Segfault in mmap_fgets_multiline
Florian Hars
hars at bik-gmbh.de
Thu Oct 2 17:45:59 CEST 2008
I tried running Nagios 3.0.3 on a recent OpenBSD snapshot and (apart from
the gd problems due to a lack of libttf) hit on the problem that nagios
segfaults in mmap_fgets_multiline. Not on every run, but if it segfaults,
it always segfaults at the same place in the code.
It looks related to http://archive.netbsd.se/?ml=nagios-users&a=2008-05&t=7383489
-------------- snip --------------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 11262, thread 0x81cf3000]
0x1c03c42d in mmap_fgets_multiline (temp_mmapfile=0x8318aca0) at utils.c:3486
3486 else if(buf[end]=='\\')
(gdb) l
3481 buf[end+1]='\x0';
3482 break;
3483 }
3484
3485 /* one backslash found, so we should continue reading the next line */
3486 else if(buf[end]=='\\')
3487 buf[end]='\x0';
3488
3489 /* else no continuation marker was found, so break */
3490 else
(gdb) print end
$1 = -1
(gdb) print buf
$2 = 0x7ce6a000 "\n"
(gdb) bt
#0 0x1c03c42d in mmap_fgets_multiline (temp_mmapfile=0x8318aca0) at utils.c:3486
#1 0x1c018757 in read_main_config_file (main_config_file=0x7cecc000 "/usr/local/nagios/etc/nagios.cfg") at config.c:281
#2 0x1c00e0b2 in main (argc=3, argv=0xcfbda84c) at nagios.c:475
(gdb)
It seems to happen in different places in the input file, though:
(gdb) print *temp_mmapfile
$2 = {path = 0x80319600 "/usr/local/nagios/etc/nagios.cfg", mode = 0, fd = 8, file_size = 42546, current_position = 8259, current_line = 244, mmap_buf = 0x7e4a2000}
$4 = {path = 0x80c68600 "/usr/local/nagios/etc/nagios.cfg", mode = 0, fd = 8, file_size = 42546, current_position = 8710, current_line = 258, mmap_buf = 0x8af0c000}
$6 = {path = 0x7fd22340 "/usr/local/nagios/etc/nagios.cfg", mode = 0, fd = 8, file_size = 42546, current_position = 6989, current_line = 211, mmap_buf = 0x883aa000}
$8 = {path = 0x7cb245c0 "/usr/local/nagios/etc/nagios.cfg", mode = 0, fd = 8, file_size = 42546, current_position = 12151, current_line = 375, mmap_buf = 0x83b74000}
$9 = {path = 0x80fdd480 "/usr/local/nagios/etc/nagios.cfg", mode = 0, fd = 8, file_size = 42546, current_position = 7212, current_line = 221, mmap_buf = 0x7c66f000}
Sometimes it even seems to get confused over the real end of the config files:
| LEN: 37, END: 35, BUF=# "TRUE" REGULAR EXPRESSION MATCHING
| BUFNOW: # "TRUE" REGULAR EXPRESSION MATCHING
| LEN: 65, END: 63, BUF=# This option controls whether or not
| Total Warnings: 0
| Total Errors: 0
|
| Things look okay - No serious problems were detected during the pre-flight check
or
| LEN: 71, END: 69, BUF=# This directive is used to specify an event broker module that should
| BUFNOW: # This directive is used to specify an event broker module that should
| LEN: 71, END: 69, BUF=# by loaded by Nagios at start
| Total Warnings: 0
| Total Errors: 0
|
| Things look okay - No serious problems were detected during the pre-flight check
I think these lines make end negative if buf contains just an end of line:
3465 /* handle Windows/DOS CR/LF */
3466 if(len>=2 && buf[len-2]=='\r')
3467 end=len-3;
3468 /* normal Unix LF */
3469 else if(len>=1 && buf[len-1]=='\n')
3470 end=len-2;
3471 else
3472 end=len-1;
But apart from that I am completely confused, as I can see no source of non-determinism in
the code. Maybe it is address randomization: sometimes buf is allocated at the beginning
of a page, so buf[-1] segfaults, and sometimes not, so that the erroneous code continues
to run, yielding undefined behaviour.
Memtest86+ shows nothing suspicious on the machine, so there seems to be no involuntary
hardware RNG involved.
- Florian.
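
The index computation quoted in the message, reproduced as an added example (not part of the original post and not the Nagios source or its eventual fix) and run over constructed sample lines. It goes slightly beyond the case in the post: besides the lone "\n" seen in gdb, a lone "\r\n" and a zero-length buffer also yield end = -1. The guarded helper ends_with_backslash is hypothetical and only shows where a bounds check would sit.

```c
#include <stdio.h>
#include <string.h>

/* End-of-content index, computed exactly as in the lines quoted in the post. */
static int end_index_as_posted(const char *buf, int len)
{
    int end;
    if (len >= 2 && buf[len - 2] == '\r')      /* Windows/DOS CR/LF */
        end = len - 3;
    else if (len >= 1 && buf[len - 1] == '\n') /* normal Unix LF */
        end = len - 2;
    else
        end = len - 1;
    return end;
}

/* Hypothetical guarded test (an assumption, not the Nagios fix): a line with
 * no content before its terminator cannot carry a continuation backslash,
 * so buf[end] is only read when end is a valid index. */
static int ends_with_backslash(const char *buf, int len)
{
    int end = end_index_as_posted(buf, len);
    if (end < 0)
        return 0;
    return buf[end] == '\\';
}

int main(void)
{
    /* Constructed sample lines; the first is the buf value shown in gdb. */
    const char *samples[] = { "\n", "\r\n", "", "a=b\n", "a=b\\\n", "a=b\\\r\n" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = (int)strlen(samples[i]);
        printf("len=%d end=%d continuation=%d\n", len,
               end_index_as_posted(samples[i], len),
               ends_with_backslash(samples[i], len));
    }
    return 0;
}
```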