
219                             memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]),
host_len);
(gdb) print host_len
$1 = 128


Comment 10 Matt Domsch 2005-10-07 00:25:42 UTC
Which comes from:

       if (r->rtm_family == AF_INET6)
                host_len = 128;


Comment 11 Matt Domsch 2005-10-07 02:35:43 UTC
Created attachment 119698 [details]
iproute2-ss050901-host_len.patch

host_len should be divided by 8, as its units are bits, whereas memcpy uses
byte units.
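
The bits-versus-bytes mismatch worked out in comments 8 to 11, as an added C example; this is not code from the bug report or from iproute2. The `inet_prefix` layout is copied from comment 8 and `host_len_bits()` mirrors the assignment in comment 10; `buggy_copy_len()`, `copy_gateway()` and the sample gateway bytes are constructed for illustration. With host_len = 128 the original memcpy is asked for 128 bytes into the 16-byte `via.data` field on the stack, which is why the unfortified build segfaulted and the RPM_OPT_FLAGS rebuild (glibc's _FORTIFY_SOURCE check, `__chk_fail` in the comment 7 backtrace) aborted with "buffer overflow detected". The fixed shape divides by 8 and additionally checks the length against both the destination field and the source attribute before copying:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Same layout as the inet_prefix quoted in comment 8: 16 bytes of address storage. */
typedef struct {
    uint8_t  family;
    uint8_t  bytelen;
    int16_t  bitlen;
    uint32_t flags;
    uint32_t data[4];
} inet_prefix;

/* Mirrors comment 10: host_len is a host prefix length in BITS. */
static int host_len_bits(int family)
{
    if (family == AF_INET6) return 128;
    if (family == AF_INET)  return 32;
    return -1;
}

/* Buggy shape: the bit count is handed straight to memcpy, which counts bytes.
 * Only reports the length the original code would have copied; never copies,
 * so it is safe to call. (Hypothetical helper, not iproute2 code.) */
static size_t buggy_copy_len(int family)
{
    int bits = host_len_bits(family);
    return bits < 0 ? 0 : (size_t)bits;
}

/* Fixed shape (comment 11's patch, plus explicit bounds checks): convert bits to
 * bytes, refuse anything that would overflow via->data or read past the source
 * attribute, then copy. Returns bytes copied or -1. (Hypothetical helper.) */
static int copy_gateway(inet_prefix *via, int family, const void *gw, size_t gw_len)
{
    int bits = host_len_bits(family);
    if (bits < 0) return -1;
    size_t bytes = (size_t)bits / 8;
    if (bytes > sizeof(via->data) || bytes > gw_len) return -1;
    memset(via, 0, sizeof(*via));
    via->family  = (uint8_t)family;
    via->bytelen = (uint8_t)bytes;
    via->bitlen  = (int16_t)bits;
    memcpy(via->data, gw, bytes);
    return (int)bytes;
}

int main(void)
{
    /* Constructed sample: 2001:db8::1 as the raw 16 bytes RTA_DATA would hold. */
    const uint8_t gw6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    inet_prefix via;

    printf("buggy memcpy length for AF_INET6: %zu bytes into a %zu-byte field\n",
           buggy_copy_len(AF_INET6), sizeof(via.data));
    int n = copy_gateway(&via, AF_INET6, gw6, sizeof gw6);
    printf("fixed copy: %d bytes, bytelen=%u bitlen=%d\n", n, via.bytelen, via.bitlen);
    return 0;
}
```

The `bytes > gw_len` check is the part the minimal patch does not have: the netlink attribute length is the only authoritative bound on how much RTA_DATA can be read, so a copy should be limited by it as well as by the destination size.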

Comment 12 Matt Domsch 2005-10-07 02:37:38 UTC
This patch resolves it for me in testing, no more segfaults, tested on 2 FC4
i386 systems that previously failed, and the patch is obviously correct.

Comment 13 Radek Vokál 2005-10-07 06:19:00 UTC
Thanks. Patch applied on rawhide.