** Changed in: ntp (Ubuntu)
Importance: Undecided => Low

** Changed in: ntp (Ubuntu)
Milestone: None => ubuntu-12.04.5
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

The remove_ and delete_ functions remove the current element from the
asyncio_reader_list, and free it, respectively.

We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element,
whose contents are now scrambled by having link pointers, etc, from internal malloc state overlaying the data.

This loop should probably extract the ->link pointer prior to calling
->receiver(), as that function can free the asyncio_reader object in
question. (LP: #1481388)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Ubuntu)
Milestone: ubuntu-12.04.5 => trusty-updates

** Changed in: ntp (Ubuntu)
Milestone: trusty-updates => None
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Also affects: ntp (Ubuntu Trusty)
Importance: Undecided
Status: New

** Also affects: ntp (Ubuntu Wily)
Importance: Low
Assignee: eric.desrochers (eric-desrochers-z)
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Information type changed from Private to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ntp (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ntp (Ubuntu Trusty)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Ubuntu Trusty)
Assignee: (unassigned) => eric.desrochers (eric-desrochers-z)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

Unfortunately, I can't reproduce the behaviour on my side.
I'm providing a hotfix[1] based on the upstream commit[2] that addressed the issue.

If you can reproduce the problem, please test the hotfix and provide
feedbacks.

[1] https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1481388/+packages
[2] d6df9d3 [Bug 2224] Use-after-free in routing socket code after dropping root

Thanks !
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

I was able to reproduce the problem on PRECISE (12.04) by lowering the
kernel parameter value "net.core.rmem_max".

And then test my .deb build on my PPA[1] with the following upstream
commits :

- d6df9d3 [Bug 2224] Use-after-free in routing socket code after dropping root.
- db47bd4 [Bug 2890] Ignore ENOBUFS on routing netlink socket.

What the patch does ?
===
The program first "read" from the fd. On success, the number of bytes written into buf is
returned. On error, the call returns −1 and sets errno

If the call returns -1, then there is a verification to validate if the
errno == ENOBUFS

and then send to syslog the following message : "routing socket reports:
No buffer space available"

Otherwise, if errno is NOT ENOBUFS, then it close the socket
(remove_asyncio_reader(reader);) and free the memory space
(delete_asyncio_reader(reader);)

And send to syslog the following message : i/o error on routing socket
No buffer space available - disabling

Before this patch, no matter what was the errno, it was automatically
close() and free() without validation if ENOBUFS or not.

To summarize, the patch allow the program to not close() and free() the socket when the a errno == ENOBUFS occur, but still send a message in syslog to notify the administrator.
===

If after installing the patch, you are receiving this kind of message in
/var/log/syslog : "routing socket reports: No buffer space available"
The next step, would be to increase the "net.core.rmem_max" and
"net.core.wmem_max"values equally until the "routing socket reports: No
buffer space available" message no longer showed up.


[1] 1:4.2.6.p3+dfsg-1ubuntu3.4+20150820lp1481388~2
https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1481388
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Also affects: ntp (Ubuntu Vivid)
Importance: Undecided
Status: New

** Also affects: ntp (Ubuntu Precise)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Ubuntu Precise)
Assignee: (unassigned) => Eric Desrochers (eric-desrochers-z)

** Changed in: ntp (Ubuntu Vivid)
Assignee: (unassigned) => Eric Desrochers (eric-desrochers-z)

** Changed in: ntp (Ubuntu Precise)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Ubuntu Precise)
Importance: Undecided => Medium

** Changed in: ntp (Ubuntu Vivid)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for precise

** Patch added: "debdiff for precise"
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+attachment/4452908/+files/lp1481388_precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for precise


** Description changed:

+ [Impact]
+
+ * User experienced repeated segfaults at the same instruction pointer
+
+ i/o error on routing socket No buffer space available - disabling
+ segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]
+
+ The remove_ and delete_ functions remove the current element from the
+ asyncio_reader_list, and free it, respectively.
+
+ We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element, whose contents are (in theory) now scrambled
+ by having link pointers, etc, from internal malloc state overlaying the data.
+
+ [Test Case]
+
+ You can easily reproduce the bug by :
+
+ - Lowering the sysctl value net.core.rmem_max
+
+ $ sysctl -w net.core.wmem_max=<LOWER_VALUE>
+ This sets the max OS send buffer size for all types of connections.
+
+ - Adding multiple network interfaces and static routes.
+
+ [Regression Potential]
+
+ None expected since the fix is already available upstream
+ (https://github.com/ntp-project/ntp.git) and Debian package.
+
+ If after installing the patch, user are receiving this kind of message in /var/log/syslog : "routing socket reports: No buffer space available".
+ The next step, would be to increase the "net.core.rmem_max" and "net.core.wmem_max" values equally until the "routing socket reports: No buffer space available" message no longer showed up.
+
+ [Other Info]
+
+ NTP upstream (https://github.com/ntp-project/ntp.git)
+ [Bug 2224] Use-after-free in routing socket code after dropping root. - Commit: d6df9d3
+ [Bug 2890] Ignore ENOBUFS on routing netlink socket. - Commit: db47bd4
+
+ The use-after-free bug has been fix in Debian release (closes: #795315)
+ Will submit the ignore-ENOBUFS-on-routing-netlink-socket in Debian in the next days.
+
+ [Original Description]
+
We have 1 server (among hundreds) that its ntp service is crashing.

A few minute/seconds after a start attempts we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic

I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol.

** Tags added: verification-done

** Changed in: ntp (Ubuntu Precise)
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for precise
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for precise
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

The attachment "debdiff for precise" seems to be a debdiff. The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff. If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

I also noticed the situation can be reproduced at boot if the value of
"net.core.rmem_default" is too low.

I reproduced it by only lowering the "net.core.rmem_default = 2000"
value with 6 network interface at boot.

ntpd[851]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
ntpd[851]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[851]: Listen and drop on 1 v6wildcard :: UDP 123
ntpd[851]: Listen normally on 2 eth1 192.168.1.10 UDP 123
ntpd[851]: Listen normally on 3 eth2 192.168.2.10 UDP 123
ntpd[851]: Listen normally on 4 eth3 192.168.3.10 UDP 123
ntpd[851]: Listen normally on 5 eth4 192.168.4.10 UDP 123
ntpd[851]: Listen normally on 6 eth5 192.168.5.10 UDP 123
ntpd[851]: Listen normally on 7 eth6 192.168.6.10 UDP 123
ntpd[851]: peers refreshed
ntpd[851]: Listening on routing socket on fd #24 for interface updates
ntpd[851]: Deferring DNS for 0.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 1.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 2.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 3.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for ntp.ubuntu.com 1
ntpd[864]: signal_no_reset: signal 17 had flags 4000000
===> ntpd[851]: i/o error on routing socket No buffer space available - disabling <===
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for trusty

** Patch added: "1:4.2.6.p5+dfsg-3ubuntu2.14.04.4"
https://bugs.launchpad.net/ubuntu/precise/+source/ntp/+bug/1481388/+attachment/4453392/+files/lp1481388_trusty.debdiff

** Changed in: ntp (Ubuntu Trusty)
Status: Confirmed => In Progress

** Changed in: ntp (Ubuntu Trusty)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for Vivid

** Patch added: "debdiff for Vivid"
https://bugs.launchpad.net/ubuntu/precise/+source/ntp/+bug/1481388/+attachment/4455714/+files/lp1481388_vivid.debdiff

** Changed in: ntp (Ubuntu Vivid)
Status: Confirmed => In Progress

** Changed in: ntp (Ubuntu Vivid)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Patch removed: "debdiff for Vivid"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4455714/+files/lp1481388_vivid.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for vivid

** Patch added: "debdiff for vivid"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456186/+files/lp1481388_vivid.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

debdiff for wily

** Patch added: "debdiff for wily"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456187/+files/lp1481388_wily.debdiff

** Changed in: ntp (Ubuntu Wily)
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Ubuntu Wily)
Importance: Low => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions

** Bug watch added: Debian Bug tracker #795315
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795315

** Also affects: ntp (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795315
Importance: Unknown
Status: Unknown

** Bug watch added: bugs.ntp.org/ #2224
http://bugs.ntp.org/show_bug.cgi?id=2224

** Also affects: ntp via
http://bugs.ntp.org/show_bug.cgi?id=2224
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

ACK on the debdiffs, thanks!

I've slightly modified the whitespace in the changelog and have added
the bug number, and have uploaded it to wily, and to the other releases
for processing by the SRU team.


** Tags removed: verification-done

** Changed in: ntp (Ubuntu Wily)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu7

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu7) wily; urgency=medium

* Fix use-after-free in routing socket code (LP: #1481388)
- debian/patches/use-after-free-in-routing-socket.patch
fix logic in ntpd/ntp_io.c
* Fix to ignore ENOBUFS on routing netlink socket
- debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
fix logic in ntpd/ntp_io.c

-- Eric Desrochers <***@canonical.com> Wed, 02 Sep 2015
09:57:16 -0400

** Changed in: ntp (Ubuntu Wily)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Branch linked: lp:ubuntu/ntp
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Hello Eric, or anyone else affected,

Accepted ntp into trusty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-
3ubuntu2.14.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: ntp (Ubuntu Trusty)
Status: In Progress => Fix Committed

** Tags added: verification-needed

** Changed in: ntp (Ubuntu Precise)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Hello Eric, or anyone else affected,

Accepted ntp into precise-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-
1ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: ntp (Ubuntu Vivid)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Hello Eric, or anyone else affected,

Accepted ntp into vivid-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-
3ubuntu6.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Branch linked: lp:ubuntu/vivid-proposed/ntp

** Branch linked: lp:ubuntu/precise-proposed/ntp

** Branch linked: lp:~ubuntu-branches/ubuntu/trusty/ntp/trusty-proposed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Changed in: ntp (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

I tried to reproduce the problem by lowering {r,w}mem_max on Precise and
Trusty's *unpatched* version to no avail. On the up side, I couldn't
find any regression with the update version.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Err, I meant I couldn't reproduce the issue with and without the patch.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Simon, you may want to add a few ethernet interfaces and static routes.

I was able to reproduce it with ~6 network interface.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Eric, I don't know if that's a good test case but on my patched Trusty
box:

***@xeon:~# uname -a
Linux xeon 3.13.0-63-generic #103-Ubuntu SMP Fri Aug 14 21:42:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
***@xeon:~# sysctl net.core.wmem_max=4650
net.core.wmem_max = 4700
***@xeon:~# sysctl net.core.rmem_max=2400
net.core.rmem_max = 2400
***@xeon:~# (ip -4 ro ; ip -6 ro) | wc -l
43
***@xeon:~# (ip -4 a; ip -6 a) | grep -c inet
34
***@xeon:~# ip link | grep -c link
23
***@xeon:~# dpkg -l | awk '{if ($2 == "ntp") print $3}'
1:4.2.6.p5+dfsg-3ubuntu2.14.04.4
***@xeon:~# /etc/init.d/ntp restart
***@xeon:~# netstat -puant | grep -c ntpd
36

Then syslog shows nothing abnormal. It says "Listen normally on
{2..35}". FYI, many of those interfaces a vnetX interfaces belonging to
VMs so I don't know if they really count. Trying to lower {r,w}mem_max
even more result in "Invalid argument". Please let me know if I'm doing
something wrong.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Eric, I've been running the proposed version on many systems and haven't
found any regression. Do you think this would be ready to move on to
-updates now?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Has anyone who was able to reproduce the original crash tested the
packages from trusty-proposed (or precise or vivid) to check that the
crash is actually fixed?

It's good that it doesn't seem to regress anything, but we also want to
know whether it *fixes* anything :)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Good evening Chris,

This bug has been brought to my attention by someone in the community.
Unfortunately, I never had a confirmation from him if the fix solve his
issue or not... but as state in comment #5 & #11, I've been able to
reproduce the problem and make sure it addressed the situation.

The reproducer is basically to lower down the value of
"net.core.[m-r]mem_default" and adding multiples network interface +
static route.

FYI, the same fix has been also applied in Debian

ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795315

Let me know if you need anything else.

Thanks !
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

This SRU has been shadowed by a security update and needs to be re-
merged.

** Changed in: ntp (Ubuntu Precise)
Status: Fix Committed => In Progress

** Changed in: ntp (Ubuntu Trusty)
Status: Fix Committed => In Progress

** Changed in: ntp (Ubuntu Vivid)
Status: Fix Committed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Good evening Mathew,

Does it mean I need to re-do the debdiffs ?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

I think it is probably necessary to rebase the debdiffs on the new
versions in case there are any confilcts. There were a lot of changes as
you can see here http://www.ubuntu.com/usn/usn-2783-1/ .

I don't have direct knowledge of the code though.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Hi Mathew,

I have the knowledge of the code, I will rebase the debdiffs for V/T/P

Note: I checked and Xenial has the patch already.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Patch removed: "debdiff for precise"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4452908/+files/lp1481388_precise.debdiff

** Patch removed: "debdiff for trusty"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4453392/+files/lp1481388_trusty.debdiff

** Patch removed: "debdiff for vivid"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4456186/+files/lp1481388_vivid.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Here is the rebase debdiff for Trusty

** Patch added: "Rebase Trusty debdiff"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508494/+files/lp1481388_rebase_trusty.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Here is the rebase debdiff for Precise

** Patch added: "Rebase Precise debdiff"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508496/+files/lp1481388_rebase_precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

Here is the rebase debdiff for Vivid

** Patch added: "Rebase Vivid debdiff"
https://bugs.launchpad.net/ubuntu/vivid/+source/ntp/+bug/1481388/+attachment/4508498/+files/lp1481388_rebase_vivid.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Tags added: sts
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

sponsored to precise/trusty/vivid (though i'm unsure vivid is useful
since it's not the current stable)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

I've been using the -proposed package on 15 Trusty machines since it was
published. Again, I never was able to reproduce the original problem but
I saw no regression either.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Tags removed: verification-done
** Tags added: verification-done-trusty verification-needed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu6.3

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu6.3) vivid; urgency=medium

* Fix use-after-free in routing socket code (closes: #795315)
- debian/patches/use-after-free-in-routing-socket.patch:
fix logic in ntpd/ntp_io.c (LP: #1481388)

-- Eric Desrochers <***@canonical.com> Thu, 29 Oct 2015
09:18:12 -0400

** Changed in: ntp (Ubuntu Vivid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

The verification of the Stable Release Update for ntp has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

This bug was fixed in the package ntp - 1:4.2.6.p3+dfsg-1ubuntu3.7

---------------
ntp (1:4.2.6.p3+dfsg-1ubuntu3.7) precise; urgency=medium

* Fix use-after-free in routing socket code (closes: #795315)
- debian/patches/use-after-free-in-routing-socket.patch:
fix logic in ntpd/ntp_io.c (LP: #1481388)

-- Eric Desrochers <***@canonical.com> Thu, 29 Oct 2015
09:47:20 -0400

** Changed in: ntp (Ubuntu Precise)
Status: Fix Committed => Fix Released

** Changed in: ntp (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu2.14.04.6

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.6) trusty; urgency=medium

* Fix use-after-free in routing socket code (closes: #795315)
- debian/patches/use-after-free-in-routing-socket.patch:
fix logic in ntpd/ntp_io.c (LP: #1481388)

-- Eric Desrochers <***@canonical.com> Thu, 29 Oct 2015
09:34:22 -0400
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481388

Title:
NTP : Use-after-free in routing socket code after dropping root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1481388/+subscriptions