FS#994 - dnsmasq repeatedly crashes due to invalid write access #5998

Closed
openwrt-bot opened this issue Sep 1, 2017 · 7 comments
@openwrt-bot

marcin1j:

This happens repeatedly on ramips target (Nexx WT3020) with dnsmasq version 2.77-9:

do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 009d5000
epc = 7766aae4 in libc.so[775f8000+92000]
ra = 00406e05 in dnsmasq[400000+21000]

Return address 0x00406e05 corresponds to line 1231 in src/rfc1035.c:

1231 if (ntohs(header->ancount) != 0 ||
1232 ntohs(header->nscount) != 0 ||
1233 ntohs(header->qdcount) == 0 ||
1234 OPCODE(header) != QUERY )
1235 return 0;

It's impossible to identify the line number for program counter 0x7766aae4 (EPC seems invalid); however, the only MUSL function called is ntohs:

uint16_t ntohs(uint16_t n)
{
	union { int i; char c; } u = { 1 };
	return u.c ? bswap_16(n) : n;
}

This issue has been reported in bug #251.

Is it a bug in dnsmasq itself, gcc, MUSL or some linking issue?

@openwrt-bot

bjonglez:

I think this is fixed by https://git.lede-project.org/ca7933730681bf3a42261fdf045dc1d929cbee48

Please try dnsmasq 2.77-10

@openwrt-bot

ckujau:

As mentioned in FS#251, this was indeed a [bug in dnsmasq](http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011704.html) and dnsmasq 2.77-10 does indeed fix the issue for me. Thanks for committing the fix so quickly!

@openwrt-bot

marcin1j:

Then it's yet another issue. In my case the return address is src/rfc1035.c:1231, not src/rfc1035.c:1228, and the problem still exists in release 10:

[24765.577349] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a3f000
[24765.594344] epc = 77bedec0 in libc.so[77b7b000+92000]
[24765.604458] ra = 00406e05 in dnsmasq[400000+21000]
[24769.206101] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 0088e000
[24769.223124] epc = 779b9ec0 in libc.so[77947000+92000]
[24769.233240] ra = 00406e05 in dnsmasq[400000+21000]
[24896.049121] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 006f4000
[24896.066035] epc = 77d50eb8 in libc.so[77cde000+92000]
[24896.076129] ra = 00406e05 in dnsmasq[400000+21000]
[25012.530166] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00b07000
[25012.547072] epc = 77435ed0 in libc.so[773c3000+92000]
[25012.557170] ra = 00406e05 in dnsmasq[400000+21000]
[25213.195928] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 006f9000
[25213.212813] epc = 779c0ec0 in libc.so[7794e000+92000]
[25213.222940] ra = 00406e05 in dnsmasq[400000+21000]
[25217.511738] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00b06000
[25217.528643] epc = 770c2ec0 in libc.so[77050000+92000]
[25217.538749] ra = 00406e05 in dnsmasq[400000+21000]
[25351.294752] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a00000
[25351.311763] epc = 77f52ed0 in libc.so[77ee0000+92000]
[25351.321881] ra = 00406e05 in dnsmasq[400000+21000]
[25357.126580] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00beb000
[25357.143485] epc = 7784cec0 in libc.so[777da000+92000]
[25357.153585] ra = 00406e05 in dnsmasq[400000+21000]
[25573.914415] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00930000
[25573.931322] epc = 775f9ec0 in libc.so[77587000+92000]
[25573.941423] ra = 00406e05 in dnsmasq[400000+21000]
[25577.487255] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a3c000
[25577.504169] epc = 7753fed0 in libc.so[774cd000+92000]
[25577.514282] ra = 00406e05 in dnsmasq[400000+21000]

Unfortunately I don't know how to reproduce it. I'll try to comment out memset and see if it helps.
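
A triage aid for the kernel log in the comment above (an added example, not part of the original thread and not dnsmasq or OpenWrt code): it parses `do_page_fault()` records, reduces `epc` and `ra` to module-relative offsets so crashes can be compared across runs with different load addresses, and checks whether each faulting address is page-aligned, the pattern a linear write running off the end of a mapping produces. The function names and the 4 KiB page size are assumptions; the sample holds three records copied from that log.

```python
import re
from collections import Counter

# Three fault records copied from the log quoted in the issue.
SAMPLE_LOG = """\
[24765.577349] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00a3f000
[24765.594344] epc = 77bedec0 in libc.so[77b7b000+92000]
[24765.604458] ra = 00406e05 in dnsmasq[400000+21000]
[24896.049121] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 006f4000
[24896.066035] epc = 77d50eb8 in libc.so[77cde000+92000]
[24896.076129] ra = 00406e05 in dnsmasq[400000+21000]
[25012.530166] do_page_fault(): sending SIGSEGV to dnsmasq for invalid write access to 00b07000
[25012.547072] epc = 77435ed0 in libc.so[773c3000+92000]
[25012.557170] ra = 00406e05 in dnsmasq[400000+21000]
"""

# Matches either the fault header or an "epc"/"ra" register line; scanning the
# whole text (not line by line) also copes with records pasted onto one line.
TOKEN_RE = re.compile(
    r"sending SIGSEGV to (?P<proc>\S+) for invalid (?P<kind>read|write) access to (?P<addr>[0-9a-f]+)"
    r"|\b(?P<reg>epc|ra) = (?P<val>[0-9a-f]+) in (?P<mod>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def parse_faults(text):
    """Return one dict per fault with module-relative epc/ra offsets."""
    faults = []
    for m in TOKEN_RE.finditer(text):
        if m["proc"]:
            faults.append({"proc": m["proc"], "kind": m["kind"], "addr": int(m["addr"], 16)})
        elif faults:  # register line belongs to the most recent fault header
            base, size, val = (int(m[k], 16) for k in ("base", "size", "val"))
            # Offset is stable across load addresses; None if outside the mapping.
            off = val - base if base <= val < base + size else None
            faults[-1][m["reg"]] = (m["mod"], off)
    return faults

def summarize(faults, page_size=0x1000):  # 4 KiB pages are an assumption
    """Group crashes by call site and flag page-aligned fault addresses."""
    ra_sites = Counter(f["ra"] for f in faults if "ra" in f)
    epc_offsets = sorted({f["epc"][1] for f in faults
                          if "epc" in f and f["epc"][1] is not None})
    return {"ra_sites": dict(ra_sites),
            "epc_offsets": epc_offsets,
            "page_aligned": all(f["addr"] % page_size == 0 for f in faults)}

if __name__ == "__main__":
    s = summarize(parse_faults(SAMPLE_LOG))
    print(s["ra_sites"], [hex(o) for o in s["epc_offsets"]], s["page_aligned"])
```

Mapping the resulting libc offsets to a symbol requires the `libc.so` binary from the affected firmware image, which is not on this page.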

@openwrt-bot

marcin1j:

Added some logging and looks like a dnsmasq issue. It's trying to memset a negative number of bytes.
I'll report the problem upstream.

@openwrt-bot

ckujau:

I think the remaining issues are now fixed with [dnsmasq v2.78](http://www.thekelleys.org.uk/dnsmasq/CHANGELOG).

@openwrt-bot

dedeckeh:

@marcin Jurkowski Can you confirm no dnsmasq crashes are observed anymore with version 2.78?

@openwrt-bot

marcin1j:

After several days of testing I can confirm that the problem is solved.

As a side note: the code that caused memory corruption seems to be completely removed in version 2.78.
