Bug 1668812 - Radvd crash when config file contains duplicate interfaces
Summary: Radvd crash when config file contains duplicate interfaces
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: radvd
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Pavel Zhukov
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1669177 1709724
Reported: 2019-01-23 16:01 UTC by Slawek Kaplonski
Modified: 2020-03-19 07:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1669177
Environment:
Last Closed: 2020-02-11 09:19:23 UTC
Target Upstream Version:
Embargoed:



Description Slawek Kaplonski 2019-01-23 16:01:03 UTC
Description of problem:
While debugging some CI issues in OpenStack Neutron (bz1630167) I found that sometimes the config file contains a duplicated definition of an interface, and in such a case radvd crashes during start.

Bad config looks like below:
interface qr-29c030a8-26
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   AdvLinkMTU 1500;
   AdvOtherConfigFlag on;

   prefix 2003:0:0:1::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
   };

   prefix 2003::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
   };

};interface qr-29c030a8-26
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   AdvLinkMTU 1500;
   AdvOtherConfigFlag on;

   prefix 2003::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
   };
};


Version-Release number of selected component (if applicable):
radvd-2.17-3.el7.x86_64

How reproducible:
100% of the time on RHEL 7.6 with radvd-2.17-3.el7.x86_64

Steps to Reproduce:
1. Prepare a bad config file for radvd
2. Start radvd with the command:
   radvd -C /tmp/radvd.conf -p /tmp/radvd.pid

Actual results:
radvd crashes

Expected results:
radvd is running properly
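A pre-flight check for the configuration shape described in this report, as an added example that is not part of the report or of radvd itself: it scans a radvd.conf buffer for `interface` blocks at the top level and reports names that appear more than once, including the case above where `};interface` runs together on one line with no newline. The embedded configs are constructed condensations of the reporter's file; the tokenizer assumes whitespace and the characters `{`, `}` and `;` separate tokens and that the file carries no comments.

```c
/* Added example (not radvd's own code): detect duplicate top-level
 * "interface NAME" blocks in a radvd.conf buffer before starting the daemon.
 * Assumptions: tokens are separated by whitespace or by { } ; and the
 * keyword "interface" at nesting depth 0 introduces a block. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_IFACES 64
#define MAX_NAME   64

/* Constructed sample: the report's shape, with the second block glued to
 * the first via "};interface". */
static const char BAD_CONF[] =
    "interface qr-29c030a8-26\n"
    "{\n"
    "   AdvSendAdvert on;\n"
    "   prefix 2003:0:0:1::/64\n"
    "   {\n"
    "        AdvOnLink on;\n"
    "   };\n"
    "};interface qr-29c030a8-26\n"
    "{\n"
    "   AdvSendAdvert on;\n"
    "   prefix 2003::/64\n"
    "   {\n"
    "        AdvOnLink on;\n"
    "   };\n"
    "};\n";

/* Constructed sample with two distinct interfaces (second name invented). */
static const char GOOD_CONF[] =
    "interface qr-29c030a8-26\n"
    "{\n"
    "   AdvSendAdvert on;\n"
    "};interface qr-7f2a1c44-10\n"
    "{\n"
    "   AdvSendAdvert on;\n"
    "};\n";

/* Returns how many interface names are defined more than once at top level,
 * or -1 if the config declares more interfaces than this checker tracks. */
int count_duplicate_interfaces(const char *conf)
{
    char names[MAX_IFACES][MAX_NAME];
    int n = 0, depth = 0, dups = 0, expect_name = 0;
    const char *p = conf;

    while (*p) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (*p == '{') { depth++; p++; continue; }
        if (*p == '}') { if (depth > 0) depth--; p++; continue; }
        if (*p == ';') { p++; continue; }

        /* read one bare token */
        const char *start = p;
        while (*p && !isspace((unsigned char)*p) &&
               *p != '{' && *p != '}' && *p != ';')
            p++;
        size_t len = (size_t)(p - start);

        if (expect_name) {
            /* this token is the name following "interface" */
            expect_name = 0;
            if (len >= MAX_NAME) len = MAX_NAME - 1;
            int seen = 0;
            for (int i = 0; i < n; i++) {
                if (strlen(names[i]) == len && strncmp(names[i], start, len) == 0) {
                    seen = 1;
                    break;
                }
            }
            if (seen) {
                dups++;
                fprintf(stderr, "duplicate interface definition for %.*s\n",
                        (int)len, start);
            } else {
                if (n == MAX_IFACES) return -1;
                memcpy(names[n], start, len);
                names[n][len] = '\0';
                n++;
            }
        } else if (depth == 0 && len == 9 && strncmp(start, "interface", 9) == 0) {
            expect_name = 1;
        }
    }
    return dups;
}

int main(void)
{
    printf("bad config: %d duplicate(s)\n", count_duplicate_interfaces(BAD_CONF));
    printf("good config: %d duplicate(s)\n", count_duplicate_interfaces(GOOD_CONF));
    return 0;
}
```

Running this over a generated config before invoking radvd turns a daemon crash into a clear diagnostic; the check is deliberately shallow (it only tracks block names) so it never has to interpret the rest of the grammar.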

Comment 2 Brian Haley 2019-01-23 16:30:07 UTC
When I compiled radvd locally with debugging symbols it still crashed, this
was based on upstream git commit 76ca0de5e0d08e891ce4c5b13cb76dacf597ed64.
Here's a backtrace:

# ip netns exec foo gdb ./radvd/radvd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/bhaley/radvd/radvd...done.
(gdb) run -C ./junk.conf -p ./radvd.pid --debug=10
Starting program: /home/bhaley/./radvd/radvd -C ./junk.conf -p ./radvd.pid --debug=10
[Jan 23 10:48:08] radvd (99862): version 2.17 started
[Jan 23 10:48:08] radvd (99862): veth1 interface definition ok
[Jan 23 10:48:08] radvd (99862): duplicate interface definition for veth1
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): freeing interface veth1
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): IPv6 forwarding setting is: 0, should be 1 or 2
[Jan 23 10:48:08] radvd (99862): IPv6 forwarding seems to be disabled, but continuing anyway
[Jan 23 10:48:08] radvd (99862): radvd startup PID is 99862
[Jan 23 10:48:08] radvd (99862): opened pid file ./radvd.pid
[Jan 23 10:48:08] radvd (99862): locked pid file ./radvd.pid
Detaching after fork from child process 99866.
[Jan 23 10:48:08] radvd (99866): opened pid file ./radvd.pid
[Jan 23 10:48:08] radvd (99866): radvd PID is 99866
[Jan 23 10:48:08] radvd (99866): wrote pid 99866 to pid file: ./radvd.pid
[Jan 23 10:48:08] radvd (99862): child signaled pid file written: 99866
[Jan 23 10:48:08] radvd (99862): Freeing Interfaces
[Jan 23 10:48:08] radvd (99862): freeing interface 
*** Error in `/home/bhaley/./radvd/radvd': double free or corruption (out): 0x00007ffff7a93580 ***
warning: Corrupted shared library list: 0x7ffff00008e0 != 0x619ff0
======= Backtrace: =========
/lib64/libc.so.6(+0x81489)[0x7ffff7a8f489]
/home/bhaley/./radvd/radvd[0x40538c]
/home/bhaley/./radvd/radvd[0x402a14]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a303d5]
/home/bhaley/./radvd/radvd[0x402d22]
======= Memory map: ========
00400000-00417000 r-xp 00000000 fd:02 859                                /home/bhaley/radvd/radvd
00617000-00618000 r--p 00017000 fd:02 859                                /home/bhaley/radvd/radvd
00618000-00619000 rw-p 00018000 fd:02 859                                /home/bhaley/radvd/radvd
00619000-0063a000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff75e5000-7ffff75fa000 r-xp 00000000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff75fa000-7ffff77f9000 ---p 00015000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77f9000-7ffff77fa000 r--p 00014000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77fa000-7ffff77fb000 rw-p 00015000 fd:00 135179675                  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7ffff77fb000-7ffff7807000 r-xp 00000000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7807000-7ffff7a06000 ---p 0000c000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a06000-7ffff7a07000 r--p 0000b000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a07000-7ffff7a08000 rw-p 0000c000 fd:00 134261627                  /usr/lib64/libnss_files-2.17.so
7ffff7a08000-7ffff7a0e000 rw-p 00000000 00:00 0 
7ffff7a0e000-7ffff7bd0000 r-xp 00000000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7bd0000-7ffff7dd0000 ---p 001c2000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd0000-7ffff7dd4000 r--p 001c2000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd4000-7ffff7dd6000 rw-p 001c6000 fd:00 134261609                  /usr/lib64/libc-2.17.so
7ffff7dd6000-7ffff7ddb000 rw-p 00000000 00:00 0 
7ffff7ddb000-7ffff7dfd000 r-xp 00000000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7fed000-7ffff7ff0000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 rw-p 00000000 00:00 0 
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00021000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7ffd000-7ffff7ffe000 rw-p 00022000 fd:00 134261602                  /usr/lib64/ld-2.17.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7a44207 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-260.el7.x86_64 libgcc-4.8.5-36.el7.x86_64
(gdb) bt
#0  0x00007ffff7a44207 in raise () from /lib64/libc.so.6
#1  0x00007ffff7a458f8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7a86d27 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff7a8f489 in _int_free () from /lib64/libc.so.6
#4  0x000000000040538c in free_iface_list (iface=0x61a4f0) at interface.c:390
#5  free_ifaces (ifaces=ifaces@entry=0x61a4f0) at interface.c:441
#6  0x0000000000402a14 in main (argc=<optimized out>, argv=<optimized out>)
    at radvd.c:363

That's right at the free() call here in interface.c:

static void free_iface_list(struct Interface *iface)
{
        while (iface) {
                struct Interface *next_iface = iface->next;

                dlog(LOG_DEBUG, 4, "freeing interface %s", iface->props.name);

                struct AdvPrefix *prefix = iface->AdvPrefixList;
                while (prefix) {
                        struct AdvPrefix *next_prefix = prefix->next;

-->                     free(prefix);
                        prefix = next_prefix;
                }

My guess is because of the duplication in the config file the same
prefix struct was linked into the list twice, causing the double-free
condition.

Comment 3 Pavel Zhukov 2019-01-23 17:40:08 UTC
It's even simpler.

==22820== Invalid free() / delete / delete[] / realloc()
==22820==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820==    by 0x10E501: free_iface_list (interface.c:427)
==22820==    by 0x10E501: free_ifaces (interface.c:436)
==22820==    by 0x10B775: main (radvd.c:442)
==22820==  Address 0x520cca0 is 0 bytes inside a block of size 352 free'd
==22820==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820==    by 0x10E501: free_iface_list (interface.c:427)
==22820==    by 0x10E501: free_ifaces (interface.c:436)
==22820==    by 0x111714: cleanup (gram.y:907)
==22820==    by 0x113465: yyparse (gram.y:197)
==22820==    by 0x113CA5: readin_config (gram.y:956)
==22820==    by 0x10B3AB: main (radvd.c:327)
==22820==  Block was alloc'd at
==22820==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==22820==    by 0x1136DF: yyparse (gram.y:202)
==22820==    by 0x113CA5: readin_config (gram.y:956)
==22820==    by 0x10B3AB: main (radvd.c:327)
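A small C model of the ownership bug the valgrind trace shows, added here as an example that is not radvd's code: the interface list is freed once on the duplicate-definition error path during parsing (the `cleanup` frame under `yyparse` above) and again by the normal shutdown in `main`, because the error path leaves the caller's list pointer dangling. This is the one block serving both Comment 2's guess about a node linked twice and Comment 3's trace; it shows the fix pattern of passing the address of the list head and clearing it, so the second free becomes a no-op. All names (`parse_interfaces`, `run_startup`, `live_nodes`, the sample interface arrays) are invented for the example.

```c
/* Added example (a model, not radvd's own code): an error-path cleanup that
 * frees a list but leaves the owner's pointer dangling causes a double free
 * at shutdown. The free routine here takes the address of the head and
 * clears it, so the shutdown call finds NULL and releases nothing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct Interface {
    char name[32];
    struct Interface *next;
};

/* Count of nodes currently allocated, so a caller can verify that nothing
 * leaks and nothing is released twice. */
static int live_nodes = 0;

/* Constructed sample inputs (NULL-terminated name arrays). */
const char *const DUP_NAMES[] = { "qr-29c030a8-26", "qr-29c030a8-26", NULL };
const char *const OK_NAMES[]  = { "veth0", "veth1", NULL };

/* Frees every node and clears the caller's head pointer. Returns the number
 * of nodes freed; calling it again on the same variable returns 0 instead
 * of touching freed memory. */
int free_iface_list(struct Interface **head)
{
    int freed = 0;
    struct Interface *iface = *head;
    while (iface) {
        struct Interface *next = iface->next;
        free(iface);
        live_nodes--;
        freed++;
        iface = next;
    }
    *head = NULL;   /* the fix: no dangling reference survives the cleanup */
    return freed;
}

/* Builds a list from the names. On a duplicate it logs, frees what was built
 * so far and returns -1, mirroring the "duplicate interface definition"
 * error path seen in the debug log and the valgrind trace. */
int parse_interfaces(const char *const names[], struct Interface **head)
{
    for (int i = 0; names[i]; i++) {
        for (struct Interface *it = *head; it; it = it->next) {
            if (strcmp(it->name, names[i]) == 0) {
                fprintf(stderr, "duplicate interface definition for %s\n", names[i]);
                free_iface_list(head);   /* cleanup on error; *head is now NULL */
                return -1;
            }
        }
        struct Interface *iface = calloc(1, sizeof *iface);
        if (!iface) {
            free_iface_list(head);
            return -1;
        }
        snprintf(iface->name, sizeof iface->name, "%s", names[i]);
        iface->next = *head;
        *head = iface;
        live_nodes++;
    }
    return 0;
}

/* Runs the parse-then-shutdown sequence from the trace. Returns the number
 * of nodes the shutdown free released: 0 after a parse error means the
 * error path already owned the cleanup and the pointer was cleared. */
int run_startup(const char *const names[])
{
    struct Interface *iface_list = NULL;
    if (parse_interfaces(names, &iface_list) != 0)
        fprintf(stderr, "config error, proceeding to shutdown\n");
    /* shutdown path, the analogue of the free in main() in the trace */
    return free_iface_list(&iface_list);
}

int live_node_count(void) { return live_nodes; }

int main(void)
{
    printf("duplicate config: shutdown freed %d node(s), %d live\n",
           run_startup(DUP_NAMES), live_node_count());
    printf("clean config: shutdown freed %d node(s), %d live\n",
           run_startup(OK_NAMES), live_node_count());
    return 0;
}
```

Had `free_iface_list` taken the list by value, `iface_list` in `run_startup` would still point at freed memory after the error path and the shutdown call would walk and free it again, which is exactly the `Invalid free()` valgrind reports with the first free inside `cleanup` and the second inside `main`.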

Comment 10 Pavel Zhukov 2020-02-11 09:19:23 UTC
RHEL-7 is already in Maintenance Support Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. Please see https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_1_Phase for further information.

Since this bug does not meet the criteria, we'll close it as WONTFIX. Feel free to discuss this Bug with Product Management if this is a critical issue for you. Please provide business justification in such case.

This issue is fixed in Fedora and is being tracked in Red Hat Enterprise Linux 8 https://bugzilla.redhat.com/show_bug.cgi?id=1669177

