Report information
The Basics
Id:
47120
Status:
resolved
Priority:
Low/Low
Queue:
bind9-public
People
BugTracker
Version Fixed:
9.12.1, 9.13.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P3 Low
Severity:
S3 Low
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
bug
Dates
Created:Mon, 05 Feb 2018 07:03:32 -0500
Updated:Mon, 05 Feb 2018 14:32:14 -0500
Closed:Mon, 05 Feb 2018 14:32:14 -0500

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Mon, 05 Feb 2018 07:03:33 -0500 Michał Kępień <michal@isc.org> - Ticket created
To: bind9-public@isc.org
Subject: named may crash on shutdown when under load
Date: Mon, 05 Feb 2018 13:03:32 +0100
From: michal@isc.org

interfacemgr.c:326: REQUIRE((__builtin_expect(!!((mgr) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(mgr))->magic == ((('I') << 24 | ('F') << 16 | ('M') << 8 | ('G')))), 1))) failed, back trace (gdb) bt #0 0x00007ffff3543860 in raise () from /usr/lib/libc.so.6 #1 0x00007ffff3544ec9 in abort () from /usr/lib/libc.so.6 #2 0x00005555555afd07 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ./main.c:248 #3 0x00005555557a2cfa in isc_assertion_failed (file=file@entry=0x55555580b3a6 "interfacemgr.c", line=line@entry=326, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x55555580b560 "(__builtin_expect(!!((mgr) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(mgr))->magic == ((('I') << 24 | ('F') << 16 | ('M') << 8 | ('G')))), 1))") at assertions.c:49 #4 0x00005555555e6d96 in ns_interfacemgr_getaclenv (mgr=<optimized out>) at interfacemgr.c:326 #5 0x00005555555b160b in get_matching_view (srcaddr=0x7ffff19454c0, destaddr=0x7fffe8040ffc, message=0x7ffff7ed4010, ecs=0x0, sigresult=0x7ffff19453c0, viewp=0x7fffe8040978) at ./server.c:9353 #6 0x00005555555e545a in ns__client_request (task=<optimized out>, event=<optimized out>) at client.c:2634 #7 0x00005555557c84e9 in dispatch (manager=0x7ffff7f8a010) at task.c:1138 #8 run (uap=0x7ffff7f8a010) at task.c:1310 #9 0x00007ffff67c008c in start_thread () from /usr/lib/libpthread.so.0 #10 0x00007ffff3604e7f in clone () from /usr/lib/libc.so.6 This crash seems to be easier to trigger when dnstap is in use, but I also came across it when using GDB to trace named with dnstap support compiled away entirely. Considerable query load seems to be necessary for triggering the crash. I was able to semi-reliably reproduce this by doing the following: 1. Start dnsperf on the same host. 2. Start an authoritative-only named in the foreground. 3. Hit CTRL+C. 4. Repeat steps 2-3 until a crash happens. The problem here is that named_g_server->interfacemgr may already be NULL by the time get_matching_view() gets called from ns__client_request() if server shutdown is in progress. The problem was introduced when libns was added (commit 8eb88aafee) and thus only affects 9.12.0. Does not look exploitable to me.
  Mon, 05 Feb 2018 07:10:22 -0500 Michał Kępień <michal@isc.org> - Correspondence added

Please review rt47120. The log message for commit 1e070c631f contains the rationale. No system test because this crash is caused by a very specific sequence of events which is not really predictable.
Mon, 05 Feb 2018 07:10:22 -0500 Michał Kępień <michal@isc.org> - Status changed from 'open' to 'review'
Mon, 05 Feb 2018 07:10:23 -0500 Michał Kępień <michal@isc.org> - Untaken
  Mon, 05 Feb 2018 12:26:32 -0500 Evan Hunt <each@isc.org> - Correspondence added
Subject: Re: [ISC-Bugs #47120] named may crash on shutdown when under load
From: "Evan Hunt" <each@isc.org>
To: "Michał Kępień via RT" <bind9-public@isc.org>
CC:
Date: Mon, 5 Feb 2018 17:26:27 +0000

> Please review rt47120. The log message for commit 1e070c631f contains > the rationale. No system test because this crash is caused by a very > specific sequence of events which is not really predictable. Looks okay.
Mon, 05 Feb 2018 12:27:09 -0500 Evan Hunt <Evan_Hunt@isc.org> - Given to Michał Kępień <michal@isc.org>
  Mon, 05 Feb 2018 14:32:13 -0500 Michał Kępień <michal@isc.org> - Correspondence added

4884. [bug] named could crash on shutdown due to a race between shutdown_server() and ns__client_request(). [RT #47120] 9.12.1, 9.13.0
Mon, 05 Feb 2018 14:32:14 -0500 Michał Kępień <michal@isc.org> - Status changed from 'review' to 'resolved'
Mon, 05 Feb 2018 14:32:14 -0500 Michał Kępień <michal@isc.org> - Version Fixed 9.12.1, 9.13.0 added