110864103 adventures-in-bug-hunting

adventures
in
bug hunting
@joedamato
http://timetobleed.com

http://boundary.com
(make use of it)

before we get this
horror show rolling
• kernels, drivers, glibc, and everything else
changes.
• code snips will differ from what you are
running on your machines.
• some things are simpliﬁed in the interest of
time.

bprobe
• boundary IPFIX flow meter
• collects flow data by sniffing packets with libpcap
• also collects low level NIC data from the driver
• packets tx/rx
• bytes tx/rx
• ethernet collisions
• ethernet errors

ethernet bonding (aka teaming)
• combine a group of physical NICs (eth0, eth1, ...)
into a single virtual device (bond0, bond1, ...).
• different modes
• active-passive
• round robin
• link aggregation

ethernet bonding (aka teaming)

how does bonding work (on linux) ?
• at a high level...
• the bonding driver creates a “virtual device”
• when a packet is sent, bonding driver ﬁgures
out which physical NIC to transmit the packet
on.
• when a packet comes in, the NICs pass the
incoming packet up for the higher layers of the
network stack to ﬁgure out.

bprobe and bonding
• bprobe discovers bonded network
interfaces.
• uses libpcap to monitor the underlying
physical NICs instead of bond devices.
• detecting link failures, etc

everything was looking
good until....

Bug was ﬁled...
• Debian Lenny, 64bit.
• Bonded ethernet interfaces.
•No incoming packets are showing up.

Step 0
•Take a step back.
•Breathe.
•Do not break the computer.

Step 1
• Examine our assumptions:
• The packets are making it to the kernel.
• The packets are being handed up from the
kernel to libpcap.
• libpcap doesn’t lose any packets before
bprobe examines them.
• bprobe has some weird bug in it.

packets are making it to the kernel
?

watch -n 1 'cat /proc/net/dev'

packets are making it to the kernel

packets are being handed up from the kernel
?

Peel some layers away
• bprobe is really libpcap + packet analysis +
output.
• if this is a bug in the kernel or libpcap then
other programs that use libpcap (like
tcpdump) will also fail the same way.
• so, do they?

tcpdump
• bonded ethernet interfaces (on linux) are virtual
devices created by combining other devices.
• for example:
• bond0
• eth0
• eth2
• eth4
• ...

First, sniff bond0...
% sudo tcpdump -i bond0 dst 172.16.209.136 and proto 1
12:57:26.275660 IP 172.16.209.1 > 172.16.209.136: ICMP
echo request, id 62831, seq 54, length 64
12:57:27.275731 IP 172.16.209.1 > 172.16.209.136: ICMP
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Now eth0 (the active NIC in
bond0)
% sudo tcpdump -i eth0 dst
172.16.209.136 and proto 1
^C
0 packets captured

incoming packets appear
to be missing when snifﬁng
the physical device.

outgoing packets show up
regardless.

only way to ﬁgure out where they
are getting lost is to follow them
through the kernel.

Steps 3-5
• Dig until you see something you haven’t
seen before.
• Read all of the code and understand it.
• Go to step 2.

how are packets received?
• packets come in from the wire.
• a couple different ways for the kernel to
“know” about new packets.
• let’s just look at the simple case.
• an interrupt is raised when a packet arrives.
• both paths hand data up to the higher
layers in similar ways.

netif_rx
• queues packets up.
• another thread pulls packets off and processes them.

OK, but how does pcap ﬁnd
out about these packets?

a more fundamental question...
how does pcap actually
work?

packet protocol family
(in the kernel)
libpcap
(in userland)
bprobe/tcpdump/etc
(in userland)
network device agnostic layer
(in the kernel)

bprobe/tcpdump/etc
(userland)
• call pcap_open_live or pcap_create/pcap_activate
to initialize libpcap.
• call pcap_next_ex to get packets from libpcap.
• examine the packets and do stuff.

libpcap (userland)
• creates a socket of type PF_PACKET
• two ways to get get packets from the kernel:
• one by one (slow)
• via shared memory (fast)
• libpcap tries to use the fast method
• if it fails, it falls back to slow.

libpcap creating PF_PACKET socket

new “fast” way is being setup.

the new way of pulling
packets out.

the old way is getting setup when
the new way failed to initialize.

pull packets out from
the kernel the old way.

PF_PACKET (kernel)
• libpcap creates the PF_PACKET socket
• the PF_PACKET code in the kernel
(eventually) executes.
• this code does some initialization and
inserts a protocol hook...

network device agnostic layer
• pulls packets off the backlog queue.
• calls netif_receive_skb()
• has some logic to determine who the real
sender is when bonding is enabled.
• passes the packet through the protocol
hooks.

(run through all protocol blocks
handing the packet over)

we now know the path packets take
so they can be examined by pcap apps.

back to the bug
• so, the bug was that packeting snifﬁng
physical NICs on bonded hosts was not
revealing incoming packets.
• what do we now know about our
environment?
• what would be the best place to look to
track down this bug?

assume the following
setup
• bond0
• eth0
• eth1
• eth2
• packet came in on eth0
• thus:
• skb->dev = eth0
• skb->dev->master = bond0

before
• skb->dev = eth0
after
• skb->dev = bond0
• code returns eth0 as orig_dev

Bug
• We overwrite the packet’s device with the bond
device.
• The protocol hook check, checks to see if the hook is
for the device on the packet.
• It isn’t
• we are snifﬁng eth0
• skb->dev was overwritten to bond0.
• That’s why if you sniff “bond0” you see packets but if
you sniff “eth0” you see nothing.

packets are being handed up from the kernel

YYYYYyyyyYYyYYyyYYy
YYYYYYYYYYYYYYYyY
eeeEEeeEEeEEEeEEEEee
eeeEEeEEEeeEEeEeEEaA
AaaaAaaAaAAaAaAAaa
AaAAAAAaaaAAa!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

reboot and try the new
kernel...

tcpdump/bprobe/other
pcap apps STILL FAIL.

????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????????????????

In real life I spent the
next 4 days looking over
the same kernel code,
hundreds of times.

Every single day from the
moment I woke up (9am) until I
searched all day until I collapsed
with exhaustion (3am).

I got so wound up in trying
to get my ﬁx working, I lost
track of the process.

Step 1
• The kernel code is still broken.
• The incoming packets are being queued up for
libpcap to pull out of PF_PACKET properly.
• There probably isn’t bug in bProbe and
tcpdump.

verify my assumption
modify libpcap to verify that the
kernel really is still broken

i used apt-get source to
retrieve the ofﬁcial source for
debian lenny’s libpcap and I
found something
surprising.

old way of doing pcap
• debian lenny’s kernel supports the new way
of getting packets out of the kernel via
mmap.
•but, debian lenny’s libpcap is not new
enough and therefore uses the old way
to examine packets.
•this also means that unless i statically link
the libpcap version i want, my app will just
perform worse on lenny.

that if statement fails.
• we are snifﬁng packets on a physical device
• BUT in the kernel we are changing the
device a packet comes in on to the bond
device (remember in netif_receive_skb?)

that if statement fails.
• the index of the bond device is different from
the index of the physical device we are snifﬁng
• so this if statement evaluates to TRUE
• libpcap returns without processing
the packet.

why?
this code exists to prevent a race condition
when snifﬁng packets the old way in some
kernels.

solution
• boot into our ﬁxed debian lenny kernel.
• download a version of libpcap that is newer and
supports the mmap method for packet snifﬁng.
• new method doesn’t have this race condition
and has better performance.
• link bprobe/tcpdump/other pcap apps against it.

Next, sniff eth0...
% sudo tcpdump -i eth0 dst 172.16.209.136 and proto 1
12:57:26.275660 IP 172.16.209.1 > 172.16.209.136: ICMP
12:57:27.275731 IP 172.16.209.1 > 172.16.209.136: ICMP
^C
2 packets captured

summarize
• kernel bug when overwriting the device the
packet arrived on.
• ﬁxed this bug, but bprobe/tcpdump still
failed.
• libpcap bug when pulling packets out the
kernel the old way
• can avoid this bug and get better
performance with a newer libpcap

Step 1-5
• Examine your assumptions.
• Start digging.
• Keep going until you see something you
haven’t seen before.
• Read all of the code and understand it.
• Go to step 2.

Спасибо!
Happy debugging!

questions?
twitter: @joedamato
blog: http://timetobleed.com

ipﬁx_reader
•a test program
•links against yajl because it
generates JSON output
•works on ubuntu, but not
on centos5

here’s another program that
links ﬁne to a lib in /usr/local/lib
ON THE SAME SYSTEM.

W A T
• We have 2 programs:
• Both link against libraries in /usr/local/lib/
• Only one works.
• The broken program’s library is in /usr/local/lib/

Step 1
• The programs and libraries are both 64bit.
• /usr/local/lib/ is in the library search path

both programs and their libraries are 64bit.
?

both programs and their libraries are 64bit.

/usr/local/lib/ is in the library search path
?

/usr/local/lib/ is in the library search path

So...
ipﬁx_reader doesn’t work
because /usr/local/lib is
not in the search path.

but...
how can bprobe be
working ﬁne?

Strange
• This is confusing.
• bprobe should fail.
• But, the shared libraries a particular binary
dynamically links to at runtime are built
into the binary itself.
• So....

Let’s take a look with
readelf

ah ha!
• bprobe works and can link because the
binary is storing the library path inside of
itself.
• but, now there are 2 more questions:
• how did the rpath tag get there?
• why doesn’t ipﬁx_reader have one?

how did the rpath tag get there?

why doesn’t ipﬁx_reader have rpath?

110864103 adventures-in-bug-hunting

110864103 adventures-in-bug-hunting

More Related Content

What's hot

Viewers also liked

Similar to 110864103 adventures-in-bug-hunting

110864103 adventures-in-bug-hunting