LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: LEDE Project
Opened by Marcin Jurkowski - 01.09.2017
Last edited by Hans Dedecker - 16.10.2017

FS#994 - dnsmasq repeatedly crashes due to invalid write access

This happens repeatedly on the ramips target (Nexx WT3020) with dnsmasq version 2.77-9:

do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 009d5000
epc = 7766aae4 in libc.so[775f8000+92000]
ra  = 00406e05 in dnsmasq[400000+21000]

Return address 0x00406e05 corresponds to line 1231 in src/rfc1035.c:

1231   if (ntohs(header->ancount) != 0 ||
1232       ntohs(header->nscount) != 0 ||
1233       ntohs(header->qdcount) == 0 ||
1234       OPCODE(header) != QUERY )
1235     return 0;

It's impossible to identify the line number for program counter 0x7766aae4 (EPC seems invalid); however, the only MUSL function called is ntohs:

#include <stdint.h>
#include <netinet/in.h>
#include <byteswap.h>

/* musl's ntohs: swap bytes only on a little-endian host */
uint16_t ntohs(uint16_t n)
{
        union { int i; char c; } u = { 1 };
        return u.c ? bswap_16(n) : n;
}

This issue has been reported in bug #251.

Is it a bug in dnsmasq itself, gcc, MUSL or some linking issue?

Closed by Hans Dedecker
16.10.2017 09:05
Reason for closing: Fixed
Additional comments about closing: Fixed in dnsmasq v2.78

Baptiste Jonglez commented on 02.09.2017 06:41

I think this is fixed by https://git.lede-project.org/ca7933730681bf3a42261fdf045dc1d929cbee48

Please try dnsmasq 2.77-10

Christian Kujau commented on 02.09.2017 07:29

As mentioned in FS#251, this was indeed a bug in dnsmasq and dnsmasq 2.77-10 does indeed fix the issue for me. Thanks for committing the fix so quickly!

Marcin Jurkowski commented on 02.09.2017 10:35

Then it's yet another issue. In my case the return address is src/rfc1035.c:1231, not src/rfc1035.c:1228, and the problem still exists in release 10:

[24765.577349] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a3f000
[24765.594344] epc = 77bedec0 in libc.so[77b7b000+92000]
[24765.604458] ra  = 00406e05 in dnsmasq[400000+21000]
[24769.206101] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 0088e000
[24769.223124] epc = 779b9ec0 in libc.so[77947000+92000]
[24769.233240] ra  = 00406e05 in dnsmasq[400000+21000]
[24896.049121] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 006f4000
[24896.066035] epc = 77d50eb8 in libc.so[77cde000+92000]
[24896.076129] ra  = 00406e05 in dnsmasq[400000+21000]
[25012.530166] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00b07000
[25012.547072] epc = 77435ed0 in libc.so[773c3000+92000]
[25012.557170] ra  = 00406e05 in dnsmasq[400000+21000]
[25213.195928] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 006f9000
[25213.212813] epc = 779c0ec0 in libc.so[7794e000+92000]
[25213.222940] ra  = 00406e05 in dnsmasq[400000+21000]
[25217.511738] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00b06000
[25217.528643] epc = 770c2ec0 in libc.so[77050000+92000]
[25217.538749] ra  = 00406e05 in dnsmasq[400000+21000]
[25351.294752] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a00000
[25351.311763] epc = 77f52ed0 in libc.so[77ee0000+92000]
[25351.321881] ra  = 00406e05 in dnsmasq[400000+21000]
[25357.126580] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00beb000
[25357.143485] epc = 7784cec0 in libc.so[777da000+92000]
[25357.153585] ra  = 00406e05 in dnsmasq[400000+21000]
[25573.914415] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00930000
[25573.931322] epc = 775f9ec0 in libc.so[77587000+92000]
[25573.941423] ra  = 00406e05 in dnsmasq[400000+21000]
[25577.487255] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a3c000
[25577.504169] epc = 7753fed0 in libc.so[774cd000+92000]
[25577.514282] ra  = 00406e05 in dnsmasq[400000+21000]

Unfortunately I don't know how to reproduce it. I'll try to comment out memset and see if it helps.

Marcin Jurkowski commented on 02.09.2017 13:57

Added some logging and it looks like a dnsmasq issue. It's trying to memset a negative number of bytes.
I'll report the problem upstream.
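
An added example, not dnsmasq's or musl's own code: a C header check with the same four conditions the report quotes from rfc1035.c:1231, plus a guarded tail-clearing routine that shows why a negative length handed to memset turns into a write past the end of the mapping. The struct, function names and sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Wire layout of a DNS header (RFC 1035, 12 bytes), local to this example. */
struct dns_header {
    uint16_t id;
    uint8_t  hb3;        /* QR | OPCODE(4) | AA | TC | RD */
    uint8_t  hb4;        /* RA | Z(3) | RCODE(4) */
    uint16_t qdcount, ancount, nscount, arcount;
};
#define OPCODE(h) (((h)->hb3 >> 3) & 0x0f)
#define QUERY 0
/* The four conditions the reporter found at rfc1035.c:1231, preceded by a
 * length check so a truncated packet is rejected before any field is read. */
int header_is_plain_query(const uint8_t *pkt, size_t len)
{
    struct dns_header h;
    if (len < sizeof h)
        return 0;
    memcpy(&h, pkt, sizeof h);   /* copy out: no unaligned loads on MIPS */
    if (ntohs(h.ancount) != 0 || ntohs(h.nscount) != 0 ||
        ntohs(h.qdcount) == 0 || OPCODE(&h) != QUERY)
        return 0;
    return 1;
}
/* Clear the unused tail of a buffer. A signed (cap - used) with used > cap is
 * negative; memset converts it to a size_t near SIZE_MAX and writes off the
 * mapping, the "memset a negative number of bytes" symptom in this report.
 * Guard first; return bytes cleared, or -1 if the bookkeeping is inconsistent. */
long zero_tail(uint8_t *buf, size_t cap, size_t used)
{
    if (used > cap)
        return -1;
    memset(buf + used, 0, cap - used);
    return (long)(cap - used);
}
/* Constructed samples (not captured traffic): a standard query with one
 * question, and a response to it (QR set, ancount = 1). */
static const uint8_t sample_query[12]    = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0};
static const uint8_t sample_response[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
/* Fill 16 bytes with 0xff, clear everything from `used` on, return the count
 * cleared; a `used` past the end returns -1 instead of a wild write. */
long zero_tail_demo(size_t used)
{
    uint8_t buf[16];
    memset(buf, 0xff, sizeof buf);
    return zero_tail(buf, sizeof buf, used);
}
```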

Christian Kujau commented on 13.10.2017 04:26

I think the remaining issues are now fixed with dnsmasq v2.78.

Project Manager
Hans Dedecker commented on 13.10.2017 06:42

@Marcin Jurkowski Can you confirm no dnsmasq crashes are observed anymore with version 2.78?

Marcin Jurkowski commented on 16.10.2017 08:36

After several days of testing I can confirm that the problem is solved.

As a side note: the code that caused memory corruption seems to be completely removed in version 2.78.
