dhcpcd crashes with a bus error during startup on sparc64

[koachan]

Sample log:

# dhcpcd -dB enp12s0f0
main: control_open: Connection refused
dhcpcd-10.1.0 starting
DUID 00:01:00:01:2e:02:4d:64:00:10:e0:3a:79:4c
enp12s0f0: executing: /lib/dhcpcd/dhcpcd-run-hooks PREINIT
enp12s0f0: executing: /lib/dhcpcd/dhcpcd-run-hooks CARRIER
enp12s0f0: IAID e0:3a:79:4c
enp12s0f0: delaying IPv6 router solicitation for 0.4 seconds
enp12s0f0: delaying IPv4 for 1.2 seconds
enp12s0f0: soliciting an IPv6 router
enp12s0f0: sending Router Solicitation
enp12s0f0: reading lease: /var/lib/dhcpcd/enp12s0f0.lease
enp12s0f0: rebinding lease of 192.168.2.2
enp12s0f0: sending REQUEST (xid 0x6c5949ec), next in 4.0 seconds
Bus error

GDB backtrace:

dhcp_packet (ifp=0x1000021d5f0, data=0x7feffffc31a "E\020\001H", len=328, bpf_flags=1) at dhcp.c:3582
3582            if (!checksums_valid(data, &from, bpf_flags)) 

#0  dhcp_packet (ifp=0x1000021d5f0, data=0x7feffffc31a "E\020\001H", len=328, bpf_flags=1) at dhcp.c:3582
#1  0x00000100000355fc in dhcp_readbpf (arg=0x1000021d5f0, events=<optimized out>) at dhcp.c:3621
#2  0x000001000001712c in eloop_run_ppoll (eloop=0x1000021c690, ts=<optimized out>, signals=0x7feffffeb90) at eloop.c:1106
#3  eloop_start (eloop=0x1000021c690, signals=0x7feffffeb90) at eloop.c:1228
#4  0x0000010000015418 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at dhcpcd.c:2650

System setup:
Gentoo on sparc64 with 6.6.30 Linux kernel, glibc 2.40, dhcpcd 10.1.0, and clang 19.1.4.

A quick look shows that dhcp_readbpf creates an uint8_t buffer which then gets casted into a const struct ip * inside checksums_valid, but struct ip appear to have stronger alignment requirements, so when the pointer is dereferenced it crashes from the misaligned access.

[koachan]

By the way, force-aligning the buffer like so makes it work, but I feel like this is more of a workaround than a proper fix:

diff --git a/src/dhcp.c b/src/dhcp.c
index 9e23ab62..f1ce0355 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -3715,7 +3715,7 @@ static void
 dhcp_readbpf(void *arg, unsigned short events)
 {
        struct interface *ifp = arg;
-       uint8_t buf[FRAMELEN_MAX];
+       uint8_t buf[FRAMELEN_MAX] __attribute__((aligned(8)));
        ssize_t bytes;
        struct dhcp_state *state = D_STATE(ifp);
        struct bpf *bpf = state->bpf;

[rsmarples]

How about moving uint8_t buf[FRAMELEN_MAX]; to the top of the block so it's declared first?
Stack should be word aligned in each function to that might fix it without the need for the attribute.

If that fails, we could malloc and free it I guess which should fix it too.

[koachan]

How about moving uint8_t buf[FRAMELEN_MAX]; to the top of the block so it's declared first? Stack should be word aligned in each function to that might fix it without the need for the attribute.

This doesn't seem to fix the issue, unfortunately.

[rsmarples]

How about moving uint8_t buf[FRAMELEN_MAX]; to the top of the block so it's declared first? Stack should be word aligned in each function to that might fix it without the need for the attribute.

This doesn't seem to fix the issue, unfortunately.

Shame. Does using malloc rather than a buffer on stack fix it?

[koachan]

Shame. Does using malloc rather than a buffer on stack fix it?

Using malloc does seem to fix it. This is what I did:

diff --git a/src/dhcp.c b/src/dhcp.c
index 9e23ab62..c50c9d2e 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -3715,7 +3715,7 @@ static void
 dhcp_readbpf(void *arg, unsigned short events)
 {
 	struct interface *ifp = arg;
-	uint8_t buf[FRAMELEN_MAX];
+	uint8_t *buf = malloc(FRAMELEN_MAX);
 	ssize_t bytes;
 	struct dhcp_state *state = D_STATE(ifp);
 	struct bpf *bpf = state->bpf;
@@ -3725,7 +3725,7 @@ dhcp_readbpf(void *arg, unsigned short events)
 
 	bpf->bpf_flags &= ~BPF_EOF;
 	while (!(bpf->bpf_flags & BPF_EOF)) {
-		bytes = bpf_read(bpf, buf, sizeof(buf));
+		bytes = bpf_read(bpf, buf, FRAMELEN_MAX);
 		if (bytes == -1) {
 			if (state->state != DHS_NONE) {
 				logerr("%s: %s", __func__, ifp->name);
@@ -3740,6 +3740,7 @@ dhcp_readbpf(void *arg, unsigned short events)
 		if ((bpf = state->bpf) == NULL)
 			break;
 	}
+	free(buf);
 }
 
 void

[rsmarples]

Good to know!

Do you use privsep?

[koachan]

Uhm, I only run it with the basic dhcpcd enp12s0f0 so I don't think I have privsep?

[rsmarples]

It's not how you run it, it's how you compile it :)

[rsmarples]

Does this fix it instead?

$ git diff
diff --git a/src/dhcp.c b/src/dhcp.c
index 9e23ab62..f4910fe1 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -49,6 +49,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <inttypes.h>
+#include <stdalign.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
@@ -3715,7 +3716,7 @@ static void
 dhcp_readbpf(void *arg, unsigned short events)
 {
        struct interface *ifp = arg;
-       uint8_t buf[FRAMELEN_MAX];
+       alignas(8) uint8_t buf[FRAMELEN_MAX];
        ssize_t bytes;
        struct dhcp_state *state = D_STATE(ifp);
        struct bpf *bpf = state->bpf;

Then I just need to document why 8, or use a sizeof.

[koachan]

It's not how you run it, it's how you compile it :)

Ah, for that, I built it with something like CC=clang CFLAGS="-O2" ./configure && make... so I guess I don't have it?

Does this fix it instead?

$ git diff
diff --git a/src/dhcp.c b/src/dhcp.c
index 9e23ab62..f4910fe1 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -49,6 +49,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <inttypes.h>
+#include <stdalign.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
@@ -3715,7 +3716,7 @@ static void
 dhcp_readbpf(void *arg, unsigned short events)
 {
        struct interface *ifp = arg;
-       uint8_t buf[FRAMELEN_MAX];
+       alignas(8) uint8_t buf[FRAMELEN_MAX];
        ssize_t bytes;
        struct dhcp_state *state = D_STATE(ifp);
        struct bpf *bpf = state->bpf;

Then I just need to document why 8, or use a sizeof.

This change fixes the issue too.

[rsmarples]

Great! Do you know if your userland is 32 or 64 bits please?

[koachan]

It's 64 bits.