Hi.

We have a bug (https://bugzilla.redhat.com/show_bug.cgi?id=1052781) in Red Hat Bugzilla about BIND crashing with SEGFAULT in the dlopen_dlz_configure() function when using DLZ.

Log snippet:

Nov 28 23:06:56 mainserver named[31960]: starting BIND 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 -u named
Nov 28 23:06:56 mainserver named[31960]: built with '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Nov 28 23:06:56 mainserver named[31960]: ----------------------------------------------------
Nov 28 23:06:56 mainserver named[31960]: BIND 9 is maintained by Internet Systems Consortium,
Nov 28 23:06:56 mainserver named[31960]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 28 23:06:56 mainserver named[31960]: corporation. Support and training for BIND 9 are
Nov 28 23:06:56 mainserver named[31960]: available at https://www.isc.org/support
Nov 28 23:06:56 mainserver named[31960]: ----------------------------------------------------
Nov 28 23:06:56 mainserver named[31960]: adjusted limit on open files from 4096 to 1048576
Nov 28 23:06:56 mainserver named[31960]: found 4 CPUs, using 4 worker threads
Nov 28 23:06:56 mainserver named[31960]: using 4 UDP listeners per interface
Nov 28 23:06:56 mainserver named[31960]: using up to 4096 sockets
Nov 28 23:06:56 mainserver named[31960]: loading configuration from '/etc/named.conf'
Nov 28 23:06:56 mainserver named[31960]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Nov 28 23:06:56 mainserver named[31960]: using default UDP/IPv4 port range: [1024, 65535]
Nov 28 23:06:56 mainserver named[31960]: using default UDP/IPv6 port range: [1024, 65535]
Nov 28 23:06:56 mainserver named[31960]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 28 23:06:56 mainserver named[31960]: listening on IPv4 interface em2, 10.0.0.2#53
Nov 28 23:06:56 mainserver named[31960]: listening on IPv6 interface lo, ::1#53
Nov 28 23:06:56 mainserver named[31960]: generating session key for dynamic DNS
Nov 28 23:06:56 mainserver named[31960]: sizing zone task pool based on 8 zones
Nov 28 23:06:56 mainserver named[31960]: zone 'henscheid.com' allows updates by IP address, which is insecure
Nov 28 23:06:56 mainserver named[31960]: zone '0.0.10.in-addr.arpa' allows updates by IP address, which is insecure
Nov 28 23:06:56 mainserver named[31960]: Loading 'AD DNS Zone' using driver dlopen
Nov 28 23:06:56 mainserver named[31960]: dlz_dlopen: incorrect version 1 should be 2 in '/usr/local/samba/lib/bind9/dlz_bind9.so'
Nov 28 23:06:56 mainserver named[31960]: dlz_dlopen of 'AD DNS Zone' failed
Nov 28 23:06:56 mainserver kernel: [442516.782877] named[31964]: segfault at 5c ip b77b0ee6 sp b5484400 error 4 in named[b7744000+85000]

Backtrace:

#0 dlopen_dlz_configure at dlz_dlopen_driver.c:462
#1 dns_sdlzconfigure at sdlz.c:1687
#2 dns_dlzconfigure at dlz.c:627
#3 configure_view at server.c:2185
#4 load_configuration at server.c:5328
#5 run_server at server.c:5869
#6 dispatch at task.c:1116
#7 run at task.c:1286

I'm attaching a more detailed backtrace.

The problem seems to be caused by returning the wrong result in the dlopen_dlz_create() function in the dlz_dlopen_driver.c file, in the check for the API version (line 328). If the version of the API used by the shared library does not match the version of the API used by the driver, the check will fail (and free the memory allocated in cd), but it returns the value of the 'result' variable, which is ISC_R_SUCCESS from previous function calls. Therefore the code execution proceeds and fails with SIGSEGV, since the memory has already been freed.

I'm attaching a simple proposed patch.

Regards,
Tomas Hozza
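
The error path described in the report above, as an added example that is not part of the original message and is not BIND source code. It is a simplified C model in which all names (driver_create, load_library, caller_proceeds, result_t) are hypothetical; it shows how a cleanup path that frees the driver state but returns a result left over from earlier successful calls lets the caller proceed, and how setting the result before the jump stops it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the reported error path; hypothetical names, not BIND source. */
typedef enum { R_SUCCESS = 0, R_NOMEMORY, R_FAILURE } result_t;
typedef struct { int api_version; } driver_data_t;
#define DRIVER_API_VERSION 2 /* from the log: "incorrect version 1 should be 2" */

/* Stands in for the earlier setup calls, which succeed. */
static result_t load_library(driver_data_t *cd, int lib_version) {
    cd->api_version = lib_version;
    return R_SUCCESS;
}

/* fixed == 0 reproduces the reported error path; fixed == 1 sets the result. */
static result_t driver_create(int lib_version, int fixed, driver_data_t **out) {
    result_t result;
    driver_data_t *cd = malloc(sizeof(*cd));
    if (cd == NULL)
        return R_NOMEMORY;
    result = load_library(cd, lib_version);
    if (result != R_SUCCESS)
        goto failed;
    if (cd->api_version != DRIVER_API_VERSION) {
        if (fixed)
            result = R_FAILURE;   /* the assignment the buggy path lacks */
        goto failed;              /* otherwise result is still R_SUCCESS */
    }
    *out = cd;
    return R_SUCCESS;
failed:
    free(cd);                     /* driver state is released ... */
    return result;                /* ... and whatever result holds is returned */
}

/* Returns 1 if a caller trusting the return code would go on to configure. */
static int caller_proceeds(int lib_version, int fixed, driver_data_t **handle) {
    *handle = NULL;
    return driver_create(lib_version, fixed, handle) == R_SUCCESS;
}

int main(void) {
    driver_data_t *h;
    printf("buggy, v1 library: proceeds=%d\n", caller_proceeds(1, 0, &h));
    printf("fixed, v1 library: proceeds=%d\n", caller_proceeds(1, 1, &h));
    if (caller_proceeds(2, 1, &h))
        free(h);                  /* matching version: valid handle returned */
    return 0;
}
```

In the buggy case the caller is told the create step succeeded while holding no valid driver state, which is the condition under which the next step crashes.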