Hi!

During booting, I currently see dhclient abort with a stack smashing
error. I understand it is built with -fstack-protector by means of the
Debian hardening-wrapper package. I first observed this when upgrading
(amongst other packages) glibc from Richard's 2.13-39+hurd.rbraun.6 to
current debian-ports' 2.13-39+hurd.3. As »ldd /sbin/dhclient« doesn't
show any other shared library dependencies and as isc-dhcp-client itself
has not recently been upgraded (debian-ports' 4.2.2.dfsg.1-5+hurd.2,
installed on 2012-07-13), I'm fairly sure it is some glibc change that
now triggers this behavior, though not necessarily a bug in the exact
diff between these two versions; might also be some unrelated change that
now causes the stack frame layout to change in a way that this bug is now
triggered. Or, it may be due to some other environmental changes, but
unfortunately, for cross-checking, I don't have the binary packages for
Richard's 2.13-39+hurd.rbraun.6 glibc version anymore (but I do have the
sources; though not yet rebuilt them myself). Richard, do you still have
the binary packages available somewhere?

What is being run at booting time is something like »ifup --all«, and I'm
able to reproduce the failure as follows. This is fine:

    # env TZ=Europe/Berlin /sbin/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    can't create /var/lib/dhcp/dhclient./dev/eth0.leases: No such file or directory
    Listening on Socket//dev/eth0
    Sending on Socket//dev/eth0
    DHCPDISCOVER on /dev/eth0 to 255.255.255.255 port 67 interval 5
    DHCPREQUEST on /dev/eth0 to 255.255.255.255 port 67
    DHCPOFFER from 192.168.111.2
    DHCPACK from 192.168.111.2
    can't create /var/lib/dhcp/dhclient./dev/eth0.leases: No such file or directory
    bound to 192.168.111.221 -- renewal in 16252 seconds.

Likewise, a run with »env -i TZ=Europe/Berlin« also is fine. On the
other hand, as soon as TZ is unset:

    # env -u TZ /sbin/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    can't create /var/lib/dhcp/dhclient./dev/eth0.leases: No such file or directory
    Listening on Socket//dev/eth0
    Sending on Socket//dev/eth0
    *** stack smashing detected ***: /sbin/dhclient terminated
    Aborted

Likewise, a completely empty environment, »env -i«, also fails. With TZ
set to an invalid value, it fails even earlier:

    # env TZ=iNvAlId /sbin/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    *** stack smashing detected ***: /sbin/dhclient terminated
    Aborted

I don't see any direct TZ references in the isc-dhcp
4.2.2.dfsg.1-5+hurd.2 source package.

Unfortunately, GDB is of no help either:

    # env TZ=iNvAlId gdb -q --args /sbin/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Reading symbols from /sbin/dhclient...(no debugging symbols found)...done.
    (gdb) r
    Starting program: /sbin/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Cannot access memory at address 0x140e0ad0
    Cannot access memory at address 0x140e0acc

Rebuilding isc-dhcp 4.2.2.dfsg.1-5+hurd.2 fails:

    [...]
    make[3]: Entering directory `/media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/common'
    gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -D_FORTIFY_SOURCE=2 -DLDAP_CONFIGURATION -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -I../bind/include -MT alloc.o -MD -MP -MF .deps/alloc.Tpo -c -o alloc.o alloc.c
    In file included from ../bind/include/isc/sockaddr.h:26:0,
                     from ../bind/include/isc/socket.h:66,
                     from ../includes/omapip/isclib.h:57,
                     from ../includes/dhcpd.h:95,
                     from alloc.c:35:
    ../bind/include/isc/net.h:184:8: error: redefinition of ‘struct in6_pktinfo’
    In file included from ../includes/dhcpd.h:39:0,
                     from alloc.c:35:
    /usr/include/netinet/in.h:471:8: note: originally defined here
    make[3]: *** [alloc.o] Fehler 1
    make[3]: Leaving directory `/media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/common'
    make[2]: *** [all-recursive] Fehler 1
    make[2]: Leaving directory `/media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/common'
    make[1]: *** [all-recursive] Fehler 1
    make[1]: Leaving directory `/media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1'
    make: *** [build-ldap-stamp] Fehler 2

    $ cat -n < bind/include/isc/net.h | grep -C 3 [\ ]*184
       181
       182  #ifndef ISC_PLATFORM_HAVEIN6PKTINFO
       183  /*% IPv6 packet info */
       184  struct in6_pktinfo {
       185      struct in6_addr ipi6_addr; /*%< src/dst IPv6 address */
       186      unsigned int ipi6_ifindex; /*%< send/recv interface index */
       187  };

    $ cat -n < /usr/include/netinet/in.h | grep -C 3 [\ ]*471
       468
       469  #ifdef __USE_GNU
       470  /* IPv6 packet information. */
       471  struct in6_pktinfo
       472    {
       473      struct in6_addr ipi6_addr; /* src/dst IPv6 address */
       474      unsigned int ipi6_ifindex; /* send/recv interface index */

    configure:23208: checking for in6_pktinfo
    configure:23227: gcc -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -I./bind/include -D_FORTIFY_SOURCE=2 conftest.c >&5
    conftest.c: In function 'main':
    conftest.c:52:20: error: storage size of 'xyzzy' isn't known
    conftest.c:52:20: warning: unused variable 'xyzzy' [-Wunused-variable]
    configure:23227: $? = 1
    configure: failed program was:
    [...]
    | #include <sys/types.h>
    | #include <sys/socket.h>
    | #include <netinet/in.h>
    |
    |
    |
    | int
    | main ()
    | {
    | struct in6_pktinfo xyzzy; return (0);
    |   ;
    |   return 0;
    | }
    configure:23232: result: no -- disabling runtime ipv6 support

Forcing a -D_GNU_SOURCE into debian/rules' CFLAGS "solves" this problem,
and (luckily!) I can still reproduce the crash with the resulting
dhclient binary (and GDB still doesn't like it...). If I manually re-do
the link command of dhclient, but remove »-fstack-protector
--param=ssp-buffer-size=4« from that command line (but all the object
files keep it enabled), GDB is of more help (so this is to be filed as an
Open Issue for GCC/GDB).

    # env TZ=iNvAlId gdb -q --args ~thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/client/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    Reading symbols from /media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/client/dhclient...done.
    (gdb) break __stack_chk_fail
    Breakpoint 1 at 0x804d3d0
    (gdb) r
    Starting program: /media/erich/home/thomas/tmp/isc-dhcp-client/debian/isc-dhcp-4.2.2.dfsg.1/client/dhclient -1 -v -pf /run/dhclient./dev/eth0.pid -lf /var/lib/dhcp/dhclient./dev/eth0.leases /dev/eth0
    [...]
    Breakpoint 1, __stack_chk_fail () at stack_chk_fail.c:29
    29      stack_chk_fail.c: No such file or directory.
    (gdb) bt
    #0  __stack_chk_fail () at stack_chk_fail.c:29
    #1  0x0819b514 in __stack_chk_fail_local ()
    #2  0x08071b9b in discover_interfaces (state=state@entry=2) at discover.c:1331
    #3  0x08052468 in main (argc=8, argv=0x1024e04) at dhclient.c:478

So in discover_interfaces it fails. And now I wonder if there's a
coincidence between that function, right near its beginning calling
getifaddrs (via begin_iface_scan), and the Debian eglibc changelog
mentioning »patches/hurd-i386/tg-ifaddrs_v6.diff: New patch, fixes IPv6
addresses in getifaddrs« -- though that patch, while apparently applied
to the 2.13-39+hurd.3 binary packages, does not actually seem to be
present in the source package I retrieved? Am I confused or is Debian
packaging?

Regards,
Thomas
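
Added example, not part of the original mail: a small shell harness that repeats the TZ experiments above (TZ set, TZ alone in an otherwise empty environment, TZ unset, empty environment, invalid TZ) and classifies each run by exit status 134 (SIGABRT) together with the stack-protector message. The names `probe_tz` and `make_stub`, the mode names and the stand-in script are constructed for illustration; the stand-in only mimics the transcripts and is not dhclient.

```shell
#!/bin/sh
# Added example: repeat one command under the TZ variants tried in the mail
# and classify each run. Mode names and the stub are constructed here.

SSP_MARK='*** stack smashing detected ***'

# probe_tz MODE COMMAND...   MODE: set:VALUE | only:VALUE | unset | empty
probe_tz() {
    mode=$1; shift
    out=$(mktemp) || return 2
    status=0
    case $mode in
        set:*)  env TZ="${mode#set:}" "$@" >"$out" 2>&1 || status=$? ;;
        only:*) env -i TZ="${mode#only:}" "$@" >"$out" 2>&1 || status=$? ;;
        unset)  env -u TZ "$@" >"$out" 2>&1 || status=$? ;;
        empty)  env -i "$@" >"$out" 2>&1 || status=$? ;;
        *)      rm -f "$out"; return 2 ;;
    esac
    # 134 = 128 + SIGABRT(6): how the shell reports the abort raised by
    # __stack_chk_fail. Require the marker too, so other aborts are not
    # misfiled as canary failures.
    if [ "$status" -eq 134 ] && grep -qF -- "$SSP_MARK" "$out"; then
        verdict=ssp-abort
    elif [ "$status" -eq 0 ]; then
        verdict=ok
    else
        verdict="fail($status)"
    fi
    rm -f "$out"
    printf '%s\n' "$verdict"
}

# Constructed stand-in, NOT dhclient: mimics the transcripts so the harness
# can be tried offline. Prints the path of the script it writes.
make_stub() {
    stub=$(mktemp) || return 1
    cat >"$stub" <<'EOF'
[ "${TZ-}" = Europe/Berlin ] && { echo bound; exit 0; }
echo "*** stack smashing detected ***: $0 terminated" >&2
kill -s ABRT $$
EOF
    printf '%s\n' "$stub"
}

stub=$(make_stub)
for mode in set:Europe/Berlin only:Europe/Berlin unset empty set:iNvAlId; do
    printf '%-20s %s\n' "$mode" "$(probe_tz "$mode" /bin/sh "$stub")"
done
rm -f "$stub"
```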