Bug#872507: [ifcico] ifcico segfaults when started


Bug#872507: [ifcico] ifcico segfaults when started

Ingo Jürgensmann-8
Package: ifcico
Version: 2.14tx8.10-23
Severity: normal

--- Please enter the report below this line. ---

Hi!

I'm trying to get my Fido node running again with modem line.

When invoked by mgetty, ifcico segfaults:

08/17 22:57:03 yS0   got:  12000/ARQ/V42b[0d]
08/17 22:57:03 yS0    CND: CONNECT 12000/ARQ/V42b
08/17 22:57:03 yS0    CND: found: 12000/ARQ/V42b[0a] ** found **
08/17 22:57:03 yS0   waiting for line to clear (VTIME=3), read:  [0d] [0d]
08/17 22:57:03 yS0  warning: carrier signal is ignored
08/17 22:57:03 yS0    looking for utmp entry... (my PID: 23668)
08/17 22:57:04 yS0   tio_set_flow_control( HARD )
08/17 22:57:04 yS0   print welcome banner (/etc/issue.mgetty)
08/17 22:57:04 yS0   getlogname (FIDO AUTO_PPP), read: [0d]
08/17 22:57:04 yS0   input finished with '\r', setting ICRNL ONLCR
08/17 22:57:04 yS0   tio_set_flow_control( HARD )
08/17 22:57:04 yS0   print welcome banner (/etc/issue.mgetty)
08/17 22:57:04 yS0   getlogname (FIDO AUTO_PPP), read: [0d]
08/17 22:57:04 yS0   input finished with '\r', setting ICRNL ONLCR
08/17 22:57:04 yS0   tio_set_flow_control( HARD )
08/17 22:57:04 yS0   print welcome banner (/etc/issue.mgetty)
08/17 22:57:04 yS0   getlogname (FIDO AUTO_PPP), read:**EMSI_
08/17 22:57:04 yS0   got EMSI signature
08/17 22:57:04 yS0   input finished with '\r', setting ICRNL ONLCR
08/17 22:57:04 yS0   tio_get_rs232_lines: status: RTS CTS DSR DTR DCD
08/17 22:57:04 yS0    login: use login config file /etc/mgetty/login.config
08/17 22:57:04 yS0   match: user='_**EMSI_INQC816', key=''
08/17 22:57:04 yS0   match: user='_**EMSI_INQC816', key='/FIDO/'*** hit!
08/17 22:57:04 yS0   login: utmp entry: ftn
08/17 22:57:04 yS0    looking for utmp entry... (my PID: 23668)
08/17 22:57:04 yS0   login: user id: uucp (uid 10, gid 10)
08/17 22:57:04 yS0   calling login: cmd='/usr/lib/ifmail/ifcico', argv[]='ifcico **EMSI_INQC816'
08/17 22:57:04 yS0   setenv: 'CALLER_ID=none'
08/17 22:57:04 yS0   setenv: 'CONNECT=12000/ARQ/V42b'
08/17 22:57:04 yS0   setenv: 'DEVICE=ttyS0'
08/17 22:57:04 ##### data dev=ttyS0, pid=23668, caller='none', conn='12000/ARQ/V42b', name='', cmd='/usr/lib/ifmail/ifcico', user='**EMSI_INQC816'

==> /var/log/syslog <==
Aug 17 22:57:04 muaddib systemd[1]: mgetty.service: Main process exited, code=killed, status=11/SEGV
Aug 17 22:57:04 muaddib systemd[1]: mgetty.service: Unit entered failed state.
Aug 17 22:57:04 muaddib systemd[1]: mgetty.service: Failed with result 'signal'.
Aug 17 22:57:04 muaddib kernel: [2389715.757624] ifcico[23668]: segfault at 0 ip 000055bf88ec2493 sp 00007ffd1d0b2490 error 6 in ifcico[55bf88eb9000+3e000]
Aug 17 22:57:04 muaddib systemd[1]: mgetty.service: Service hold-off time over, scheduling restart.
Aug 17 22:57:04 muaddib systemd[1]: Stopped Smart Modem Getty(mgetty).
Aug 17 22:57:04 muaddib systemd[1]: Started Smart Modem Getty(mgetty).


It even segfaults when called from the command line:

#  /usr/lib/ifmail/ifcico
Segmentation fault

Strace shows this:

write(2, "creating directory tree for \"/va"..., 54) = 54
mkdir("/var", 0700)                     = -1 EEXIST (File exists)
write(2, "mkdir(\"/var\") errno 17\n", 23) = 23
mkdir("/var/spool", 0700)               = -1 EEXIST (File exists)
write(2, "mkdir(\"/var/spool\") errno 17\n", 29) = 29
mkdir("/var/spool/ftn", 0700)           = -1 EEXIST (File exists)
write(2, "mkdir(\"/var/spool/ftn\") errno 17"..., 33) = 33
mkdir("/var/spool/ftn/inb", 0700)       = -1 EEXIST (File exists)
write(2, "mkdir(\"/var/spool/ftn/inb\") errn"..., 37) = 37
mkdir("/var/spool/ftn/inb/tmp", 0700)   = -1 EEXIST (File exists)
write(2, "mkdir(\"/var/spool/ftn/inb/tmp\") "..., 41) = 41
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/4", 4095) = 10
stat("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/4", 4095) = 10
stat("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 2335
lseek(3, -1476, SEEK_CUR)               = 859
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1476
close(3)                                = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault


... and gdb this:

(gdb) r
Starting program: /usr/lib/ifmail/ifcico

Program received signal SIGSEGV, Segmentation fault.
0x000055555555d493 in ?? ()
(gdb) bt
#0  0x000055555555d493 in ?? ()
#1  0x000055555555e5c9 in ?? ()
#2  0x000055555555eb19 in ?? ()
#3  0x000055555555fb0b in ?? ()
#4  0x000055555556ccfc in ?? ()
#5  0x000055555555f997 in ?? ()
#6  0x000055555555b4ec in ?? ()
#7  0x00007ffff78572b1 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x000055555555b83a in ?? ()
(gdb)

Do you have any idea what might be going on?

Ingo
2:2452/413 ;)

--- System information. ---
Architecture:
Kernel:       Linux 4.9.0-3-amd64

Debian Release: buster/sid
  500 unstable        www.deb-multimedia.org
  500 unstable        ftp.de.debian.org
  500 unstable        download.jitsi.org
--- Package information. ---
Depends               (Version) | Installed
===============================-+-===========
libc6                 (>= 2.14) |
libgdbm3             (>= 1.8.3) |
ifmail                          |
openbsd-inetd                   |
 OR inet-superserver            |

Package's Recommends field is empty.

Package's Suggests field is empty.




--
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
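The kernel line in the syslog excerpt above already says a lot about the crash once its fields are decoded: "segfault at 0" is the address that could not be accessed, and "error 6" is the x86 page-fault error code (bit 0 clear: page not present; bit 1 set: write; bit 2 set: user mode), i.e. a user-space store through a NULL pointer, which agrees with strace's SEGV_MAPERR / si_addr=NULL. Subtracting the mapping base from ip gives the offset of the faulting instruction inside the PIE, which is what `objdump -d --start-address=` or `addr2line` need and which can be compared with the unsymbolised gdb frame #0. The program below is an added example written for this page, not part of ifmail or the bug report; it parses that exact line (the syslog prefix is copied from the report) and assumes gdb's usual non-randomised x86-64 PIE load base of 0x555555554000 when it maps the gdb pc back to an offset, and that the text mapping's first PT_LOAD starts at file offset 0 so that ip - base is directly the address inside the binary.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded form of an x86-64 kernel "segfault at ..." log line. */
struct segv_info {
    uint64_t fault_addr;  /* "segfault at N": address that could not be accessed */
    uint64_t ip;          /* faulting instruction pointer */
    uint64_t sp;
    unsigned err;         /* x86 page-fault error code as printed by the kernel */
    char     exe[64];     /* object that ip fell in */
    uint64_t map_base;    /* start of that mapping */
    uint64_t map_len;
    uint64_t offset;      /* ip - map_base: address inside the (PIE) binary */
    int      not_present; /* err bit 0 clear: the page is not mapped at all */
    int      is_write;    /* err bit 1: the access was a store */
    int      is_user;     /* err bit 2: raised from user mode */
    int      is_ifetch;   /* err bit 4: instruction fetch */
};

/* Parses "...<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <err> in <obj>[<base>+<len>]".
 * Anything before "segfault at" (syslog timestamp, host, kernel tag) is skipped.
 * Returns 0 on success, -1 if the line is not in that form. */
int parse_segv_line(const char *line, struct segv_info *out)
{
    const char *p = strstr(line, "segfault at ");
    if (p == NULL)
        return -1;
    memset(out, 0, sizeof *out);
    int n = sscanf(p,
        "segfault at %" SCNx64 " ip %" SCNx64 " sp %" SCNx64
        " error %u in %63[^[][%" SCNx64 "+%" SCNx64 "]",
        &out->fault_addr, &out->ip, &out->sp, &out->err,
        out->exe, &out->map_base, &out->map_len);
    if (n != 7)
        return -1;
    out->offset      = out->ip - out->map_base;
    out->not_present = !(out->err & 1u);
    out->is_write    = (out->err >> 1) & 1u;
    out->is_user     = (out->err >> 2) & 1u;
    out->is_ifetch   = (out->err >> 4) & 1u;
    return 0;
}

/* Assumption: gdb loads a non-randomised x86-64 PIE at 0x555555554000, so a
 * pc from an unsymbolised gdb frame and the kernel's ip name the same
 * instruction when their offsets from the respective load bases agree. */
uint64_t gdb_pie_offset(uint64_t gdb_pc)
{
    const uint64_t GDB_PIE_BASE = 0x555555554000ULL;
    return gdb_pc - GDB_PIE_BASE;
}

int main(void)
{
    /* The kernel line from the bug report, verbatim. */
    const char *line =
        "Aug 17 22:57:04 muaddib kernel: [2389715.757624] ifcico[23668]: segfault at 0 "
        "ip 000055bf88ec2493 sp 00007ffd1d0b2490 error 6 in ifcico[55bf88eb9000+3e000]";
    struct segv_info si;
    if (parse_segv_line(line, &si) != 0) {
        fprintf(stderr, "unrecognised line\n");
        return 1;
    }
    printf("%s: %s-mode %s to %s page at %#" PRIx64 ", ip at offset %#" PRIx64 " in the binary\n",
           si.exe, si.is_user ? "user" : "kernel",
           si.is_write ? "write" : (si.is_ifetch ? "instruction fetch" : "read"),
           si.not_present ? "unmapped" : "protected", si.fault_addr, si.offset);
    printf("gdb frame #0 pc 0x55555555d493 is offset %#" PRIx64 " under gdb's default base\n",
           gdb_pie_offset(0x55555555d493ULL));
    printf("next step: objdump -d --start-address=%#" PRIx64 " /usr/lib/ifmail/ifcico | head\n",
           si.offset);
    return 0;
}
```

For the line in the report both routes give offset 0x9493, so the kernel log and the symbol-less gdb backtrace in the same post describe one crash site, and the error code says it is a write to address 0 rather than a bad read or a wild jump; that narrows the search to a store through a NULL pointer before anyone has a debug build.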


Bug#872507: Config option causes segfault

Ingo Jürgensmann-10
Hi Marco!

With the help of Kees in the Linux echomail area I found out that the following config option causes the segfault:

options                (time Any0000-2359) NoHold

When commenting this out, ifcico is working as expected. As this is not an easy-to-find error, I’d like to recommend changing the default config accordingly.

--
Ciao...          //        http://blog.windfluechter.net
      Ingo     \X/     XMPP: [hidden email]
       
gpg pubkey:  http://www.juergensmann.de/ij_public_key.asc


Bug#872507: Config option causes segfault

Björn Wiberg-3
In reply to this post by Ingo Jürgensmann-8

Hello Ingo (& Marco)!

On Wed, 30 Aug 2017 22:34:44 +0200 Ingo Jürgensmann <[hidden email]> wrote:

> With the help of Kees in Linux echomail area I found out that the following config option causes the segfault:
>
> options                (time Any0000-2359) NoHold
>
> When commenting this out, ifcico is working as expected. As this is not an easy to find error, I’d like to recommend to change the default config accordingly.

I would also like to point out that from the strace output one is led to believe that /etc/localtime appears to be a major part of the problem, but having ”options …” without any time-based conditions (e.g. having only ”options NoHold”) does not always help either. Like Ingo said, removing all ”options …” is a good start, but on my system, it segfaults as soon as I have one or more ”options …” lines AND/OR ”verbose 1” (or a higher verbosity setting).

So turning on debug output changes the behavior, too.

It sounds very much like some buffer out-of-bounds problem, although to pinpoint it in the source code is easier said than done.

But perhaps adding ”verbose 1” (if this also breaks things for you) might help someone to spot the error.

Best regards

Björn


Bug#872507: Config option causes segfault

Marco d'Itri
In reply to this post by Ingo Jürgensmann-10
On Aug 30, Ingo Jürgensmann <[hidden email]> wrote:

> When commenting this out, ifcico is working as expected. As this is not an easy to find error, I’d like to recommend to change the default config accordingly.
It segfaults in the parser, but I know nothing about flex so I cannot
fix it.
I suppose that something changed in flex long ago and broke this ancient
code.

Program received signal SIGSEGV, Segmentation fault.
0x000055555555de4f in yylex () at lex.yy.c:813
813 *yy_cp = (yy_hold_char);
(gdb) where
#0  0x000055555555de4f in yylex () at lex.yy.c:813
#1  0x000055555555d40a in yyparse () at y.tab.c:1218
#2  0x00005555555605f2 in flagexp (expr=0x5555555b34e0 "time Any0000-2359",
    nl=0x5555555a3360 <nodebuf>) at flagexp.y:128
#3  0x0000555555561a47 in get_modem_string (ms=0x5555555b34c0,
    nlent=0x5555555a3360 <nodebuf>) at modemstr.c:11
#4  0x0000555555573844 in rdoptions (nlent=0x5555555a3360 <nodebuf>)
    at rdoptions.c:44
#5  0x00005555555618c8 in answer (stype=0x0) at answer.c:39
#6  0x000055555555c289 in main (argc=3, argv=0x7fffffffdf98,
    envp=0x7fffffffdfb8) at ifcico.c:258

(gdb) frame 2

(gdb) p *nl
$5 = {addr = {name = 0x0, point = 0, node = 0, net = 0, zone = 0,
    domain = 0x0}, hub = 0, type = 0 '\000', pflag = 4 '\004',
  name = 0x5555555905ce "Unknown", location = 0x5555555905d6 "Nowhere",
  sysop = 0x5555555905de "Sysop", phone = 0x0, speed = 2400, flags = 0,
  uflags = {0x0 <repeats 16 times>}}

(gdb) p expr
$7 = 0x5555555b34e0 "time Any0000-2359"

--
ciao,
Marco


Bug#872507: Config option causes segfault

Göran Weinholt
Marco d'Itri <[hidden email]> writes:

> On Aug 30, Ingo Jürgensmann <[hidden email]> wrote:
>
>> When commenting this out, ifcico is working as expected. As this is not an easy to find error, I’d like to recommend to change the default config accordingly.
> It segfaults in the parser, but I know nothing about flex so I cannot
> fix it.
> I suppose that something changed in flex long ago and broke this ancient
> code.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x000055555555de4f in yylex () at lex.yy.c:813
> 813 *yy_cp = (yy_hold_char);

yy_cp is NULL because of these lines in ifcico/flagexp.y:

| #ifdef FLEX_SCANNER  /* flex requires reinitialization */
| yy_init=1;
| #endif

In the generated flaglex.c, setting yy_init to 1 inhibits
initialization:

| static int yy_init = 0; /* whether we need to initialize */
...
| if ( !(yy_init) )
| {
| (yy_init) = 1;
...

Regards,

--
Göran Weinholt
https://weinholt.se/
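Göran's diagnosis rests on an inversion in the code flex generates: older flex emitted `static int yy_init = 1;` guarded by `if (yy_init) { yy_init = 0; ... }`, so writing `yy_init = 1` from the grammar was the documented way to force the scanner to start over, while flex since the 2.5.3x rewrite emits `static int yy_init = 0;` guarded by `if (!(yy_init)) { (yy_init) = 1; ... }`, where the same write means "already initialised" and the buffer pointer never gets set up. The model below is an added example written for this page, not ifmail's code and not flex's generated scanner; it reproduces just the guard and the first store after it (`*yy_cp = yy_hold_char`, the statement at lex.yy.c:813 in Marco's backtrace) for both conventions, reports the NULL store instead of performing it, and includes a `scanner_restart()` that stands in for what `yyrestart()` / `yy_scan_string()` do in real flex: set the buffer up independently of `yy_init`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which convention the (modelled) generated scanner uses for yy_init:
 *   FLEX_OLD: yy_init starts at 1, "1" means "still needs initialising"
 *   FLEX_NEW: yy_init starts at 0, "1" means "already initialised"        */
enum flex_gen { FLEX_OLD, FLEX_NEW };

struct scanner {
    enum flex_gen gen;
    int   yy_init;        /* the flag the generated guard tests */
    char  buf[64];        /* stands in for the YY_BUFFER_STATE */
    char *yy_cp;          /* scan pointer; NULL until the buffer is set up */
    char  yy_hold_char;
};

/* The guard at the top of yylex(), in both generations. */
static void scanner_init_guard(struct scanner *s)
{
    int need_init = (s->gen == FLEX_OLD) ? (s->yy_init != 0)
                                         : (s->yy_init == 0);
    if (need_init) {
        s->yy_init = (s->gen == FLEX_OLD) ? 0 : 1;
        s->yy_cp = s->buf;              /* buffer created, yy_cp points into it */
        s->yy_hold_char = *s->yy_cp;
    }
}

/* Stand-in for yyrestart()/yy_scan_string(): sets the buffer up regardless
 * of what yy_init says, which is the supported way to re-run a scanner. */
void scanner_restart(struct scanner *s)
{
    s->yy_cp = s->buf;
    s->yy_hold_char = *s->yy_cp;
}

/* Runs the guard and then the first statement after it in the generated
 * code, "*yy_cp = yy_hold_char". The real scanner dereferences unconditionally;
 * the model returns -1 where that store would have gone through NULL. */
int scan_once(struct scanner *s, const char *input)
{
    strncpy(s->buf, input, sizeof s->buf - 1);
    s->buf[sizeof s->buf - 1] = '\0';
    scanner_init_guard(s);
    if (s->yy_cp == NULL)
        return -1;                      /* SIGSEGV, address 0, write: "error 6" */
    *s->yy_cp = s->yy_hold_char;        /* lex.yy.c:813 in the backtrace */
    return 0;
}

/* The flagexp.y pattern: force yy_init = 1 before each parse. */
int parse_with_forced_reinit(enum flex_gen gen, const char *expr)
{
    struct scanner s;
    memset(&s, 0, sizeof s);
    s.gen = gen;
    s.yy_init = 1;                      /* "flex requires reinitialization" */
    return scan_once(&s, expr);
}

/* Same grammar without the hack: yy_init left at the generator's own start value. */
int parse_without_hack(enum flex_gen gen, const char *expr)
{
    struct scanner s;
    memset(&s, 0, sizeof s);
    s.gen = gen;
    s.yy_init = (gen == FLEX_OLD) ? 1 : 0;
    return scan_once(&s, expr);
}

/* Re-running under the new convention the supported way: restart, don't poke the flag. */
int parse_with_restart(enum flex_gen gen, const char *expr)
{
    struct scanner s;
    memset(&s, 0, sizeof s);
    s.gen = gen;
    s.yy_init = 1;                      /* pretend a previous parse already ran */
    scanner_restart(&s);
    return scan_once(&s, expr);
}

int main(void)
{
    const char *expr = "time Any0000-2359";   /* the option string from frame #2 */
    printf("old flex, yy_init=1 forced : %d\n", parse_with_forced_reinit(FLEX_OLD, expr));
    printf("new flex, yy_init=1 forced : %d  (NULL store, the reported segfault)\n",
           parse_with_forced_reinit(FLEX_NEW, expr));
    printf("new flex, no hack          : %d\n", parse_without_hack(FLEX_NEW, expr));
    printf("new flex, restart API      : %d\n", parse_with_restart(FLEX_NEW, expr));
    return 0;
}
```

The model also explains why the crash only appears once an `options` line with a flag expression is present: `flagexp()` is the only caller that sets `yy_init = 1` and then enters `yylex()`, so a config without such lines never reaches the guard with the flag already set.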