Bird routing daemon memory segfault issue submission

Maria Matejka maria.matejka at nic.cz
Thu Jun 22 15:13:56 CEST 2023


Hello!

We'll try to reproduce it locally (which should be trivial) and fix this 
corner case. If any additional information is needed, we'll follow up.

Thank you for your report.
Maria

On 6/22/23 14:52, Kobayashi_Bairuo via Bird-users wrote:
>
> Hello Bird Development Team:
>
> We are AS140731, aka TOHUNET. We use bird as our routing program, and 
> we have a problem that may be related to the memory address of bird.
>
> Here are the problem details:
>
> We designed a function for anycast to balance the unequal length 
> ASPATH between different upstreams and different nodes. It has this 
> structure:
>
> function anycast(int AS;int Region;int Country;int NodeID) {
>     if net ~ [2406:840:eb8c::/48] then
>     {
>         case NodeID {
>             1: {
>                 case AS {
>                     6939: {bgp_path.prepend(140731);bgp_path.prepend(140731);}
>                 }
>             }
>         }
>     }
> }
>
> Among them, AS represents the peer AS of this session, and NodeID 
> represents the ID of this node. After the conditional statement in the 
> case matches the peer AS, as you can see, it will execute 
> bgp_path.prepend, and it works well when the curly braces of the 
> conditional statement are not empty. But the aspath of some of our 
> nodes is long enough that they don't need to be prepended, so we have 
> the following configuration:
>
> function anycast(int AS;int Region;int Country;int NodeID) {
>     if net ~ [2406:840:eb8c::/48] then
>     {
>         case NodeID {
>             1: {
>                 case AS {
>                     6939:     {}
>                 }
>             }
>         }
>     }
> }
>
> Then the problem occurred. In our example, when the Session at 6939 
> was established, the conditional statement matched 6939, but the 
> content in the curly braces was empty. At this time, bird will be 
> automatically killed and restarted by Linux due to a memory segment 
> fault. The following is the information we get in journalctl:
>
> kernel: bird[11433]: segfault at 0 ip 0000559bb2900c28 sp 
> 00007ffcd21d1fc0 error 4 in bird[559bb2886000+9d000]
>
> kernel: Code: 8b 7b 04 83 03 01 41 8d 4f ff 0f 1f 84 00 00 00 00 00 89 
> cd 48 8d 44 6d 00 48 8d 14 c3 4c 8b a2 08 80 01 00 8b 82 10 80 01 00 
> <41> 3b 04 24 0f >
>
> systemd[1]: bird.service: Main process exited, code=killed, status=11/SEGV
>
> The version number we are currently using is: v2.13-5-gf8ba8280 
> debian11, but we have tried to roll back to v2.13 and update to 
> v2.13-10-gf8bcb037, and these problems still exist.
>
-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.