ISC_PLATFORM_USEBACKTRACE

Gary E. Miller gem at rellim.com
Wed May 31 20:19:39 UTC 2017


Yo Hal!

On Wed, 31 May 2017 01:02:13 -0700
Hal Murray <hmurray at megapathdsl.net> wrote:

> > I'm pretty sure we are not talking about the same thing.  
> 
> OK.  Let me try again.
> 
> Your hex numbers are useless unless we can turn them into some
> reference to the code.

Yup, that was my point.

> Can you try something like
>     gdb <your ntpd>
>     print /a <your hex number>

Nope.  We have LTO, ASR, and a bunch of other things making the
addresses not repeatable.  Every time I intentionally crash ntpd
at the same spot the stack IPs are unique.

And using gpsd requires that ntpd is built with --enable-debug-gdb.

But, as I said earlier, backtrace_symbols() does seem to provide a
smidgen of improvement, equal to what your gdb trick might do, if it
actually worked like you thought it would.

Only thing is this all requires gcc.  So far.  clang may have some
equivalent options.

> If that prints something useful, then we are on the right track.

So, wrong track.

> > And, I added print statements so I know all the seccomp calls are
> > made and seem to behave as expected.  But no way can I force a
> > seccomp fail.   
> 
> Weird.  My usual problem is that it goes off when I don't want it to.

Yup.

> You might try strace to see if it gets to the kernel.  It won't cost
> much. There is the skeleton of a recipe in ntp_sandbox.c so you don't
> even have to read the man page.
>   *  sudo strace -t -f -o<filename> <path-to-ntpd> <args>

Gack, I hate sudo...

So, after checking a bunch of syscalls, I found some that will fail:

#if 0
        SCMP_SYS(read),
        SCMP_SYS(recvfrom),
        SCMP_SYS(recvmsg),
        SCMP_SYS(rename),
#endif

Then I get this:

05-31T13:10:38 ntpd[7311]: sandbox: seccomp enabled.
Bad system call

So the code that is supposed to catch that is not really working.  No
backtrace will work until I can actually catch the bad call.

Here is the strace:

fcntl(6, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(6, {sa_family=AF_INET6, sin6_port=htons(2947), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = ?
+++ killed by SIGSYS +++
Bad system call

So this trap catcher, in ntpd/ntp_sandbox.c, is not working:

static void catchTrap(int sig)

I think this, in ntpd/ntp_sandbox.c is where it is set:

        signal_no_reset(SIGSYS, catchTrap);

I have seen catchTrap() catch other things....

Any ideas?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
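
Added example, not part of the original message and not ntpsec code: a SIGSYS handler only runs when the seccomp filter returns SECCOMP_RET_TRAP, while SECCOMP_RET_KILL ends the task with no handler call, which strace reports as "killed by SIGSYS". The message does not say which action ntpd's filter uses; run_filtered(), on_sigsys() and the choice of getppid as the blocked syscall are assumptions made for this demonstration.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* SIGSYS handler: si_syscall is the number of the blocked syscall. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    _exit(si->si_syscall == SYS_getppid ? 42 : 43); /* async-signal-safe */
}

/* Fork a child that blocks getppid with `action`, then calls it.
 * Returns the child's exit code, or -(signal) if it was killed. */
int run_filtered(unsigned int action) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Demo filter; a production filter must also check seccomp_data.arch. */
        struct sock_filter f[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, action),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = { .len = 4, .filter = f };
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_sigsys;
        sa.sa_flags = SA_SIGINFO;      /* needed to receive siginfo_t */
        sigaction(SIGSYS, &sa, NULL);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(99);
        syscall(SYS_getppid);          /* triggers the filter */
        _exit(0);                      /* reached only if the call was allowed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? -WTERMSIG(st) : WEXITSTATUS(st);
}

int main(void) {
    printf("TRAP: %d\n", run_filtered(SECCOMP_RET_TRAP)); /* handler ran */
    printf("KILL: %d\n", run_filtered(SECCOMP_RET_KILL)); /* killed by SIGSYS */
    return 0;
}
```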