Bug 2262996
| Summary: | dhcpcd core dumps every 5 days | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chad <chad.schroeder> |
| Component: | dhcpcd | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 38 | CC: | chad.schroeder, mosvald, pemensik, pzacik |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | dhcpcd-10.0.6-2.el9 dhcpcd-10.0.6-2.fc38 dhcpcd-10.0.6-2.el8 dhcpcd-10.0.6-2.fc39 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-02-25 00:39:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2236298 | ||
|
Description
Chad
2024-02-06 13:28:51 UTC
$ uname -a Linux host1 6.5.5-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Sep 24 15:52:44 UTC 2023 x86_64 GNU/Linux $ rpm -qi dhcpcd Name : dhcpcd Version : 10.0.6 Release : 1.fc38 Architecture: x86_64 Install Date: Thu 11 Jan 2024 03:35:40 PM MST Group : Unspecified Size : 495613 License : BSD-2-Clause AND ISC AND MIT Signature : RSA/SHA256, Thu 21 Dec 2023 08:28:29 AM MST, Key ID 809a8d7ceb10b464 Source RPM : dhcpcd-10.0.6-1.fc38.src.rpm Build Date : Thu 21 Dec 2023 08:04:59 AM MST Build Host : buildvm-x86-13.iad2.fedoraproject.org Packager : Fedora Project Vendor : Fedora Project URL : http://roy.marples.name/projects/dhcpcd/ Bug URL : https://bugz.fedoraproject.org/dhcpcd Summary : A minimalistic network configuration daemon with DHCPv4, rdisc and DHCPv6 support Description : The dhcpcd package provides a minimalistic network configuration daemon that supports IPv4 and IPv6 configuration including configuration discovery through NDP, DHCPv4 and DHCPv6 protocols. $ dhcpcd --version dhcpcd 10.0.6 Copyright (c) 2006-2023 Roy Marples Compiled in features: INET ARP ARPing IPv4LL INET6 DHCPv6 AUTH PRIVSEP $ cat /etc/dhcpcd.conf # A sample configuration for dhcpcd. # See dhcpcd.conf(5) for details. # Allow users of this group to interact with dhcpcd via the control socket. controlgroup wheel # Inform the DHCP server of our hostname for DDNS. hostname # Use the hardware address of the interface for the Client ID. #clientid # or # Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361. # Some non-RFC compliant DHCP servers do not reply with this set. # In this case, comment out duid and enable clientid above. duid # Persist interface configuration when dhcpcd exits. #persistent # Rapid commit support. # Safe to enable by default because it requires the equivalent option set # on the server to actually work. option rapid_commit # A list of options to request from the DHCP server. option domain_name_servers, domain_name, domain_search, host_name option classless_static_routes # Most distributions have NTP support. option ntp_servers # Respect the network MTU. This is applied to DHCP routes. option interface_mtu # A ServerID is required by RFC2131. require dhcp_server_identifier # Generate Stable Private IPv6 Addresses instead of hardware based ones #slaac private debug dhcp nogateway nohook ntp.conf nohook resolv.conf noipv4ll noipv6 timeout 180 allowinterfaces eno1 denyinterfaces eno2 eno3 eno4 profile static_management_eno1 static host_name=host1 static ip_address=10.20.1.162/21 static domainname_server=127.0.0.1 interface eno1 hostname MY-SERVER userclass MY-SERVER vendorclassid MY-SERVER fallback static_management_eno1 $ ip a s 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 0c:c4:7a:95:08:64 brd ff:ff:ff:ff:ff:ff altname enp1s0 inet 10.20.1.162/21 brd 10.20.7.255 scope global dynamic noprefixroute eno1 valid_lft 1839sec preferred_lft 1389sec 3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 0c:c4:7a:95:08:65 brd ff:ff:ff:ff:ff:ff altname enp2s0 inet 10.1.0.100/16 brd 10.1.255.255 scope global noprefixroute eno2 valid_lft forever preferred_lft forever inet6 fe80::ec4:7aff:fe95:865/64 scope link proto kernel_ll valid_lft forever preferred_lft forever 4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 0c:c4:7a:95:08:66 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.3.254/22 brd 192.168.3.255 scope global noprefixroute eno3 valid_lft forever preferred_lft forever inet6 fe80::ec4:7aff:fe95:866/64 scope link proto kernel_ll valid_lft forever preferred_lft forever 5: eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 0c:c4:7a:95:08:67 brd ff:ff:ff:ff:ff:ff altname enp4s0 inet 70.167.109.242/28 brd 70.167.109.255 scope global noprefixroute eno4 valid_lft forever preferred_lft forever inet6 fe80::ec4:7aff:fe95:867/64 scope link proto kernel_ll valid_lft forever preferred_lft forever $ journalctl -b -u dhcpcd.service <snip> Jan 11 21:41:34 host1 dhcpcd[1220]: eno1: ARP announcing 10.20.1.162 (2 of 2) Jan 11 21:41:34 host1 dhcpcd[1220]: eno1: ARP announcing 10.20.1.162 (2 of 2) Jan 11 21:59:23 host1 systemd[1]: dhcpcd.service: Main process exited, code=dumped, status=11/SEGV <snip> $ gdb -c ./core.dhcpcd.10.0.6.973.f5d910d813b54cc7b29e3f86d857313d.1218.1705035562000000 <snip> Core was generated by `dhcpcd: [manager] [ip4] '. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055ab82a570d4 in __bswap_32 (__bsx=<optimized out>) at /usr/include/bits/byteswap.h:52 52 return __builtin_bswap32 (__bsx); (gdb) bt #0 0x000055ab82a570d4 in __bswap_32 (__bsx=<optimized out>) at /usr/include/bits/byteswap.h:52 #1 dhcp_redirect_dhcp (ifp=0x55ab83088600, bootp=0x0, bootp_len=0, from=0x7fffc38dd854) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcp.c:2951 #2 0x000055ab82a711a8 in ps_inet_dispatch (arg=arg@entry=0x7fffc38eda10, psm=psm@entry=0x7fffc38dd810, msg=msg@entry=0x7fffc38dd7c0) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep-inet.c:323 #3 0x000055ab82a6968c in ps_recvpsmsg (ctx=<optimized out>, fd=<optimized out>, events=<optimized out>, callback=callback@entry=0x55ab82a71180 <ps_inet_dispatch>, cbctx=0x7fffc38eda10) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep.c:1177 #4 0x000055ab82a69934 in ps_inet_dodispatch (arg=<optimized out>, events=<optimized out>) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep-inet.c:348 #5 0x000055ab82a37b13 in eloop_run_ppoll (signals=0x7fffc38edc50, ts=<optimized out>, eloop=<optimized out>) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/eloop.c:1106 #6 eloop_start (eloop=0x55ab830867d0, signals=signals@entry=0x7fffc38edc50) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/eloop.c:1228 #7 0x000055ab82a34e76 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcpcd.c:2611 (gdb) f 1 #1 dhcp_redirect_dhcp (ifp=0x55ab83088600, bootp=0x0, bootp_len=0, from=0x7fffc38dd854) at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcp.c:2951 2951 xid = ntohl(bootp->xid); (gdb) p ifp $4 = (struct interface *) 0x55ab83088600 (gdb) p *ifp $5 = {ctx = 0x7fffc38eda10, next = {tqe_next = 0x0, tqe_prev = 0x55ab830884f8}, name = "eno4", '\000' <repeats 11 times>, index = 5, active = 0, flags = 69699, hwtype = 1, hwaddr = "\f\304z\225\bg", '\000' <repeats 13 times>, hwlen = 6 '\006', vlanid = 0, metric = 1005, carrier = 1, wireless = false, ssid = '\000' <repeats 31 times>, ssid_len = 0, profile = '\000' <repeats 63 times>, options = 0x0, if_data = { 0x55ab83099100, 0x0, 0x0, 0x0, 0x55ab83099570, 0x0, 0x0}} (gdb) p bootp $1 = (struct bootp *) 0x0 (gdb) The issue derives from dhcp_redirect_dhcp on **eno4** Thank you for reporting it upstream directly. Indeed, dhcp_redirect_dhcp does not have minimal packet size check and it should have it. Created PR #295 [1], which should fix it. Yes, it seems it is related to the original issue vulnerability bug #2236298. It seems one code path avoided proper fixing. 1. https://github.com/NetworkConfiguration/dhcpcd/pull/295 I have created PR for testing: Fedora 38 based: https://src.fedoraproject.org/rpms/dhcpcd/pull-request/4 Rawhide based: https://src.fedoraproject.org/rpms/dhcpcd/pull-request/3 FEDORA-2024-2bb2bb2467 (dhcpcd-10.0.6-2.fc38) has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bb2bb2467 FEDORA-2024-e1fc365e53 (dhcpcd-10.0.6-2.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-e1fc365e53 FEDORA-EPEL-2024-2c8efd45a9 (dhcpcd-10.0.6-2.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-2c8efd45a9 FEDORA-EPEL-2024-2c8efd45a9 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-2c8efd45a9 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-2bb2bb2467 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-2bb2bb2467` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bb2bb2467 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-e1fc365e53 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-e1fc365e53` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e1fc365e53 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2024-19fff4a604 (dhcpcd-10.0.6-2.el8) has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-19fff4a604 FEDORA-EPEL-2024-19fff4a604 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-19fff4a604 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2024-2c8efd45a9 (dhcpcd-10.0.6-2.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-2bb2bb2467 (dhcpcd-10.0.6-2.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-EPEL-2024-19fff4a604 (dhcpcd-10.0.6-2.el8) has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2024-e1fc365e53 (dhcpcd-10.0.6-2.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report. |