Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 109662

Summary: net-snmp-5.2.1.2-r1 segfault when start in a amd64 hardened system
Product: Gentoo Linux Reporter: Steve Yin <steve>
Component: Current packagesAssignee: Gentoo Netmon project <netmon>
Status: RESOLVED NEEDINFO    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Steve Yin 2005-10-17 21:07:52 UTC 
the snmpd segfault and exit right after the init script was done, here is the
message logged to kernel

snmpd[30975]: segfault at 0000000000000001 rip 000036e6dc92e7ad rsp 00007917f599
7ad0 error 4
grsec: From 192.168.0.2: denied resource overstep by requesting 4096 for RLIMIT_
CORE against limit 0 for /usr/sbin/snmpd[snmpd:30975] uid/euid:0/0 gid/egid:0/0,
 parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I'm using Dual-Xeon with 64bit system, here is my emerge info

Portage 2.0.51.22-r3 (hardened/amd64, gcc-3.4.4, glibc-2.3.5-r2, 2.6.13-hardened
 x86_64)
=================================================================
System uname: 2.6.13-hardened x86_64 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe -fforce-addr -pipe -msse3 -msse2 -mfpmath=sse -D
NDEBUG -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X1
1/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=nocona -O2 -pipe -fforce-addr -pipe -msse3 -msse2 -mfpmath=sse 
-DNDEBUG -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://192.168.0.1 http://mirror.datapipe.net/pub/gentoo http://
mirror.datapipe.net/pub/gentoo"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://owl.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib accessibility acl acpi adns aim alsa amd64 apache2 ap
m atlas authdaemond avi bash-completion bcmath berkdb bidi bitmap-fonts bluetoot
h bmp bonobo bzip2 bzlib calendar canna caps cdparanoia cdr cjk crypt cscope cty
pe cups curl curlwrappers dbase dbm dbx dedicated dio dmx dv dvd dvdr dvdread em
acs-w3 encode esd ethereal evo exif expat fam fastcgi fbcon ffmpeg flac flash fl
atfile foomaticdb fortran freetds freetype freewnn ftp gb gd gdbm geoip gif gimp
print ginac glut gmp gnome gnustep gnutls gphoto2 gpm gps gstreamer gtk gtk2 gtk
html guile hal hardened icc-pgo iconv icq idn imagemagick imap imlib inifile inn
odb ipv6 ithreads jabber java javascript jikes joystick jpeg junit justify kde k
erberos ladcca lcms ldap leim lesstif libedit libg++ libgda libwww lirc lm_senso
rs logrotate m17n-lib maildir mailwrapper matroska mcal mcve memlimit mhash mikm
od milter mime ming mmap mng motif mp3 mpeg mpi msn mule mysql mysqli ncurses ne
Xt netcdf nhc98 nis nls nocardbus nocd nptl nptlonly odbc offensive ofx openal o
pengl oscar pam pcmcia pcntl pcre pda pdflib perl php pic pie plotutils png pnp 
posix postgres ppds prelude profile python qt quicktime readline recode ruby sam
ba sasl scanner session sftplogging sharedext sharedmem shorten simplexml skey s
lang slp snmp soap sockets socks5 sox speex spell spl sqlite ssl svg symlink sys
fs sysvipc szip tcltk tcpd tetex theora threads tidy tiff tokenizer truetype tru
sted unicode usb v4l vcd vhosts videos voodoo3 wavelan wddx wifi wmf wxwindows x
face xine xinerama xml xml2 xmlrpc xosd xpm xprint xsl xv xvid yahoo yaz zeo zli
b userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

note, the 2.6.13 kernel was used because 2.6.11 also segfault.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 solar (RETIRED) gentoo-dev 2005-10-18 07:11:52 UTC 
You must remove -DNDEBUG from your CFLAGS before and recompile before anybody
will check this bug.
I'd suggest relaxing the other cflags also. (sse2/3 are known to misbehave) 
but the NDEBUG in CFLAGS is probably one of the worst ideas you could ever do.
Comment 2 Steve Yin 2005-10-21 02:00:22 UTC 
no difference, I changed my cflags as these:
CFLAGS="-march=nocona -O2 -pipe -fforce-addr -pipe -fomit-frame-pointer"

and the use flag:

[ebuild   R   ] net-analyzer/net-snmp-5.2.1.2-r1  +X -doc -elf +ipv6 +lm_sensors
 -minimal +perl -rpm (-selinux) +smux +ssl +tcpd 0 kB 

after I rebuild snmpd without -DNDEBUG there is no segfault any more, but, It
still not work, show me this:

Oct 21 16:54:38 [kernel] grsec: From 192.168.0.2: denied resource overstep by re
questing 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/snmpd[snmpd:30585] u
id/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Comment 3 solar (RETIRED) gentoo-dev 2005-10-22 13:14:16 UTC 
I don't own an amd64 so please try to pinpoint it down to which CFLAG/USE= flag
Comment 4 Steve Yin 2005-10-24 23:42:34 UTC 
no, after I set CFLAGS="" and set USE=elf, USE="-elf -dmux", snmpd still report
RLIMIT_CORE thing like above, I've tried snmp-5.1x, also killed by grsec.

ct 25 14:38:18 [kernel] grsec: From 192.168.0.2: denied resource overstep by re
questing 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/snmpd[snmpd:31944] u
id/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

and, I don't think this problem is related to CFLAGS/USE, just like
glibc-2.3.5-r1  problem on hardened system.
Comment 5 Joacim Wicander 2005-10-28 23:47:11 UTC 
I get the same error with net-snmp-5.2.1.2-r1on a AMD 64, not hardened, when USE
lm_sensors is added to my make.conf.
If i remove lm_sensors the snmpd process runs perfectly.

emerge --info:
Portage 2.0.53_rc6 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r3,
2.6.13-gentoo-r5-devil x86_64)
=================================================================
System uname: 2.6.13-gentoo-r5-devil x86_64 AMD Athlon(tm) 64 Processor 3800+
Gentoo Base System version 1.12.0_pre9
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -march=athlon64 -ffast-math -funroll-loops -funit-at-a-time
-fpeel-loops -ftracer -funswitch-loops -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=athlon64 -ffast-math -funroll-loops -funit-at-a-time
-fpeel-loops -ftracer -funswitch-loops -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.du.se/pub/os/gentoo/ http://mirror.pudas.net/gentoo/
http://gentoo.eliteitminds.com http://gentoo.mirror.icd.hu/
ftp://mir.zyrianes.net/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -Wl,--strip-all"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X alsa amd64 avi bash-completion bitmap-fonts browserplugin bzlib cdr crypt
cups curl dvd dvdr eds emboss encode esd fam fbcon flac foomaticdb fortran gd
gif gnome gpm gstreamer gtk gtk2 hal howl imlib imlib2 ipv6 java jpeg lzw
lzw-tiff mad mfd-rewrites mozilla mp3 mpeg ncurses nls nptl nvidia ogg opengl
pam pdflib perl png python quicktime readline samba sdl snmp spell sqlite ssl
sysvipc tcpd tiff truetype truetype-fonts type1-fonts udev usb userlocales
vorbis xine xml xml2 xmms xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LINGUAS
Comment 6 solar (RETIRED) gentoo-dev 2005-10-30 05:52:50 UTC 
Removing hardened from CC as comment #5 explains this is in lm_sensors.


Note netmon herd:

Dont be overly shocked about bugs on 64bit systems. 
I talked with the net-snmp author some time ago and the story I got was that 64bit 
support is limited and improper results can happen when polling OID's.
Comment 7 Markus Ullmann (RETIRED) gentoo-dev 2006-02-01 08:17:06 UTC 
so should we drop the lm_sensors use flag for amd64 then?
Comment 8 Marcelo Goes (RETIRED) gentoo-dev 2006-02-01 09:20:16 UTC 
Some days ago I dropped lm_sensors support in all ebuilds. The patch we have has a memory leak, etc. This is bug 109785. A user just pointed out that lm_sensors works without our patch, so perhaps we can just drop the patch and use net-snmp's built-in lm_sensors support. Maybe it fixes this bug, too.
Comment 9 Markus Ullmann (RETIRED) gentoo-dev 2006-10-08 12:17:04 UTC 
Is this still an issue?
Comment 10 Markus Ullmann (RETIRED) gentoo-dev 2006-10-22 15:46:04 UTC 
Feel free to reopen if it is still an issue with latest version in tree