Bug 2262996 - dhcpcd core dumps every 5 days
Summary: dhcpcd core dumps every 5 days
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcpcd
Version: 38
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2236298
TreeView+ depends on / blocked
 
Reported: 2024-02-06 13:28 UTC by Chad
Modified: 2024-03-03 00:42 UTC (History)
4 users (show)

Fixed In Version: dhcpcd-10.0.6-2.el9 dhcpcd-10.0.6-2.fc38 dhcpcd-10.0.6-2.el8 dhcpcd-10.0.6-2.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-02-25 00:39:41 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Package Sources dhcpcd pull-request 3 0 None None None 2024-02-07 11:48:12 UTC
Fedora Package Sources dhcpcd pull-request 4 0 None None None 2024-02-07 11:48:12 UTC
Github NetworkConfiguration dhcpcd issues 283 0 None open dhcpcd core dumps every 5 days 2024-02-07 11:27:09 UTC
Github NetworkConfiguration dhcpcd pull 295 0 None open Move dhcp(v4) packet size check earlier 2024-02-07 11:27:09 UTC

Description Chad 2024-02-06 13:28:51 UTC
Since upgrading to Fedora 38, dhcpcd has been core dumping every 5 days.

This issue is similar to [#179](https://github.com/NetworkConfiguration/dhcpcd/issues/179), but v10.0.6 doesn't resolve this particular problem.  To resolve, the service must be started.

Bug submitted to upstream as well:
https://github.com/NetworkConfiguration/dhcpcd/issues/283

Reproducible: Always

Actual Results:  
Segfault

Expected Results:  
No segfaults

Comment 1 Chad 2024-02-06 13:30:36 UTC
$ uname -a
Linux host1 6.5.5-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Sep 24 15:52:44 UTC 2023 x86_64 GNU/Linux



$ rpm -qi dhcpcd
Name        : dhcpcd
Version     : 10.0.6
Release     : 1.fc38
Architecture: x86_64
Install Date: Thu 11 Jan 2024 03:35:40 PM MST
Group       : Unspecified
Size        : 495613
License     : BSD-2-Clause AND ISC AND MIT
Signature   : RSA/SHA256, Thu 21 Dec 2023 08:28:29 AM MST, Key ID 809a8d7ceb10b464
Source RPM  : dhcpcd-10.0.6-1.fc38.src.rpm
Build Date  : Thu 21 Dec 2023 08:04:59 AM MST
Build Host  : buildvm-x86-13.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://roy.marples.name/projects/dhcpcd/
Bug URL     : https://bugz.fedoraproject.org/dhcpcd
Summary     : A minimalistic network configuration daemon with DHCPv4, rdisc and DHCPv6 support
Description :
The dhcpcd package provides a minimalistic network configuration daemon
that supports IPv4 and IPv6 configuration including configuration discovery
through NDP, DHCPv4 and DHCPv6 protocols.



$ dhcpcd --version
dhcpcd 10.0.6
Copyright (c) 2006-2023 Roy Marples
Compiled in features: INET ARP ARPing IPv4LL INET6 DHCPv6 AUTH PRIVSEP



$ cat /etc/dhcpcd.conf
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
#persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based ones
#slaac private

debug
dhcp
nogateway
nohook ntp.conf
nohook resolv.conf
noipv4ll
noipv6
timeout 180

allowinterfaces eno1
denyinterfaces eno2 eno3 eno4

profile static_management_eno1
   static host_name=host1
   static ip_address=10.20.1.162/21
   static domainname_server=127.0.0.1

interface eno1
   hostname      MY-SERVER
   userclass     MY-SERVER
   vendorclassid MY-SERVER
   fallback      static_management_eno1



$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:95:08:64 brd ff:ff:ff:ff:ff:ff
    altname enp1s0
    inet 10.20.1.162/21 brd 10.20.7.255 scope global dynamic noprefixroute eno1
       valid_lft 1839sec preferred_lft 1389sec
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:95:08:65 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 10.1.0.100/16 brd 10.1.255.255 scope global noprefixroute eno2
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fe95:865/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:95:08:66 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.3.254/22 brd 192.168.3.255 scope global noprefixroute eno3
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fe95:866/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
5: eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:95:08:67 brd ff:ff:ff:ff:ff:ff
    altname enp4s0
    inet 70.167.109.242/28 brd 70.167.109.255 scope global noprefixroute eno4
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fe95:867/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever



$ journalctl -b -u dhcpcd.service
<snip>
Jan 11 21:41:34 host1 dhcpcd[1220]: eno1: ARP announcing 10.20.1.162 (2 of 2)
Jan 11 21:41:34 host1 dhcpcd[1220]: eno1: ARP announcing 10.20.1.162 (2 of 2)
Jan 11 21:59:23 host1 systemd[1]: dhcpcd.service: Main process exited, code=dumped, status=11/SEGV
<snip>



$ gdb -c ./core.dhcpcd.10.0.6.973.f5d910d813b54cc7b29e3f86d857313d.1218.1705035562000000
<snip>
Core was generated by `dhcpcd: [manager] [ip4]           '.                     
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055ab82a570d4 in __bswap_32 (__bsx=<optimized out>)
    at /usr/include/bits/byteswap.h:52
52	  return __builtin_bswap32 (__bsx);

(gdb) bt
#0  0x000055ab82a570d4 in __bswap_32 (__bsx=<optimized out>)
    at /usr/include/bits/byteswap.h:52
#1  dhcp_redirect_dhcp (ifp=0x55ab83088600, bootp=0x0, bootp_len=0, 
    from=0x7fffc38dd854)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcp.c:2951
#2  0x000055ab82a711a8 in ps_inet_dispatch (arg=arg@entry=0x7fffc38eda10, 
    psm=psm@entry=0x7fffc38dd810, msg=msg@entry=0x7fffc38dd7c0)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep-inet.c:323
#3  0x000055ab82a6968c in ps_recvpsmsg (ctx=<optimized out>, 
    fd=<optimized out>, events=<optimized out>, 
    callback=callback@entry=0x55ab82a71180 <ps_inet_dispatch>, 
    cbctx=0x7fffc38eda10)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep.c:1177
#4  0x000055ab82a69934 in ps_inet_dodispatch (arg=<optimized out>, 
    events=<optimized out>)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/privsep-inet.c:348
#5  0x000055ab82a37b13 in eloop_run_ppoll (signals=0x7fffc38edc50, 
    ts=<optimized out>, eloop=<optimized out>)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/eloop.c:1106
#6  eloop_start (eloop=0x55ab830867d0, signals=signals@entry=0x7fffc38edc50)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/eloop.c:1228
#7  0x000055ab82a34e76 in main (argc=<optimized out>, argv=<optimized out>, 
    envp=<optimized out>)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcpcd.c:2611

(gdb) f 1
#1  dhcp_redirect_dhcp (ifp=0x55ab83088600, bootp=0x0, bootp_len=0, 
    from=0x7fffc38dd854)
    at /usr/src/debug/dhcpcd-10.0.6-1.fc38.x86_64/src/dhcp.c:2951
2951            xid = ntohl(bootp->xid);                                        

(gdb) p ifp
$4 = (struct interface *) 0x55ab83088600

(gdb) p *ifp
$5 = {ctx = 0x7fffc38eda10, next = {tqe_next = 0x0, 
    tqe_prev = 0x55ab830884f8}, name = "eno4", '\000' <repeats 11 times>, 
  index = 5, active = 0, flags = 69699, hwtype = 1, 
  hwaddr = "\f\304z\225\bg", '\000' <repeats 13 times>, hwlen = 6 '\006', 
  vlanid = 0, metric = 1005, carrier = 1, wireless = false, 
  ssid = '\000' <repeats 31 times>, ssid_len = 0, 
  profile = '\000' <repeats 63 times>, options = 0x0, if_data = {
    0x55ab83099100, 0x0, 0x0, 0x0, 0x55ab83099570, 0x0, 0x0}}

(gdb) p bootp
$1 = (struct bootp *) 0x0

(gdb) 


The issue derives from dhcp_redirect_dhcp on **eno4**

Comment 2 Petr Menšík 2024-02-07 11:27:09 UTC
Thank you for reporting it upstream directly. Indeed, dhcp_redirect_dhcp does not have minimal packet size check and it should have it. Created PR #295 [1], which should fix it.
Yes, it seems it is related to the original issue vulnerability bug #2236298. It seems one code path avoided proper fixing.

1. https://github.com/NetworkConfiguration/dhcpcd/pull/295

Comment 3 Petr Menšík 2024-02-07 11:48:12 UTC
I have created PR for testing:
Fedora 38 based:
https://src.fedoraproject.org/rpms/dhcpcd/pull-request/4
Rawhide based:
https://src.fedoraproject.org/rpms/dhcpcd/pull-request/3

Comment 4 Fedora Update System 2024-02-16 21:00:05 UTC
FEDORA-2024-2bb2bb2467 (dhcpcd-10.0.6-2.fc38) has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bb2bb2467

Comment 5 Fedora Update System 2024-02-16 21:00:44 UTC
FEDORA-2024-e1fc365e53 (dhcpcd-10.0.6-2.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e1fc365e53

Comment 6 Fedora Update System 2024-02-16 21:01:13 UTC
FEDORA-EPEL-2024-2c8efd45a9 (dhcpcd-10.0.6-2.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-2c8efd45a9

Comment 7 Fedora Update System 2024-02-17 01:08:27 UTC
FEDORA-EPEL-2024-2c8efd45a9 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-2c8efd45a9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2024-02-17 01:58:04 UTC
FEDORA-2024-2bb2bb2467 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-2bb2bb2467`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bb2bb2467

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2024-02-17 02:05:38 UTC
FEDORA-2024-e1fc365e53 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-e1fc365e53`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e1fc365e53

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2024-02-18 00:07:24 UTC
FEDORA-EPEL-2024-19fff4a604 (dhcpcd-10.0.6-2.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-19fff4a604

Comment 11 Fedora Update System 2024-02-18 01:55:48 UTC
FEDORA-EPEL-2024-19fff4a604 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-19fff4a604

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2024-02-25 00:39:41 UTC
FEDORA-EPEL-2024-2c8efd45a9 (dhcpcd-10.0.6-2.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2024-02-25 01:25:37 UTC
FEDORA-2024-2bb2bb2467 (dhcpcd-10.0.6-2.fc38) has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2024-02-26 00:31:16 UTC
FEDORA-EPEL-2024-19fff4a604 (dhcpcd-10.0.6-2.el8) has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2024-03-03 00:42:48 UTC
FEDORA-2024-e1fc365e53 (dhcpcd-10.0.6-2.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.