open-power / petitboot

GNU General Public License v2.0
212 stars 56 forks source link

pb-discover crashes with a malformed DHCP URL for the pxeconffile #92

Closed legoater closed 2 years ago

legoater commented 2 years ago

The petitboot discover logs show an error when parsing an URL from a DCHP message :

  udhcpc6: started, v1.30.1
  udhcpc: sending discover
  udhcpc6: sending discover
  udhcpc: sending select for 172.17.0.124
  udhcpc: lease of 172.17.0.124 obtained, lease time 43200
  deleting routers
  adding dns 172.16.103.5
  [18:09:37] trying parsers for enP5p1s0f0
  [18:09:37] pb_url_parse: parse path failed '172.17.103.20.':''

and crashes soon afterwards, leaving the system with only a shell running.

Extract from pb-udhcpc.log :

paramstr=' pxeconffile=http://172.17.103.20/.'"'"':'"'"' . 80/tftpboot/pxelinux.cfg/p/172.17.0.0_16 mac=08:94:ef:81:14:5d ip=172.17.0.124 siaddr=172.17.103.20 serverid=172.16.103.5'
  pxeconffile='http://172.17.103.20/.'"'"':'"'"' . 80/tftpboot/pxelinux.cfg/p/172.17.0.0_16'

It can be reproduced and a QEMU PowerNV machine with a libvirt bridge it necessary.

legoater commented 2 years ago

Analysis of the coredump file shows a corruption, the user_event_boot() routine is called with an event action = EVENT_ACTION_DHCP.

  (gdb) bt
  #0  talloc_reference (context=0x1030103070602, ptr=0x0)
      at lib/talloc/talloc.c:271
  #1  0x0000000010013490 in user_event_boot (uev=0x264f9988, event=0x264ff6c8)
      at discover/user-event.c:486
  #2  user_event_handle_message (len=<optimized out>, buf=0x7fffdffb0c70 "dhcp", 
      uev=0x264f9988) at discover/user-event.c:665
  #3  user_event_process (arg=0x264f9988) at discover/user-event.c:710
  #4  0x0000000010024664 in read_string (ctx=0x0, pos=0x264fabf8, 
      len=0x264f3bc8, str=0x264f3bc8) at lib/pb-protocol/pb-protocol.c:147
  #5  0x000000001000e364 in conf_strip_str (
      s=0x100507b8 <native_parser> "\316.\003\020") at discover/parser-conf.c:57
  #6  conf_strip_str (s=<optimized out>) at discover/parser-conf.c:44
  #7  0x0000000000000000 in ?? ()
  (gdb) p *((struct event *)0x264ff6c8)
  $2 = {type = EVENT_TYPE_USER, action = EVENT_ACTION_DHCP, 
    device = 0x26504b38 "enP5p1s0f0", params = 0x26504ea8, n_params = 7}
  (gdb) p *((struct user_event *)0x264f9988)
  $3 = {handler = 0x264f97f8, socket = 9}
  (gdb) p *(struct device_handler *)0x264f97f8
  $4 = {server = 0x264f3c78, dry_run = 0, udev = 0x264f8da8,
    network = 0x264faa98, user_event = 0x264f9988, devices = 0x26508568,
    n_devices = 9, ramdisks = 0x265011d8, n_ramdisks = 16, waitset = 0x264f3bc8,
    timeout_waiter = 0x264ff628, autoboot_enabled = true, sec_to_boot = 8,
    temp_autoboot = 0x0, default_boot_option = 0x26500d48,
    last_boot_option = 0x26500d48, default_boot_option_priority = 4,
    unresolved_boot_options = {head = {prev = 0x264f9878, next = 0x264f9878}},
    pending_boot = 0x0, pending_boot_is_default = false, progress = {head = {
        prev = 0x264f9898, next = 0x264f9898}}, n_progress = 0, plugins = 0x0,
    n_plugins = 0, plugin_installing = false, crypt_devices = {head = {
  prev = 0x264f98c0, next = 0x264f98c0}}}