Bug 683563 - SEGV in snmpd in var_hrswrun() in host/hr_swrun.c.
Summary: SEGV in snmpd in var_hrswrun() in host/hr_swrun.c.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: net-snmp
Version: 6.2
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Safranek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 684167 (view as bug list)
Depends On: 683142 684167
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-09 17:50 UTC by Martin Poole
Modified: 2018-11-14 12:19 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, the snmpd daemon did not detect errors when accessing the /proc file system. Consequent to this, an attempt to read information about an exited process while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable table caused the daemon to terminate unexpectedly with a segmentation fault. This update adapts the underlying source code to make sure that such errors are now properly detected, and snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable. (BZ#683563).
Clone Of: 683142
Environment:
Last Closed: 2011-12-06 17:11:38 UTC
Target Upstream Version:


Attachments (Terms of Use)
patch for reading pid-based /proc files (8.12 KB, patch)
2011-03-09 17:50 UTC, Martin Poole
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1524 0 normal SHIPPED_LIVE net-snmp bug fix update 2011-12-06 01:02:35 UTC

Description Martin Poole 2011-03-09 17:50:57 UTC
Created attachment 483274 [details]
patch for reading pid-based /proc files

+++ This bug was initially created as a clone of Bug #683142 +++

Description of problem:

Customer is seeing SEGV in var_hrswrun() in host/hr_swrun.c to to failure to check fgets return code.


Version-Release number of selected component (if applicable):

net-snmp-5.3.2.2-5.el5 


How reproducible:

Not easy, it require the tested process to terminate between snmpd opening and reading the status file.

--- Additional comment from mpoole@redhat.com on 2011-03-08 11:43:11 EST ---

-------------------------------------------------------------------------------
Core was generated by `/usr/sbin/snmpd -LS 5d -Lf /dev/null -p /var/run/snmpd.pid -a'.
Program terminated with signal 11, Segmentation fault.
[New process 7428]
[New process 7430]
#0 var_hrswrun (vp=0x7fff2954a070, name=<value optimized out>, length=<value optimized out>,
exact=<value optimized out>, var_len=<value optimized out>, write_method=<value optimized out>)
at host/hr_swrun.c:1152
1152 while (*cp != ' ')
-------------------------------------------------------------------------------

Here is a part of var_hrswrun() to review.
-------------------------------------------------------------------------------
461 u_char *
462 var_hrswrun(struct variable * vp,
463 oid * name,
464 size_t * length,
465 int exact, size_t * var_len, WriteMethod ** write_method)
466 {
<snip>
1143 #elif defined(linux)
1144 sprintf(string, "/proc/%d/stat", pid);
1145 if ((fp = fopen(string, "r")) == NULL) {
1146 long_return = 0;
1147 return (u_char *) & long_return;
1148 }
1149 fgets(buf, sizeof(buf), fp);
1150 cp = buf;
1151 for (i = 0; i < 23; ++i) { /* skip 23 fields */
1152 while (*cp != ' ')
1153 ++cp;
1154 ++cp;
1155 }
1156 long_return = atoi(cp) * (getpagesize() / 1024); /* rss
*/
1157 fclose(fp);
-------------------------------------------------------------------------------

--- Additional comment from mpoole@redhat.com on 2011-03-08 12:27:01 EST ---

Although it is possible to fix just this single error it is but one example of a systemic failure to perform return code checks for a number of other reads of /proc/<pid> files.

I am currently working through the set attempting a composite patch.

--- Additional comment from mpoole@redhat.com on 2011-03-09 10:42:51 EST ---

Created attachment 483247 [details]
patch for reading pid-based /proc files

--- Additional comment from mpoole@redhat.com on 2011-03-09 10:45:23 EST ---

Upstream for a single instance fix of the proc race condition is at

 http://sourceforge.net/tracker/index.php?func=detail&aid=1774612&group_id=12694&atid=312694

The patch I've just attached here fixes all the /proc/<pid>/?  read blocks.

Comment 1 Martin Poole 2011-03-09 17:54:14 UTC
The patch attached here is against net-snmp-5.5-31.el6

Comment 2 Jan Safranek 2011-03-11 11:52:05 UTC
*** Bug 684167 has been marked as a duplicate of this bug. ***

Comment 3 Jan Safranek 2011-03-11 11:52:33 UTC
I've fixed it upstream in net-snmp-5.4 and 5.5 branches, SVN rev. 20115.

Comment 7 Chris Ward 2011-07-29 11:43:37 UTC
@moshiro, Please ask FJ to test 6.2.0 for this fix once bits are available and confirm that things work as expected here. Thanks!

Comment 8 Jan Safranek 2011-08-11 11:32:51 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, the snmpd daemon did not detect errors when accessing the /proc file system. Consequent to this, an attempt to read information about an exited process while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable table caused the daemon to terminate unexpectedly with a segmentation fault. This update adapts the underlying source code to make sure that such errors are now properly detected, and snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable. (BZ#683563).

Comment 13 errata-xmlrpc 2011-12-06 17:11:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1524.html


Note You need to log in before you can comment on or make changes to this bug.