Bug 168903 - ip -6 route show dev eth1 via :: segfaults
ip -6 route show dev eth1 via :: segfaults
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: iproute (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Radek Vokal
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-20 22:58 EDT by Matt Domsch
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 2.6.14-5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-07 02:19:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ltrace.txt (9.19 KB, text/plain)
2005-09-20 22:58 EDT, Matt Domsch
no flags Details
iproute2-ss050901-host_len.patch (775 bytes, patch)
2005-10-06 22:35 EDT, Matt Domsch
no flags Details | Diff

  None (edit)
Description Matt Domsch 2005-09-20 22:58:06 EDT
Description of problem:
ip -6 route show dev eth1 via ::
segfaults.



Version-Release number of selected component (if applicable):
2.6.11-1 (FC4), 2.6.14-3 (FC devel)

How reproducible:
always

Steps to Reproduce:
1. run above line
2.
3.
  
Actual results:
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
Segmentation fault


Expected results:
no segfault

Additional info:
choose any dev (eth0, eth1, whatever) as long as it exists.
Comment 1 Matt Domsch 2005-09-20 22:58:06 EDT
Created attachment 119058 [details]
ltrace.txt
Comment 2 Matt Domsch 2005-09-20 22:58:36 EDT
also, if you drop the 'via ::' part it won't segfault.
Comment 3 Radek Vokal 2005-09-21 02:40:37 EDT
Hmm, none of my test systems segfaults. It seems to work fine. Which
architecture and kernel are you testing this on? I will look closer at your
trace .. 

Here are my results 
FC4
[root@vepro ~]# rpm -q iproute
iproute-2.6.11-1
[root@vepro ~]# ip -6 route show dev eth0 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295

FC5
rvokal@garfield devel$ ip -6 route show dev eth1 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
rvokal@garfield devel$ rpm -q iproute
iproute-2.6.14-3

Comment 4 Matt Domsch 2005-09-21 09:04:09 EDT
arch i386, kernel 2.6.12-1.1447_FC4 UP and smp variant.
If built with CFLAGS+= -g  it's not segfaulting on me. :-(
Comment 5 Radek Vokal 2005-09-23 06:05:21 EDT
Doh, thanks for pointing me to this. The package was not built with
RPM_OPT_FLAGS so some arch specific options weren't in use. I will rebuilt the
package and hopefully this will shed some more light to this issue. iproute-2.6.14-4
Comment 6 Radek Vokal 2005-10-05 03:12:05 EDT
Have you tried updating to the latest iproute package built with OPT_FLAGS?
Comment 7 Matt Domsch 2005-10-06 09:28:55 EDT
I rebuilt iproute-2.6.14-4 using mock on FC4 and installed it.  Still fails, but
gives some indication now of why.
$ gdb ip
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) ip -6 route show dev eth1 via ::
Undefined command: "ip".  Try "help".
(gdb) set args -6 route show dev eth1 via ::
(gdb) run
Starting program: /sbin/ip -6 route show dev eth1 via ::
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
2001:470:1f01:1867::/80  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
*** buffer overflow detected ***: /sbin/ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x945c45]
/sbin/ip[0x804f877]
/sbin/ip[0x806114c]
/sbin/ip[0x804e707]
/sbin/ip[0x8049579]
/sbin/ip[0x8049a90]
/lib/libc.so.6(__libc_start_main+0xdf)[0x87cd5f]
/sbin/ip[0x8049431]
======= Memory map: ========
0084a000-00864000 r-xp 00000000 fd:00 13828114   /lib/ld-2.3.5.so
00864000-00865000 r--p 00019000 fd:00 13828114   /lib/ld-2.3.5.so
00865000-00866000 rw-p 0001a000 fd:00 13828114   /lib/ld-2.3.5.so
00868000-0098b000 r-xp 00000000 fd:00 13828127   /lib/libc-2.3.5.so
0098b000-0098d000 r--p 00123000 fd:00 13828127   /lib/libc-2.3.5.so
0098d000-0098f000 rw-p 00125000 fd:00 13828127   /lib/libc-2.3.5.so
0098f000-00991000 rw-p 0098f000 00:00 0
009fc000-00a0b000 r-xp 00000000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0b000-00a0c000 r--p 0000e000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0c000-00a0d000 rw-p 0000f000 fd:00 13828162   /lib/libresolv-2.3.5.so
00a0d000-00a0f000 rw-p 00a0d000 00:00 0
00b68000-00b71000 r-xp 00000000 fd:00 13828190   /lib/libgcc_s-4.0.1-20050727.so.1
00b71000-00b72000 rw-p 00009000 fd:00 13828190   /lib/libgcc_s-4.0.1-20050727.so.1
08048000-0806b000 r-xp 00000000 fd:00 5996663    /sbin/ip
0806b000-0806e000 rw-p 00022000 fd:00 5996663    /sbin/ip
0806e000-0808f000 rw-p 0806e000 00:00 0          [heap]
b7f61000-b7f63000 rw-p b7f61000 00:00 0
b7f6a000-b7f6b000 rw-p b7f6a000 00:00 0
bfa55000-bfa6b000 rw-p bfa55000 00:00 0          [stack]
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00890118 in raise () from /lib/libc.so.6
#2  0x00891888 in abort () from /lib/libc.so.6
#3  0x008c522a in __libc_message () from /lib/libc.so.6
#4  0x00945c45 in __chk_fail () from /lib/libc.so.6
#5  0x0804f877 in print_route (who=0xbfa67028, n=0xbfa636ac, arg=0x98d5e0) at
iproute.c:219
#6  0x0806114c in rtnl_dump_filter (rth=0x806dc40, filter=0x804f51a
<print_route>, arg1=0x98d5e0, junk=0, arg2=0x0)
    at libnetlink.c:207
#7  0x0804e707 in iproute_list_or_flush (argc=Variable "argc" is not available.
) at iproute.c:1219
#8  0x08049579 in do_cmd (argv0=0xbfa69b34 "route", argc=6, argv=0xbfa6816c) at
ip.c:84
#9  0x08049a90 in main (argc=7, argv=0xbfa68168) at ip.c:225
#10 0x0087cd5f in __libc_start_main () from /lib/libc.so.6
#11 0x08049431 in _start ()
Comment 8 Arjan van de Ven 2005-10-06 10:48:38 EDT
        if (filter.rvia.bitlen>0) {
                memset(&via, 0, sizeof(via));
                via.family = r->rtm_family;
                if (tb[RTA_GATEWAY])
                        memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
        }


that memcpy goes too big
because of
typedef struct
{
        __u8 family;
        __u8 bytelen;
        __s16 bitlen;
        __u32 flags;
        __u32 data[4];
} inet_prefix;


apparently host_len is too big; could you ask gdb what the value of host_len is?
Comment 9 Matt Domsch 2005-10-06 20:23:47 EDT
(gdb) frame 5
#5  0x0804f877 in print_route (who=0xbf8aef68, n=0xbf8ab558, arg=0x98d5e0) at
iproute.c:219
219                             memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]),
host_len);
(gdb) print host_len
$1 = 128
Comment 10 Matt Domsch 2005-10-06 20:25:42 EDT
Which comes from:

       if (r->rtm_family == AF_INET6)
                host_len = 128;
Comment 11 Matt Domsch 2005-10-06 22:35:43 EDT
Created attachment 119698 [details]
iproute2-ss050901-host_len.patch

host_len should be divided by 8, as it's units is bits, where memcpy is using
bytes units.
Comment 12 Matt Domsch 2005-10-06 22:37:38 EDT
This patch resolves it for me in testing, no more segfaults, tested on 2 FC4
i386 systems that previously failed, and the patch is obviously correct.
Comment 13 Radek Vokal 2005-10-07 02:19:00 EDT
Thanks. Patch applied on rawhide.

Note You need to log in before you can comment on or make changes to this bug.