Subject: [PATCH] DLZ driver causes Segfault if the API version check fails in dlopen_dlz_create()
Date: Tue, 4 Mar 2014 10:35:42 -0500 (EST)
To: bind9-bugs@isc.org
From: Tomas Hozza <thozza@redhat.com>
Hi.
We have a bug (https://bugzilla.redhat.com/show_bug.cgi?id=1052781)
in Red Hat Bugzilla about BIND crashing with SEGFAULT in the dlopen_dlz_configure()
function when using DLZ.
Log snippet:
Nov 28 23:06:56 mainserver named[31960]: starting BIND 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 -u named
Nov 28 23:06:56 mainserver named[31960]: built with '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Nov 28 23:06:56 mainserver named[31960]: ----------------------------------------------------
Nov 28 23:06:56 mainserver named[31960]: BIND 9 is maintained by Internet Systems Consortium,
Nov 28 23:06:56 mainserver named[31960]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 28 23:06:56 mainserver named[31960]: corporation. Support and training for BIND 9 are
Nov 28 23:06:56 mainserver named[31960]: available at https://www.isc.org/support
Nov 28 23:06:56 mainserver named[31960]: ----------------------------------------------------
Nov 28 23:06:56 mainserver named[31960]: adjusted limit on open files from 4096 to 1048576
Nov 28 23:06:56 mainserver named[31960]: found 4 CPUs, using 4 worker threads
Nov 28 23:06:56 mainserver named[31960]: using 4 UDP listeners per interface
Nov 28 23:06:56 mainserver named[31960]: using up to 4096 sockets
Nov 28 23:06:56 mainserver named[31960]: loading configuration from '/etc/named.conf'
Nov 28 23:06:56 mainserver named[31960]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Nov 28 23:06:56 mainserver named[31960]: using default UDP/IPv4 port range: [1024, 65535]
Nov 28 23:06:56 mainserver named[31960]: using default UDP/IPv6 port range: [1024, 65535]
Nov 28 23:06:56 mainserver named[31960]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 28 23:06:56 mainserver named[31960]: listening on IPv4 interface em2, 10.0.0.2#53
Nov 28 23:06:56 mainserver named[31960]: listening on IPv6 interface lo, ::1#53
Nov 28 23:06:56 mainserver named[31960]: generating session key for dynamic DNS
Nov 28 23:06:56 mainserver named[31960]: sizing zone task pool based on 8 zones
Nov 28 23:06:56 mainserver named[31960]: zone 'henscheid.com' allows updates by IP address, which is insecure
Nov 28 23:06:56 mainserver named[31960]: zone '0.0.10.in-addr.arpa' allows updates by IP address, which is insecure
Nov 28 23:06:56 mainserver named[31960]: Loading 'AD DNS Zone' using driver dlopen
Nov 28 23:06:56 mainserver named[31960]: dlz_dlopen: incorrect version 1 should be 2 in '/usr/local/samba/lib/bind9/dlz_bind9.so'
Nov 28 23:06:56 mainserver named[31960]: dlz_dlopen of 'AD DNS Zone' failed
Nov 28 23:06:56 mainserver kernel: [442516.782877] named[31964]: segfault at 5c ip b77b0ee6 sp b5484400 error 4 in named[b7744000+85000]
Backtrace:
#0 dlopen_dlz_configure at dlz_dlopen_driver.c:462
#1 dns_sdlzconfigure at sdlz.c:1687
#2 dns_dlzconfigure at dlz.c:627
#3 configure_view at server.c:2185
#4 load_configuration at server.c:5328
#5 run_server at server.c:5869
#6 dispatch at task.c:1116
#7 run at task.c:1286
I'm attaching a more detailed backtrace.
The problem seems to be caused by returning the wrong
result in the dlopen_dlz_create() function in the
dlz_dlopen_driver.c file in the check for the API version
(line 328). If the version of the API used by the shared library
does not match the version of the API used by the driver,
the check will fail (and free the memory allocated in cd),
but it returns the value of the 'result' variable, which is
ISC_R_SUCCESS from previous function calls. Therefore
the code execution proceeds and fails with SIGSEGV,
since the memory has already been freed.
I'm attaching a simple proposed patch.
Regards,
Tomas Hozza
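The error-path defect described in the report, modelled as an added example (this is not BIND's dlz_dlopen_driver.c and not the attached patch). The names driver_data, create_buggy, create_fixed, load_zone, module_version and the R_SUCCESS/R_FAILURE codes are constructed stand-ins; the module table and version number 2 are assumed for illustration. The buggy variant frees its state on a version mismatch but still returns the stale success code, so the caller is told the create succeeded while no valid state was handed back; the fixed variant sets a failure code before taking the cleanup path, which is the check a reviewer would want on every `goto cleanup` that follows an earlier success assignment.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed status codes standing in for ISC's isc_result_t. */
typedef int result_t;
#define R_SUCCESS 0
#define R_FAILURE 1

/* API version the driver was built against (assumed value for this example). */
#define DRIVER_API_VERSION 2

/* Minimal stand-in for the per-driver state ("cd") allocated in create(). */
typedef struct {
    int version;      /* version reported by the loaded module */
    char *dl_path;    /* module path, kept for diagnostics */
} driver_data;

/* Stand-in for dlopen()+dlsym()+version call: a constructed table of modules.
 * "old_module.so" reports version 1, matching the mismatch in the report's log. */
static int module_version(const char *path) {
    if (strcmp(path, "good_module.so") == 0) return 2;
    if (strcmp(path, "old_module.so") == 0) return 1;
    return -1;   /* unknown module */
}

static void release(driver_data *cd) {
    free(cd->dl_path);
    free(cd);
}

/* Buggy variant: 'result' still holds R_SUCCESS from earlier steps when the
 * version check fails, so the cleanup path reports success although the state
 * has been freed and *dbdata was never set. */
static result_t create_buggy(const char *path, void **dbdata) {
    result_t result = R_SUCCESS;          /* left over from "previous calls" */
    driver_data *cd = calloc(1, sizeof(*cd));
    if (cd == NULL) return R_FAILURE;
    cd->dl_path = strdup(path);
    cd->version = module_version(path);
    if (cd->version != DRIVER_API_VERSION) {
        fprintf(stderr, "incorrect version %d should be %d in '%s'\n",
                cd->version, DRIVER_API_VERSION, cd->dl_path);
        goto cleanup;                     /* BUG: result not set to a failure */
    }
    *dbdata = cd;
    return R_SUCCESS;
cleanup:
    release(cd);
    return result;                        /* returns R_SUCCESS after freeing cd */
}

/* Fixed variant: the failure code is assigned before jumping to cleanup. */
static result_t create_fixed(const char *path, void **dbdata) {
    result_t result = R_SUCCESS;
    driver_data *cd = calloc(1, sizeof(*cd));
    if (cd == NULL) return R_FAILURE;
    cd->dl_path = strdup(path);
    cd->version = module_version(path);
    if (cd->version != DRIVER_API_VERSION) {
        fprintf(stderr, "incorrect version %d should be %d in '%s'\n",
                cd->version, DRIVER_API_VERSION, cd->dl_path);
        result = R_FAILURE;               /* FIX: caller must see the failure */
        goto cleanup;
    }
    *dbdata = cd;
    return R_SUCCESS;
cleanup:
    release(cd);
    return result;
}

/* What the caller (the configure step) observes. LOAD_INCONSISTENT is the
 * precursor of the crash: success reported, but no usable state returned. */
enum load_outcome { LOAD_OK = 0, LOAD_REJECTED = 1, LOAD_INCONSISTENT = 2 };

static enum load_outcome load_zone(const char *path,
                                   result_t (*create)(const char *, void **)) {
    void *dbdata = NULL;
    if (create(path, &dbdata) != R_SUCCESS) return LOAD_REJECTED;
    if (dbdata == NULL) return LOAD_INCONSISTENT;   /* real code would dereference here */
    release((driver_data *)dbdata);        /* configure() would use it; we just free it */
    return LOAD_OK;
}

int main(void) {
    printf("buggy/old:  %d\n", load_zone("old_module.so", create_buggy));   /* 2 */
    printf("fixed/old:  %d\n", load_zone("old_module.so", create_fixed));   /* 1 */
    printf("fixed/good: %d\n", load_zone("good_module.so", create_fixed));  /* 0 */
    return 0;
}
```

The load_zone wrapper checks for the success-without-state condition explicitly so the example can report it instead of dereferencing a null pointer; the real configure step has no such guard, which is why the report's backtrace ends in dlopen_dlz_configure.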