Bug 1534340 - ntpd seg faults at startup
Summary: ntpd seg faults at startup
Keywords:
Status: CLOSED DUPLICATE of bug 1527887
Alias: None
Product: Fedora
Classification: Fedora
Component: ntp
Version: 27
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-15 04:20 UTC by Ian Donaldson
Modified: 2018-01-15 08:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-15 08:37:05 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Ian Donaldson 2018-01-15 04:20:50 UTC 
Description of problem:

ntpd won't start; segfaults in libc _dl_name_match_p


Version-Release number of selected component (if applicable):

ntp-4.2.8p10-3.fc27.x86_64
glibc-2.26-21.fc27.x86_64


How reproducible:

100% on one system; works fine on others

Steps to Reproduce:
1. systemctl start ntpd
2. won't start; systemctl returns errors
Job for ntpd.service failed because a fatal signal was delivered to the control process.

3.journalctl -x -e   shows backtrace, below


Actual results:


Jan 15 04:09:10 HOST systemd-coredump[4814]: Process 4811 (ntpd) of user 0 dumped core.
                                                             
                                                             Stack trace of thread 4812:
                                                             #0  0x00007f5942d0d0c1 _dl_name_match_p (ld-linux-x86-64.so.2)
                                                             #1  0x00007f5942d0549c do_lookup_x (ld-linux-x86-64.so.2)
                                                             #2  0x00007f5942d0633f _dl_lookup_symbol_x (ld-linux-x86-64.so
                                                             #3  0x00007f5942d0b5b3 _dl_fixup (ld-linux-x86-64.so.2)
                                                             #4  0x00007f5942d1348a _dl_runtime_resolve_xsavec (ld-linux-x8
                                                             #5  0x00007f594126a531 _Unwind_Find_FDE (libgcc_s.so.1)
                                                             #6  0x00007f5941266a73 uw_frame_state_for (libgcc_s.so.1)
                                                             #7  0x00007f5941267ce0 uw_init_context_1 (libgcc_s.so.1)
                                                             #8  0x00007f5941268486 _Unwind_ForcedUnwind (libgcc_s.so.1)
                                                             #9  0x00007f59418631c0 __GI___pthread_unwind (libpthread.so.0)
                                                             #10 0x00007f5941857ca2 __do_cancel (libpthread.so.0)
                                                             #11 0x00007f5941864a80 __restore_rt (libpthread.so.0)
                                                             #12 0x00007f594154aad0 __GI___nanosleep (libc.so.6)
                                                             #13 0x00007f594154a9da __sleep (libc.so.6)
                                                             #14 0x000055c621603df2 my_pthread_warmup_worker (ntpd)
                                                             #15 0x00007f594185961b start_thread (libpthread.so.0)
                                                             #16 0x00007f594158691f __clone (libc.so.6)
                                                             
                                                             Stack trace of thread 4811:
                                                             #0  0x00007f594185ab7d __pthread_join (libpthread.so.0)
                                                             #1  0x000055c621603fd4 my_pthread_warmup (ntpd)
                                                             #2  0x00007f594149000a __libc_start_main (libc.so.6)
                                                             #3  0x000055c6215f417a _start (ntpd)
-- Subject: Process 4811 (ntpd) dumped core
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: man:core(5)
-- 
-- Process 4811 (ntpd) crashed and dumped core.


Expected results:

  runs

Additional info:

This started happening today on one system I dnf updated'd.
The version of ntp package didn't receive any updates; the kernel and glibc did though,
along with lots of other packages.

glibc-2.26-16.fc27.x86_64     -> glibc-2.26-21.fc27.x86_64
kernel-4.14.3-300.fc27.x86_64 -> kernel-4.14.13-300.fc27.x86_64

I also updated about 10 other systems similarly but they had no issue with ntpd.

This is the first System with this CPU that I've updated though:

model name      : Intel(R) Xeon(R) Silver 4114 CPU @ 2.20GHz

Booting the prior kernel didn't help.

gdb shows this:

(gdb) run /usr/sbin/ntpd -u ntp:ntp -g
Starting program: /usr/sbin/ntpd /usr/sbin/ntpd -u ntp:ntp -g
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff7ff6700 (LWP 2562)]

Thread 2 "ntpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7ff6700 (LWP 2562)]
0x00007ffff7de70c1 in _dl_name_match_p (name=0x7ffff6333f0f "libc.so.6", map=map@entry=0x7ffff7ffe130) at dl-misc.c:284
284     {
(gdb) where
#0  0x00007ffff7de70c1 in _dl_name_match_p (name=0x7ffff6333f0f "libc.so.6", map=map@entry=0x7ffff7ffe130)
    at dl-misc.c:284
#1  0x00007ffff7ddf49c in do_lookup_x (undef_name=undef_name@entry=0x7ffff6333e4f "dl_iterate_phdr",
    new_hash=new_hash@entry=649489807, old_hash=old_hash@entry=0x7ffff7ff4160, ref=0x7ffff6332700,
    result=result@entry=0x7ffff7ff4170, scope=<optimized out>, i=<optimized out>, version=0x55555586aa00, flags=5,
    skip=0x0, type_class=1, undef_map=0x55555586a3a0) at dl-lookup.c:558
#2  0x00007ffff7de033f in _dl_lookup_symbol_x (undef_name=0x7ffff6333e4f "dl_iterate_phdr", undef_map=0x55555586a3a0,
    ref=ref@entry=0x7ffff7ff4228, symbol_scope=0x55555586a6f8, version=0x55555586aa00, type_class=type_class@entry=1,
    flags=5, skip_map=0x0) at dl-lookup.c:833
#3  0x00007ffff7de55b3 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized out>) at ../elf/dl-runtime.c:112
#4  0x00007ffff7ded48a in _dl_runtime_resolve_xsavec () at ../sysdeps/x86_64/dl-trampoline.h:125
#5  0x00007ffff6344531 in _Unwind_Find_FDE (pc=0x7ffff6342485 <_Unwind_ForcedUnwind+53>, bases=bases@entry=0x7ffff7ff4fc8)
    at ../../../libgcc/unwind-dw2-fde-dip.c:469
#6  0x00007ffff6340a73 in uw_frame_state_for (context=context@entry=0x7ffff7ff4f20, fs=fs@entry=0x7ffff7ff4d70)
    at ../../../libgcc/unwind-dw2.c:1249
#7  0x00007ffff6341ce0 in uw_init_context_1 (context=context@entry=0x7ffff7ff4f20,
    outer_cfa=outer_cfa@entry=0x7ffff7ff5150, outer_ra=0x7ffff693d1c0 <__GI___pthread_unwind+64>)
    at ../../../libgcc/unwind-dw2.c:1578
#8  0x00007ffff6342486 in _Unwind_ForcedUnwind (exc=0x7ffff7ff6d70, stop=stop@entry=0x7ffff693d030 <unwind_stop>,
    stop_argument=0x7ffff7ff5f10) at ../../../libgcc/unwind.inc:201
#9  0x00007ffff693d1c0 in __GI___pthread_unwind (buf=<optimized out>) at unwind.c:121
#10 0x00007ffff6931ca2 in __do_cancel () at ./pthreadP.h:297
#11 sigcancel_handler (sig=<optimized out>, si=0x7ffff7ff52b0, ctx=<optimized out>) at nptl-init.c:216
#12 <signal handler called>
#13 0x00007ffff6624ad0 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffff7ff5eb0,
    remaining=remaining@entry=0x7ffff7ff5eb0) at ../sysdeps/unix/sysv/linux/nanosleep.c:27
#14 0x00007ffff66249da in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#15 0x0000555555576df2 in my_pthread_warmup_worker (thread_args=<optimized out>) at ntpd.c:298
#16 0x00007ffff693361b in start_thread (arg=0x7ffff7ff6700) at pthread_create.c:465
#17 0x00007ffff666091f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(gdb) info reg
rax            0x55555586aa00   93824995469824
rbx            0x7ffff7ffe130   140737354129712
rcx            0x26b66d8f       649489807
rdx            0x1      1
rsi            0x7ffff7ffe130   140737354129712
rdi            0x7ffff6333f0f   140737323941647
rbp            0x0      0x0
rsp            0x7ffff7ff4000   0x7ffff7ff4000
r8             0x5555555542d0   93824992232144
r9             0x7ffff7ffe3e8   140737354130408
r10            0xb      11
r11            0x0      0
r12            0x7ffff7fe7130   140737354035504
r13            0x1      1
r14            0x0      0
r15            0x5555555542cc   93824992232140
rip            0x7ffff7de70c1   0x7ffff7de70c1 <_dl_name_match_p+1>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
k0             0x0      0
k1             0x0      0
k2             0x0      0
k3             0x0      0
k4             0x0      0
k5             0x0      0
k6             0x0      0
k7             0x0      0


which looks like the stack has been smashed given the odd rip.

Running under valgrind with a large redzone shows it running OK though:

valgrind --redzone-size=1024 --trace-children=yes /usr/sbin/ntpd -u ntp:ntp -g

probably as its shifted things around a bit, possibly hiding the stack overwrite
Comment 1 Miroslav Lichvar 2018-01-15 08:37:05 UTC 
This is apparently a glibc issue. Closing as a duplicate.

*** This bug has been marked as a duplicate of bug 1527887 ***
Note You need to log in before you can comment on or make changes to this bug.