segmentation faults cf3-r434

> Hello,
>
>
> running on CentOS 5.3 / RHEL5.3 32 and 64bit , cf3 trunk build 434.
> When compiling cf3 without special options the cf-agent binary is
> throwing a segfault after every run.
> When disabling FORTIFY_SOURCE with CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"
> the binary is running somewhat stable ... but on configuration errors it
> still reacts sometimes with segmentation faults. The bad side is that
> cf-agent intends to go into failsafe mode but never does because of the
> segfault.
> Below you can find some examples.
>
> -- this seems to be reproducable -------------------------
>
> looks like when cf-agent is called with the -f option and through the
> path variable (not direct path) it is segfaulting ...
> Same happens when instead of the -f option an broken promise is
> configured. The agent will segfault.
>
>> this is fine
> [root@mir inputs]# /var/cfengine/bin/cf-agent -K -f testing/hello_world.cf
> R: Hello World
>
>> this is bad
> root@mir inputs]# cf-agent -K -f testing/hello_world.cf
> R: Hello World
> *** buffer overflow detected ***: cf-agent terminated
> ======= Backtrace: =========
> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
> cf-agent[0x809f95e]
> cf-agent[0x809fefa]
>
> another example.
> ----- wrong defined body should not finish in a segfault of cf-agent
> --------------------
>
> [root@mir inputs]# cf-agent -K
> cf3:/var/cfengine/inputs/sys/main.cf:3,1: Redefinition of body control
> for common is a broken promise, near token '{'
> cf3:/var/cfengine/inputs/sys/main.cf:12,20: Redefinition of input list
> (broken promise), near token '}'
> Summarizing promises as text to /var/cfengine/inputs/promises.cf.txt
> Summarizing promises as html to /var/cfengine/inputs/promises.cf.html
> cf-agent was not able to get confirmation of promises from cf-promises,
> so going to failsafe
> *** buffer overflow detected ***: cf-agent terminated
> ======= Backtrace: =========
> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
> cf-agent[0x809f95e]
> cf-agent[0x809fefa]
> cf-agent[0x804cba4]
> /lib/i686/nosegneg/libc.so.6(__libc_start_main+0xdc)[0x835e8c]
> cf-agent[0x804ad51]
>
> well it never goes into failsafe because of the segfault and my clients
> will become unmanaged through this.
>
> --------------------------------------------------
>
>
> and yet another example. I was trying to fill an slist with
> execresult("/bin/ls /mydir/*.cf","noshell") and divine what. The
> cf-agent process dies with a segmentation fault .... but this one is
> different than the others ;)
>
> when using execresult to get a dynamic configfile list all processes do
> segfaults
> cf3   > Parsing file /var/cfengine/inputs/sys/update.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/library.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/server.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/cfengine_maintenance.cf
> Segmentation fault
>
> ------ details ---
> GetVariable(global,files_unixnews): using scope 'global' for variable
> 'files_unixnews'
> return final variable type=slist, value={
> /bin/ls: /var/cfengine/unixnews.ch/*.cf: No such file or directory}
> ExpandPrivateRval(scope=sys,type=/)
> Cannot append X to rval-list [(null)]
> Segmentation fault
> -------------------------
>
>
> ------- slist for dynmic variables finishes with segfault
> ---------------------
> GetVariable(global,files_unixnews): using scope 'global' for variable
> 'files_unixnews'
> return final variable type=slist, value={
> hostname_test.cf main.cf}
> ExpandPrivateRval(scope=sys,type=n)
> Cannot append X to rval-list [(null)]
> Segmentation fault
>
>
>
> Thanks in advance for reviewing.
> Kind regards
> marco
>
>
>
>
>
>
>
>

> Hello,
>
>
> running on CentOS 5.3 / RHEL5.3 32 and 64bit , cf3 trunk build 434.
> When compiling cf3 without special options the cf-agent binary is
> throwing a segfault after every run.
> When disabling FORTIFY_SOURCE with CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"
> the binary is running somewhat stable ... but on configuration errors it
> still reacts sometimes with segmentation faults. The bad side is that
> cf-agent intends to go into failsafe mode but never does because of the
> segfault.
> Below you can find some examples.
>
> -- this seems to be reproducable -------------------------
>
> looks like when cf-agent is called with the -f option and through the
> path variable (not direct path) it is segfaulting ...
> Same happens when instead of the -f option an broken promise is
> configured. The agent will segfault.
>
>> this is fine
> [root@mir inputs]# /var/cfengine/bin/cf-agent -K -f testing/hello_world.cf
> R: Hello World
>
>> this is bad
> root@mir inputs]# cf-agent -K -f testing/hello_world.cf
> R: Hello World
> *** buffer overflow detected ***: cf-agent terminated
> ======= Backtrace: =========
> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
> cf-agent[0x809f95e]
> cf-agent[0x809fefa]
>
> another example.
> ----- wrong defined body should not finish in a segfault of cf-agent
> --------------------
>
> [root@mir inputs]# cf-agent -K
> cf3:/var/cfengine/inputs/sys/main.cf:3,1: Redefinition of body control
> for common is a broken promise, near token '{'
> cf3:/var/cfengine/inputs/sys/main.cf:12,20: Redefinition of input list
> (broken promise), near token '}'
> Summarizing promises as text to /var/cfengine/inputs/promises.cf.txt
> Summarizing promises as html to /var/cfengine/inputs/promises.cf.html
> cf-agent was not able to get confirmation of promises from cf-promises,
> so going to failsafe
> *** buffer overflow detected ***: cf-agent terminated
> ======= Backtrace: =========
> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
> cf-agent[0x809f95e]
> cf-agent[0x809fefa]
> cf-agent[0x804cba4]
> /lib/i686/nosegneg/libc.so.6(__libc_start_main+0xdc)[0x835e8c]
> cf-agent[0x804ad51]
>
> well it never goes into failsafe because of the segfault and my clients
> will become unmanaged through this.
>
> --------------------------------------------------
>
>
> and yet another example. I was trying to fill an slist with
> execresult("/bin/ls /mydir/*.cf","noshell") and divine what. The
> cf-agent process dies with a segmentation fault .... but this one is
> different than the others ;)
>
> when using execresult to get a dynamic configfile list all processes do
> segfaults
> cf3   > Parsing file /var/cfengine/inputs/sys/update.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/library.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/server.cf
> cf3   > Parsing file /var/cfengine/inputs/sys/cfengine_maintenance.cf
> Segmentation fault
>
> ------ details ---
> GetVariable(global,files_unixnews): using scope 'global' for variable
> 'files_unixnews'
> return final variable type=slist, value={
> /bin/ls: /var/cfengine/unixnews.ch/*.cf: No such file or directory}
> ExpandPrivateRval(scope=sys,type=/)
> Cannot append X to rval-list [(null)]
> Segmentation fault
> -------------------------
>
>
> ------- slist for dynmic variables finishes with segfault
> ---------------------
> GetVariable(global,files_unixnews): using scope 'global' for variable
> 'files_unixnews'
> return final variable type=slist, value={
> hostname_test.cf main.cf}
> ExpandPrivateRval(scope=sys,type=n)
> Cannot append X to rval-list [(null)]
> Segmentation fault
>
>
>
> Thanks in advance for reviewing.
> Kind regards
> marco
>
>
>
>
>
>
>
>

-----BEGIN PGP SIGNATURE-----

> "most uncertain component of computer systems are humans !"
>
> First of all - my appoligies . Everything I said yesterday about the
> segfaults is not so critical as it seems to be.
>
> I found out why I was not able to reproduce the segmentation faults at
> work. On my testsystem (home) I had an "old" version of cf-binaries
> installed into /usr/local/bin and a new one in /var/cfengine/bin.
> (old: FORTIFY_SOURCE enabled, new: FORITFY_SOURCE=0). So when executing
> cf-agent through the $PATH the /usr/local/bin variant was called and for
> sure this one creates the segmentation faults.
>
> So I am sorry for this and to bring it together.
>
> When using  : CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"  no segmentation
> faults will happen !.
>
> But I took the time and created a gdb backtrace of the faulty cf-agent
> version. If you want you can have a look into it, or throw it in the
> trashbin - it's up to you.
>
>
> Sorry again.
>
> Best regards
> marco
>
>
>
>
> Mark Burgess wrote:
>> You could also try running through Valgrind
>> M
>
>> Marco Hoehle wrote:
>>> Hello,
>>>
>>>
>>> running on CentOS 5.3 / RHEL5.3 32 and 64bit , cf3 trunk build 434.
>>> When compiling cf3 without special options the cf-agent binary is
>>> throwing a segfault after every run.
>>> When disabling FORTIFY_SOURCE with CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"
>>> the binary is running somewhat stable ... but on configuration errors it
>>> still reacts sometimes with segmentation faults. The bad side is that
>>> cf-agent intends to go into failsafe mode but never does because of the
>>> segfault.
>>> Below you can find some examples.
>>>
>>> -- this seems to be reproducable -------------------------
>>>
>>> looks like when cf-agent is called with the -f option and through the
>>> path variable (not direct path) it is segfaulting ...
>>> Same happens when instead of the -f option an broken promise is
>>> configured. The agent will segfault.
>>>
>>>> this is fine
>>> [root@mir inputs]# /var/cfengine/bin/cf-agent -K -f testing/hello_world.cf
>>> R: Hello World
>>>
>>>> this is bad
>>> root@mir inputs]# cf-agent -K -f testing/hello_world.cf
>>> R: Hello World
>>> *** buffer overflow detected ***: cf-agent terminated
>>> ======= Backtrace: =========
>>> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
>>> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
>>> cf-agent[0x809f95e]
>>> cf-agent[0x809fefa]
>>>
>>> another example.
>>> ----- wrong defined body should not finish in a segfault of cf-agent
>>> --------------------
>>>
>>> [root@mir inputs]# cf-agent -K
>>> cf3:/var/cfengine/inputs/sys/main.cf:3,1: Redefinition of body control
>>> for common is a broken promise, near token '{'
>>> cf3:/var/cfengine/inputs/sys/main.cf:12,20: Redefinition of input list
>>> (broken promise), near token '}'
>>> Summarizing promises as text to /var/cfengine/inputs/promises.cf.txt
>>> Summarizing promises as html to /var/cfengine/inputs/promises.cf.html
>>> cf-agent was not able to get confirmation of promises from cf-promises,
>>> so going to failsafe
>>> *** buffer overflow detected ***: cf-agent terminated
>>> ======= Backtrace: =========
>>> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
>>> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
>>> cf-agent[0x809f95e]
>>> cf-agent[0x809fefa]
>>> cf-agent[0x804cba4]
>>> /lib/i686/nosegneg/libc.so.6(__libc_start_main+0xdc)[0x835e8c]
>>> cf-agent[0x804ad51]
>>>
>>> well it never goes into failsafe because of the segfault and my clients
>>> will become unmanaged through this.
>>>
>>> --------------------------------------------------
>>>
>>>
>>> and yet another example. I was trying to fill an slist with
>>> execresult("/bin/ls /mydir/*.cf","noshell") and divine what. The
>>> cf-agent process dies with a segmentation fault .... but this one is
>>> different than the others ;)
>>>
>>> when using execresult to get a dynamic configfile list all processes do
>>> segfaults
>>> cf3   > Parsing file /var/cfengine/inputs/sys/update.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/library.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/server.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/cfengine_maintenance.cf
>>> Segmentation fault
>>>
>>> ------ details ---
>>> GetVariable(global,files_unixnews): using scope 'global' for variable
>>> 'files_unixnews'
>>> return final variable type=slist, value={
>>> /bin/ls: /var/cfengine/unixnews.ch/*.cf: No such file or directory}
>>> ExpandPrivateRval(scope=sys,type=/)
>>> Cannot append X to rval-list [(null)]
>>> Segmentation fault
>>> -------------------------
>>>
>>>
>>> ------- slist for dynmic variables finishes with segfault
>>> ---------------------
>>> GetVariable(global,files_unixnews): using scope 'global' for variable
>>> 'files_unixnews'
>>> return final variable type=slist, value={
>>> hostname_test.cf main.cf}
>>> ExpandPrivateRval(scope=sys,type=n)
>>> Cannot append X to rval-list [(null)]
>>> Segmentation fault
>>>
>>>
>>>
>>> Thanks in advance for reviewing.
>>> Kind regards
>>> marco
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>> _______________________________________________
>> Bug-cfengine mailing list
>> Bug-cfengine@...
>> https://cfengine.org/mailman/listinfo/bug-cfengine
>

> "most uncertain component of computer systems are humans !"
>
> First of all - my appoligies . Everything I said yesterday about the
> segfaults is not so critical as it seems to be.
>
> I found out why I was not able to reproduce the segmentation faults at
> work. On my testsystem (home) I had an "old" version of cf-binaries
> installed into /usr/local/bin and a new one in /var/cfengine/bin.
> (old: FORTIFY_SOURCE enabled, new: FORITFY_SOURCE=0). So when executing
> cf-agent through the $PATH the /usr/local/bin variant was called and for
> sure this one creates the segmentation faults.
>
> So I am sorry for this and to bring it together.
>
> When using  : CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"  no segmentation
> faults will happen !.
>
> But I took the time and created a gdb backtrace of the faulty cf-agent
> version. If you want you can have a look into it, or throw it in the
> trashbin - it's up to you.
>
>
> Sorry again.
>
> Best regards
> marco
>
>
>
>
> Mark Burgess wrote:
>> You could also try running through Valgrind
>> M
>
>> Marco Hoehle wrote:
>>> Hello,
>>>
>>>
>>> running on CentOS 5.3 / RHEL5.3 32 and 64bit , cf3 trunk build 434.
>>> When compiling cf3 without special options the cf-agent binary is
>>> throwing a segfault after every run.
>>> When disabling FORTIFY_SOURCE with CFLAGS="-g -O2 -D_FORTIFY_SOURCE=0"
>>> the binary is running somewhat stable ... but on configuration errors it
>>> still reacts sometimes with segmentation faults. The bad side is that
>>> cf-agent intends to go into failsafe mode but never does because of the
>>> segfault.
>>> Below you can find some examples.
>>>
>>> -- this seems to be reproducable -------------------------
>>>
>>> looks like when cf-agent is called with the -f option and through the
>>> path variable (not direct path) it is segfaulting ...
>>> Same happens when instead of the -f option an broken promise is
>>> configured. The agent will segfault.
>>>
>>>> this is fine
>>> [root@mir inputs]# /var/cfengine/bin/cf-agent -K -f testing/hello_world.cf
>>> R: Hello World
>>>
>>>> this is bad
>>> root@mir inputs]# cf-agent -K -f testing/hello_world.cf
>>> R: Hello World
>>> *** buffer overflow detected ***: cf-agent terminated
>>> ======= Backtrace: =========
>>> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
>>> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
>>> cf-agent[0x809f95e]
>>> cf-agent[0x809fefa]
>>>
>>> another example.
>>> ----- wrong defined body should not finish in a segfault of cf-agent
>>> --------------------
>>>
>>> [root@mir inputs]# cf-agent -K
>>> cf3:/var/cfengine/inputs/sys/main.cf:3,1: Redefinition of body control
>>> for common is a broken promise, near token '{'
>>> cf3:/var/cfengine/inputs/sys/main.cf:12,20: Redefinition of input list
>>> (broken promise), near token '}'
>>> Summarizing promises as text to /var/cfengine/inputs/promises.cf.txt
>>> Summarizing promises as html to /var/cfengine/inputs/promises.cf.html
>>> cf-agent was not able to get confirmation of promises from cf-promises,
>>> so going to failsafe
>>> *** buffer overflow detected ***: cf-agent terminated
>>> ======= Backtrace: =========
>>> /lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x907f61]
>>> /lib/i686/nosegneg/libc.so.6(__strcpy_chk+0x43)[0x907383]
>>> cf-agent[0x809f95e]
>>> cf-agent[0x809fefa]
>>> cf-agent[0x804cba4]
>>> /lib/i686/nosegneg/libc.so.6(__libc_start_main+0xdc)[0x835e8c]
>>> cf-agent[0x804ad51]
>>>
>>> well it never goes into failsafe because of the segfault and my clients
>>> will become unmanaged through this.
>>>
>>> --------------------------------------------------
>>>
>>>
>>> and yet another example. I was trying to fill an slist with
>>> execresult("/bin/ls /mydir/*.cf","noshell") and divine what. The
>>> cf-agent process dies with a segmentation fault .... but this one is
>>> different than the others ;)
>>>
>>> when using execresult to get a dynamic configfile list all processes do
>>> segfaults
>>> cf3   > Parsing file /var/cfengine/inputs/sys/update.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/library.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/server.cf
>>> cf3   > Parsing file /var/cfengine/inputs/sys/cfengine_maintenance.cf
>>> Segmentation fault
>>>
>>> ------ details ---
>>> GetVariable(global,files_unixnews): using scope 'global' for variable
>>> 'files_unixnews'
>>> return final variable type=slist, value={
>>> /bin/ls: /var/cfengine/unixnews.ch/*.cf: No such file or directory}
>>> ExpandPrivateRval(scope=sys,type=/)
>>> Cannot append X to rval-list [(null)]
>>> Segmentation fault
>>> -------------------------
>>>
>>>
>>> ------- slist for dynmic variables finishes with segfault
>>> ---------------------
>>> GetVariable(global,files_unixnews): using scope 'global' for variable
>>> 'files_unixnews'
>>> return final variable type=slist, value={
>>> hostname_test.cf main.cf}
>>> ExpandPrivateRval(scope=sys,type=n)
>>> Cannot append X to rval-list [(null)]
>>> Segmentation fault
>>>
>>>
>>>
>>> Thanks in advance for reviewing.
>>> Kind regards
>>> marco
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>> _______________________________________________
>> Bug-cfengine mailing list
>> Bug-cfengine@...
>> https://cfengine.org/mailman/listinfo/bug-cfengine
>