-
Bug
-
Resolution: Done
-
Undefined
-
None
-
rhel-9.4
-
None
-
None
-
Moderate
-
rhel-sst-cs-system-management
-
ssg_core_services
-
None
-
False
-
-
None
-
Red Hat Enterprise Linux
-
None
-
None
-
None
-
-
All
-
None
What were you trying to do that didn't work?
A customer experiences regular crashes of snmpd when the interfaces are checked for any update:
Core was generated by `/usr/sbin/snmpd -LS0-6d -f'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fbc82abbc23 in _check_interface_entry_for_updates (rowreq_ctx=0x564be3a00570, cdc=0x7ffcd581e360)
at mibgroup/if-mib/ifTable/ifTable_data_access.c:317
317 int lastchanged = rowreq_ctx->data.ifLastChange;
(gdb) list
312 static void
313 _check_interface_entry_for_updates(ifTable_rowreq_ctx * rowreq_ctx,
314 cd_container *cdc)
315 {
316 char oper_changed = 0;
317 int lastchanged = rowreq_ctx->data.ifLastChange;
318 netsnmp_container *ifcontainer = cdc->current;
319
320 /*
321 * check for matching entry. We can do this directly, since
(gdb) p *rowreq_ctx
$1 = {oid_idx = {len = 94883941367392, oids = 0x564be39d1930}, oid_tmp = {0}, tbl_idx = {ifIndex = 0}, data = {
ifLinkUpDownTrapEnable = 0, ifAlias = '\000' <repeats 63 times>, ifAlias_len = 0,
ifCounterDiscontinuityTime = 0, ifentry = 0x0}, undo = 0x0, column_set_flags = 0, rowreq_flags = 0,
known_missing = 1 '\001', undo_ref_count = 0 '\000', ifTable_data_list = 0x0}
(gdb) p rowreq_ctx->data->ifentry
$2 = (netsnmp_interface_entry *) 0x0
Here above ifLastChange is a macro expanding to ifentry->lastchange.
We have the ifentry field be 0, hence it cannot be dereferenced. The entire context rowreq_ctx seems mostly initialized to 0, which tends to indicate the structure got cleared just before this call occurred.
This seems to occur because of docker workload on the system which constantly creates/destroys new "veth" interfaces.
Having given a build of snmpd with ASAN+UBSAN support, it happens nothing else can be seen but the accessed structure is in a 0 page (which we know already from above):
==3392585==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x7f0ced2c31e9 bp 0x6030000b2f90 sp 0x7ffebb05b690 T0)
==3392585==The signal is caused by a READ memory access.
==3392585==Hint: address points to the zero page.
#0 0x7f0ced2c31e9 in _check_interface_entry_for_updates (/lib64/libnetsnmpmibs.so.40+0xc31e9)
#1 0x7f0cee09a4e1 in _ba_for_each (/lib64/libnetsnmp.so.40+0xa84e1)
#2 0x7f0ced2c3c53 in ifTable_container_load (/lib64/libnetsnmpmibs.so.40+0xc3c53)
#3 0x7f0cee110a83 in _cache_load (/lib64/libnetsnmpagent.so.40+0x1aa83)
#4 0x7f0cee073529 in run_alarms (/lib64/libnetsnmp.so.40+0x81529)
#5 0x561873dde6e1 in receive (/usr/sbin/snmpd+0xb6e1)
#6 0x561873ddca10 in main (/usr/sbin/snmpd+0x9a10)
#7 0x7f0cece2958f in __libc_start_call_main (/lib64/libc.so.6+0x2958f)
#8 0x7f0cece2963f in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2963f)
#9 0x561873dddce4 in _start (/usr/sbin/snmpd+0xace4)
Please provide the package NVR for which bug is seen:
net-snmp-5.9.1-13.el9
How reproducible:
Often on custom system
Steps to reproduce
- Start snmpd with default configuration
- Start/stop docker containers repeatedly
Expected results
No crash
Actual results
Regular crashes
