ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-07-16T07:34:27Z

https://gitlab.isc.org/isc-projects/kea/-/issues/1957
use cryptolink RNG for qid
2021-07-16T07:34:27Z
Francis Dupont

Currently the qid (DNS query ID) is randomly generated by a weak RNG in lib util. This code should be moved to the DNS++ library and the RNG replaced by the cryptolink one.

kea1.9.10
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/2759
Broken handling of DS/NSEC records in signed, wildcard+CNAME-sourced delegations
2021-07-16T05:27:02Z
Michał Kępień

When answering a query requires wildcard expansion, the AUTHORITY
section of the response needs to include NSEC(3) record(s) proving that
the QNAME does not exist.
When a response to a query is an insecure delegation, the AUTHORITY
section needs to include an NSEC(3) proof that no DS record exists at
the parent side of the zone cut.
These two conditions combined trip up the NSEC part of the logic
contained in query_addds(), which expects the NS RRset to be owned by
the first name found in the AUTHORITY section of a delegation response.
This may not always be true, for example if wildcard expansion causes an
NSEC record proving QNAME nonexistence to be added to the AUTHORITY
section before the delegation is added to the response. In such a case,
named incorrectly omits the NSEC record proving nonexistence of QNAME
from the AUTHORITY section.
The same block of code is affected by another flaw: if the same NSEC
record proves nonexistence of both the QNAME and the DS record at the
parent side of the zone cut, this NSEC record will be added to the
AUTHORITY section twice.
This issue was [originally reported][1] by @libchap.
[1]: https://chat.dns-oarc.net/community/pl/8eezk1brqpy8je7fj3rtdco98e

July 2021 (9.11.34, 9.11.34-S1, 9.16.19, 9.16.19-S1, 9.17.16)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/2626
Deadlock with concurrent `rndc addzone`/`rndc delzone` commands
2021-07-16T05:19:12Z
Benjamin Gentil

### Summary
A deadlock can happen between concurrent `rndc delzone` and `rndc addzone` commands (on different zones), making the named process and every following `rndc` command stuck.
### BIND version used
bind9 debian buster-backports package 1:9.16.13-1~bpo10+1
```
BIND 9.16.13-Debian (Stable Release) <id:072e758>
running on Linux x86_64 5.11.8-200.fc33.x86_64 #1 SMP Mon Mar 22 01:35:01 UTC 2021
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-xJGMKz/bind9-9.16.13=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libuv version: 1.24.1
linked to libuv version: 1.24.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
Has been also reproduced on a 9.11.25 build, but not on the debian buster version (1:9.11.5.P4+dfsg-5.1+deb10u3)
### Steps to reproduce
The issue can be triggered by running many `rndc addzone` & `rndc delzone` in parallel.
A repository with a POC is available here: https://github.com/bengentil/bind-deadlock
### What is the current *bug* behavior?
When the bug happens the named process is deadlocked and all `rndc` commands are stuck.
### What is the expected *correct* behavior?
The expected behavior is to have all `rndc` commands to be executed to completion without any deadlock.
### Relevant configuration files
I don't have any specific configuration in place to reproduce this issue, as far as I know this issue is not avoidable by configuration.
### Relevant logs and/or screenshots
An extract of a gdb backtrace of the deadlocked process (only the 2 relevant threads):
```
Thread 16 (Thread 0x7f549b6bf700 (LWP 58)):
#0 0x00007f54a5a9e00c in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1 0x00007f54a5f560a9 in isc_task_beginexclusive (task0=<optimized out>) at task.c:1662
task = <optimized out>
manager = 0x7f54a02ba010
#2 0x000055a0f169bf99 in do_addzone (zoneconf=<optimized out>, text=0x7f549b6bebc8, redirect=false, zoneobj=0x7f5495d48a38, name=0x7f549b6be830, view=0x7f5490bc1ea0, cfg=0x7f5495d4e048, server=0x7f54a02c0010) at ./server.c:13398
tresult = <optimized out>
zone = 0x0
dbi = 2428247712
result = 0
txn = 0x0
result = <optimized out>
tresult = <optimized out>
zone = <optimized out>
txn = <optimized out>
dbi = <optimized out>
dbp = <optimized out>
#3 named_server_changezone (server=0x7f54a02c0010, command=<optimized out>, text=text@entry=0x7f549b6bebc8) at ./server.c:13800
result = <optimized out>
addzone = true
redirect = false
cfg = 0x7f5495d4e048
zoneconf = 0x7f5495d48b00
zoneobj = 0x7f5495d48a38
zonename = 0x7f5458008430 "test1.local"
view = 0x7f5490bc1ea0
buf = {magic = 1114990113, base = 0x7f5458008430, length = 11, used = 11, current = 11, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
fname = {name = {magic = 1145983854, ndata = 0x7f549b6be940 "\005test1\005local", length = 13, labels = 3, attributes = 1, offsets = 0x7f549b6be880 "", buffer = 0x7f549b6be900, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, list = {head = 0x0, tail = 0x0}}, offsets = "\000\006\f\000\000\000\000\000\240\307Z\245T\177\000\000\000\200\255\373\320\224\004\255\200\314\005XT\177\000\000\200\314\005XT\177\000\000\200\314\005XT\177\000\000\200\314\005XT\177\000\000\000E\027^\345\027Y\223\310\353k\233T\177\000\000\350\203,\240T\177\000\000\000\352k\233T\177\000\000\320\351k\233T\177\000\000@\366+\240T\177\000\000\277\306X\245T\177\000\000 \000\000\000\060\000\000\000\320\351k\233T\177\000", buffer = {magic = 1114990113, base = 0x7f549b6be940, length = 255, used = 13, current = 0, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}, data = "\005test1\005local\000\177\000\000\000\020\000\000\000\000\000\000\000E\027^\345\027Y\223\a\000\000\000\000\000\000\000\310\353k\233T\177\000\000\000\000\000\000\000\000\000\000\270\352k\233T\177\000\000p_\316\225T\177\000\000\300!\371\245T\177\000\000\000\000\000\000\000\000\000\000\242\347\362\245T\177\000\000\260\351k\233T\177\000\000\260\216\025\243T\177\000\000\060\000\000\000\060\000\000\000\220\352k\233T\177\000\000\320\351k\233T\177\000\000\000E\027^\345\027Y\223buffer-0x7f549\000\000\223\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000w_\316\225T\177\000\000\260E\005XT\177\000\000\002\000\000\000\000\000\000\000"...}
dnsname = 0x7f549b6be830
#4 0x000055a0f167d7d7 in named_control_docommand (message=<optimized out>, readonly=<optimized out>, text=text@entry=0x7f549b6bebc8) at control.c:209
data = <optimized out>
cmdline = 0x7f54580545b0 "addzone test1.local {type master; file \"/var/cache/bind/test1.local.db\"; auto-dnssec maintain; inline-signing yes; key-directory \"/var/cache/bind/keys\";};"
command = 0x7f5495ce5f70 "addzone"
result = 0
log_level = <optimized out>
src = {magic = 1114990113, base = 0x7f54580545b0, length = 154, used = 154, current = 8, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
lex = 0x7f54a02c83e8
#5 0x000055a0f16809f3 in control_recvmessage (task=0x7f5495d25010, event=<optimized out>) at controlconf.c:476
conn = 0x7f5495d43e50
listener = 0x7f5495d4d120
key = 0x7f54a02bf640
request = 0x7f5458005240
response = 0x0
algorithm = 163
secret = {rstart = 0x7f54a315bab0 "\342\061\016`\001\201\065\067\242U\313\033|\321\334\350\303\335\213OX\252u\f\210\033v\271K\221x\342\020\273\025\243T\177", rend = 0x7f54a315bad0 "\020\273\025\243T\177"}
now = 1617996781
b = <optimized out>
r = {base = 0x7f54a1ec4f0d ";", length = 2716618509}
text = 0x7f544c046db0
result = <optimized out>
eresult = <optimized out>
_ctrl = 0x7f54580540e0
sent = 1617996781
exp = 1617996841
nonce = 459112386
data = 0x0
#6 0x00007f54a5f53e4b in dispatch (threadid=<optimized out>, manager=0x7f54a02ba010) at task.c:1153
dispatch_count = 24
done = false
finished = false
requeue = false
event = 0x7f5495d43ed0
task = 0x7f5495d25010
task = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
dispatch_count = <optimized out>
done = <optimized out>
requeue = <optimized out>
finished = <optimized out>
event = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
was_idle = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
empty = <optimized out>
i = <optimized out>
__atomic_store_ptr = <optimized out>
__atomic_store_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
#7 run (queuep=<optimized out>) at task.c:1345
tq = <optimized out>
manager = 0x7f54a02ba010
threadid = <optimized out>
#8 0x00007f54a5f5a282 in isc__trampoline_run (arg=0x55a0f2d9d970) at trampoline.c:191
trampoline = 0x55a0f2d9d970
result = <optimized out>
#9 0x00007f54a5a97fa3 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#10 0x00007f54a562d4cf in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
Thread 15 (Thread 0x7f549bec0700 (LWP 57)):
#0 0x00007f54a5aa129c in __lll_lock_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1 0x00007f54a5a9a87a in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#2 0x000055a0f168caef in rmzone (task=<optimized out>, event=<optimized out>) at ./server.c:13890
dz = 0x7f5495d34ff0
zone = 0x7f5464008d10
raw = 0x0
mayberaw = <optimized out>
zonename = "test2.local", '\000' <repeats 17 times>, "T\177", '\000' <repeats 26 times>, "\377\377\377\377\377\377\377\377RSND\377\377\377\377\000\000\000\000\000\000\000\000", '\377' <repeats 16 times>, '\000' <repeats 20 times>, "\377\377\377\377", '\000' <repeats 72 times>, "X\002\000\000\000\000\000\000"...
view = 0x7f5490bc1ea0
cfg = <optimized out>
dbp = 0x0
added = true
result = <optimized out>
txn = 0x0
dbi = 4294967295
#3 0x00007f54a5f53e4b in dispatch (threadid=<optimized out>, manager=0x7f54a02ba010) at task.c:1153
dispatch_count = 0
done = false
finished = false
requeue = false
event = 0x7f549559be48
task = 0x7f5495d25be0
task = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
dispatch_count = <optimized out>
done = <optimized out>
requeue = <optimized out>
finished = <optimized out>
event = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
was_idle = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
empty = <optimized out>
i = <optimized out>
__atomic_store_ptr = <optimized out>
__atomic_store_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
__atomic_load_ptr = <optimized out>
__atomic_load_tmp = <optimized out>
#4 run (queuep=<optimized out>) at task.c:1345
tq = <optimized out>
manager = 0x7f54a02ba010
threadid = <optimized out>
#5 0x00007f54a5f5a282 in isc__trampoline_run (arg=0x55a0f2d9d7e0) at trampoline.c:191
trampoline = 0x55a0f2d9d7e0
result = <optimized out>
#6 0x00007f54a5a97fa3 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#7 0x00007f54a562d4cf in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
```
The corresponding relevant logs:
```
Apr 9 19:33:01 f402d8b027a0 named[42]: received control channel command 'delzone test2.local'
Apr 9 19:33:01 f402d8b027a0 named[42]: zone test2.local scheduled for removal via delzone
Apr 9 19:33:01 f402d8b027a0 named[42]: received control channel command 'addzone test1.local {type master; file "/var/cache/bind/test1.local.db"; auto-dnssec maintain; inline-signing yes; key-directory "/var/cache/bind/keys";};'
Apr 9 19:33:01 f402d8b027a0 named[42]: deleting zone test2.local in view _default via delzone
```
We can see that `rndc addzone test1.local [...]` has been executed during an already running `rndc delzone test2.local` and both threads are now waiting.
The thread 15/LWP 57 (delzone) is waiting for a lock owned by thread 16/LWP 58 (addzone)
```
(gdb) thread 15
[Switching to thread 15 (Thread 0x7f549bec0700 (LWP 57))]
#0 0x00007f54a5aa129c in __lll_lock_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
(gdb) frame 2
#2 0x000055a0f168caef in rmzone (task=<optimized out>, event=<optimized out>) at ./server.c:13890
13890 in ./server.c
(gdb) p *(&view->new_zone_lock->__data->__owner)
$9 = 58
```
isc_task_beginexclusive waits while this is true: `manager->halted + 1 < manager->workers`
```
(gdb) thread 16
[Switching to thread 16 (Thread 0x7f549b6bf700 (LWP 58))]
#0 0x00007f54a5a9e00c in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
(gdb) frame 1
#1 0x00007f54a5f560a9 in isc_task_beginexclusive (task0=<optimized out>) at task.c:1662
1662 task.c: No such file or directory.
(gdb) p manager->halted
$10 = 6
(gdb) p manager->workers
$11 = 8
```
### Observations
The rmzone relevant code is:
* [server.c:13890](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_13/bin/named/server.c#L13874)
```
13855 rmzone(isc_task_t *task, isc_event_t *event) {
[...]
13888 #ifdef HAVE_LMDB
13889 /* Make sure we can open the NZD database */
->13890 LOCK(&view->new_zone_lock);
```
The addzone relevant code is:
* [server.c:13350](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_13/bin/named/server.c#L13382)
```
13337 do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
13338 dns_name_t *name, cfg_obj_t *zoneconf, const cfg_obj_t *zoneobj,
13339 bool redirect, isc_buffer_t **text) {
[...]
13350 LOCK(&view->new_zone_lock);
[...]
13387 /* Make sure we can open the NZD database */
13388 result = nzd_writable(view);
13389 if (result != ISC_R_SUCCESS) {
13390 TCHECK(putstr(text, "unable to open NZD database for '"));
13391 TCHECK(putstr(text, view->new_zone_db));
13392 TCHECK(putstr(text, "'"));
13393 result = ISC_R_FAILURE;
13394 goto cleanup;
13395 }
13396 #endif /* HAVE_LMDB */
13397
->13398 result = isc_task_beginexclusive(server->task);
```
* [task.c:1662](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_13/lib/isc/task.c#L1662)
```
1634 isc_task_beginexclusive(isc_task_t *task0) {
[...]
1660 while (manager->halted + 1 < manager->workers) {
1661 wake_all_queues(manager);
->1662 WAIT(&manager->halt_cond, &manager->halt_lock);
1663 }
```
My understanding is that the `rmzone` is executed between the `LOCK(&view->new_zone_lock)` and the `isc_task_beginexclusive` in `do_addzone` resulting in:
* `do_addzone` waits for other workers to stop (ie. waits for `rmzone` to stop)
* `rmzone` waits for the `view->new_zone_lock` locked by `do_addzone`
* `do_addzone` sees always 2 workers and the `view->new_zone_lock` is never unlocked

May 2021 (9.11.32, 9.11.32-S1, 9.16.16, 9.16.16-S1, 9.17.13)
Diego dos Santos Fronza

https://gitlab.isc.org/isc-projects/bind9/-/issues/833
Lock reordering between zt->lock, zone->lock, view->lock
2021-07-15T12:42:20Z
Witold Krecicki

We have a lot of lock reorderings in zt->lock, zone->lock and view->lock that might cause a deadlock. Those should be investigated, and a common order of locking should be documented.

https://gitlab.isc.org/isc-projects/bind9/-/issues/2819
Cache the isc_os_ncpu() result
2021-07-14T19:26:10Z
Ondřej Surý

It was discovered that on some platforms (f.e. Alpine Linux with MUSL)
the result of isc_os_ncpus() call differs when called before and after we
drop privileges.

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/2703
gcc-10+ -fanalyzer reports dereference of NULL ‘text’ in server.c:14721
2021-07-14T19:15:38Z
Ondřej Surý

```
server.c:14721:35: error: dereference of NULL ‘text’ [CWE-476] [-Werror=analyzer-null-dereference]
14721 | if (isc_buffer_usedlength(*text) > 0) {
../../lib/isc/include/isc/buffer.h:160:41: note: in definition of macro ‘isc_buffer_usedlength’
160 | #define isc_buffer_usedlength(b) ((b)->used) /* d-a */
| ^
‘named_server_showzone’: event 1
|
|server.c:14633:1:
|14633 | named_server_showzone(named_server_t *server, isc_lex_t *lex,
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to ‘named_server_showzone’
|
‘named_server_showzone’: event 2
|
|14649 | CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
| | ^
| | |
| | (2) calling ‘zone_from_args’ from ‘named_server_showzone’
server.c:191:27: note: in definition of macro ‘CHECK’
| 191 | result = (op); \
| | ^~
|
+--> ‘zone_from_args’: event 3
|
|10671 | zone_from_args(named_server_t *server, isc_lex_t *lex, const char *zonetxt,
| | ^~~~~~~~~~~~~~
| | |
| | (3) entry to ‘zone_from_args’
|
‘zone_from_args’: event 4
|
|../../lib/isc/include/isc/util.h:287:20:
| 287 | #define REQUIRE(e) assert(e)
| | ^~~~~~
| | |
| | (4) following ‘true’ branch...
server.c:10686:9: note: in expansion of macro ‘REQUIRE’
|10686 | REQUIRE(zonep != NULL && *zonep == NULL);
| | ^~~~~~~
|
‘zone_from_args’: events 5-8
|
|10688 | if (skip) {
| | ^~ ~
| | | |
| | | (6) following ‘true’ branch (when ‘skip != 0’)...
| | (5) ...to here
|10689 | /* Skip the command name. */
|10690 | ptr = next_token(lex, text);
| | ~~~ ~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (8) calling ‘next_token’ from ‘zone_from_args’
| | (7) ...to here
|
+--> ‘next_token’: events 9-11
|
|10619 | next_token(isc_lex_t *lex, isc_buffer_t **text) {
| | ^~~~~~~~~~
| | |
| | (9) entry to ‘next_token’
|......
|10639 | (void)putnull(text);
| | ~~~~~~~~~~~~~
| | |
| | (11) ...to here
|......
|10643 | if (text != NULL) {
| | ~
| | |
| | (10) following ‘false’ branch (when ‘text’ is NULL)...
|
<------+
|
‘zone_from_args’: events 12-13
|
|10690 | ptr = next_token(lex, text);
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (12) returning to ‘zone_from_args’ from ‘next_token’
|10691 | if (ptr == NULL) {
| | ~
| | |
| | (13) following ‘true’ branch (when ‘ptr’ is NULL)...
|
‘zone_from_args’: event 14
|
|cc1:
| (14): ...to here
|
<------+
|
‘named_server_showzone’: event 15
|
|14649 | CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
| | ^
| | |
| | (15) returning to ‘named_server_showzone’ from ‘zone_from_args’
server.c:191:27: note: in definition of macro ‘CHECK’
| 191 | result = (op); \
| | ^~
|
‘named_server_showzone’: event 16
|
| 192 | if (result != ISC_R_SUCCESS) \
| | ^
| | |
| | (16) following ‘true’ branch (when ‘result != 0’)...
server.c:14649:9: note: in expansion of macro ‘CHECK’
|14649 | CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
| | ^~~~~
|
‘named_server_showzone’: event 17
|
| 193 | goto cleanup; \
| | ^~~~
| | |
| | (17) ...to here
server.c:14649:9: note: in expansion of macro ‘CHECK’
|14649 | CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
| | ^~~~~
|
‘named_server_showzone’: events 18-19
|
|14717 | if (nzconfig != NULL) {
| | ^
| | |
| | (18) following ‘false’ branch...
|......
|14721 | if (isc_buffer_usedlength(*text) > 0) {
| | ~~
| | |
| | (19) ...to here
|
‘named_server_showzone’: event 20
|
|14721 | if (isc_buffer_usedlength(*text) > 0) {
../../lib/isc/include/isc/buffer.h:160:41: note: in definition of macro ‘isc_buffer_usedlength’
| 160 | #define isc_buffer_usedlength(b) ((b)->used) /* d-a */
| | ^
|
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2808
unchecked returns in rbtdb_test.c and dnssec-signzone.c
2021-07-14T19:14:21Z
Mark Andrews

rbtdb_test.c
```
134 isc_buffer_add(&b, strlen(str1));
CID 332455 (#1 of 2): Unchecked return value (CHECKED_RETURN) [select issue]
135 dns_name_fromtext(name1, &b, dns_rootname, 0, NULL);
136
137 name2 = dns_fixedname_initname(&fname2);
138 isc_buffer_constinit(&b, str2, strlen(str2));
139 isc_buffer_add(&b, strlen(str2));
CID 332455 (#2 of 2): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling dns_name_fromtext without checking return value (as is done elsewhere 137 out of 157 times).
140 dns_name_fromtext(name2, &b, dns_rootname, 0, NULL);
```
```
199 isc_buffer_add(&b, strlen(str1));
CID 332453 (#1 of 2): Unchecked return value (CHECKED_RETURN) [select issue]
200 dns_name_fromtext(name1, &b, dns_rootname, 0, NULL);
201
202 name2 = dns_fixedname_initname(&fname2);
203 isc_buffer_constinit(&b, str1, strlen(str1));
204 isc_buffer_add(&b, strlen(str1));
CID 332453 (#2 of 2): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling dns_name_fromtext without checking return value (as is done elsewhere 137 out of 157 times).
205 dns_name_fromtext(name2, &b, dns_rootname, 0, NULL);
```
dnssec-signzone.c
```
385
CID 332452 (#1 of 1): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling isc_rwlock_lock without checking return value (as is done elsewhere 98 out of 100 times).
386 isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
387 key = keythatsigned_unlocked(rrsig);
CID 332454: Unchecked return value (CHECKED_RETURN) [select issue]
388 isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2810
Silence untrusted loop bound
2021-07-14T19:09:27Z
Mark Andrews

```
630
1. tainted_argument: Calling function dns_rdata_tostruct taints argument nsec3param.iterations. [show details]
631 result = dns_rdata_tostruct(nsec3rdata, &nsec3param, NULL);
2. Condition !!(result == 0), taking true branch.
3. Condition !!(result == 0), taking true branch.
632 RUNTIME_CHECK(result == ISC_R_SUCCESS);
633
634 dns_fixedname_init(&fixed);
CID 281425 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
4. tainted_data: Passing tainted expression nsec3param.iterations to dns_nsec3_hashname, which uses it as a loop boundary. [show details]
Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
635 result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, vctx->origin,
636 vctx->origin, nsec3param.hash,
637 nsec3param.iterations, nsec3param.salt,
638 nsec3param.salt_length);
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2807
Coverity reports use of tainted scalar
2021-07-14T19:07:03Z
Mark Andrews

```
2607
43. tainted_argument: Calling function journal_read_xhdr taints argument xhdr.size. [show details]
2608 result = journal_read_xhdr(j1, &xhdr);
44. Condition rewrite, taking true branch.
45. Condition result == 29, taking false branch.
2609 if (rewrite && result == ISC_R_NOMORE) {
2610 break;
2611 }
46. Condition result != 0, taking false branch.
2612 CHECK(result);
2613
47. var_assign_var: Assigning: size = xhdr.size. Both are now tainted.
2614 size = xhdr.size;
CID 331088 (#3 of 3): Untrusted allocation size (TAINTED_SCALAR)
48. tainted_data: Passing tainted expression size to isc__mem_get, which uses it as an allocation size. [show details]
Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
2615 buf = isc_mem_get(mctx, size);
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2812
memory leak in main
2021-07-14T19:06:07Z
Ondřej Surý

I can more-or-less reliably reproduce the following crash:
```
D:rrl:Core was generated by `/home/ondrej/Projects/bind9/bin/named/.libs/named -D rrl-ns2 -X named.lock -m r'.
D:rrl:Program terminated with signal SIGABRT, Aborted.
D:rrl:#0 0x00007fdc2dd8e7bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
D:rrl:#0 0x00007fdc2dd8e7bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
D:rrl:#1 0x00007fdc2dd79535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
D:rrl:#2 0x000055dc9eb46c2f in assertion_failed (file=<optimized out>, line=<optimized out>, type=isc_assertiontype_insist, cond=0x7fdc2ea7aa97 "malloced == 0") at main.c:249
D:rrl:#3 0x00007fdc2ea31971 in isc_assertion_failed (file=file@entry=0x7fdc2ea7a958 "mem.c", line=line@entry=550, type=type@entry=isc_assertiontype_insist, cond=cond@entry=0x7fdc2ea7aa97 "malloced == 0") at assertions.c:47
D:rrl:#4 0x00007fdc2ea44583 in destroy (ctx=ctx@entry=0x55dca054da60) at jemalloc_shim.h:37
D:rrl:#5 0x00007fdc2ea448f4 in isc__mem_destroy (ctxp=0x55dc9ebade88 <named_g_mctx>, file=<optimized out>, line=<optimized out>) at mem.c:645
D:rrl:#6 0x000055dc9eb48d04 in main (argc=<optimized out>, argv=<optimized out>) at main.c:1556
D:rrl:--------------------------------------------------------------------------------
```
The memleak analysis points to:
```
add 0x7fdc0c039740 size 256 file netmgr/netmgr.c line 1480 mctx 0x55dca054da60
add 0x7fdc0c0c8a00 size 536 file netmgr/netmgr.c line 1647 mctx 0x55dca054da60
add 0x7fdc0c0395f0 size 256 file netmgr/netmgr.c line 1478 mctx 0x55dca054da60
add 0x7fdc0c6c9010 size 536 file netmgr/netmgr.c line 1644 mctx 0x55dca054da60
```
As it does happen only intermittently and in the softhsm2.4 branch (which is kind of broken - jemalloc+softhsm2.4 is no-no-no), it was only found later that this happens on "vanilla" build.
We changed the `isc_mem_allocate()` and `isc_mem_free()` on the `ah_frees` and `ah_handles` to `isc_mem_put()` and `isc_mem_put()`, but missed the fact that `isc_mem_reallocate()` is being used on L1642 and L1645.

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/2478
Consider making the build-time dependency on nghttp2 optional
2021-07-14T18:34:16Z
Michał Kępień

Right now, the `main` branch needs nghttp2 to be available in order for
BIND 9 to build at all. Since nghttp2 is only required for
DNS-over-HTTPS (DoH) support - which we promised to backport to BIND
9.16 at some point - it looks slightly harsh to have a new, hard
requirement on another library (even if it is a rather ubiquitous and
not version-picky one), especially in light of a future BIND 9.16
backport.
We should probably discuss whether nghttp2 should be considered
mandatory for:
- BIND 9.17+
- ~~BIND 9.16~~[^1]
Any changes in this area should be "announced" in:
- `README.md`
- `PLATFORMS.md`
- release notes.
[^1]: Not a possibility any more as it has been decided that DoH support
will not be backported to BIND 9.16.

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2824
Verify that random calls are seeded and used appropriately
2021-07-14T09:43:02Z
Michael McNally

A recent issue with [weak randomization used by the dhclient part of the ISC DHCP project](https://gitlab.isc.org/isc-projects/dhcp/-/issues/197) is a good reminder that we should examine PRNG use in each of ISC's open source projects to ensure that we are using (pseudo-)randomness appropriately.
Please treat this ticket as:
- a reminder to review PRNG use in your project to ensure that it is used properly
- a request to report on the status of that review, so that users who search for this ticket can satisfy themselves that we have checked our usage and believe it to be reasonable.

https://gitlab.isc.org/isc-projects/bind9/-/issues/2815
Crashes related to memory reallocation on OpenBSD
2021-07-13T12:00:06Z
Michał Kępień

New crashes, which seem to be related to memory reallocation, have been
recently observed on OpenBSD:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/1856101
```
D:fetchlimit:Core was generated by `named'.
D:fetchlimit:Program terminated with signal SIGSEGV, Segmentation fault.
D:fetchlimit:#0 isc___nmhandle_get (sock=0x4bdedbe5008, peer=<optimized out>, local=<optimized out>) at netmgr/netmgr.c:1658
D:fetchlimit:1658 INSIST(sock->ah_handles[pos] == NULL);
D:fetchlimit:[Current thread is 1 (process 414524)]
D:fetchlimit:#0 isc___nmhandle_get (sock=0x4bdedbe5008, peer=<optimized out>, local=<optimized out>) at netmgr/netmgr.c:1658
D:fetchlimit:#1 0x000004bd59eb8689 in isc__nm_get_read_req (sock=0x4bdedbe5008, sockaddr=0x4be16fdaae8) at netmgr/netmgr.c:2113
D:fetchlimit:#2 0x000004bd59ec666c in udp_recv_cb (handle=<optimized out>, nrecv=39, buf=0x4be16fdad70, addr=0x4be16fdac40, flags=<optimized out>) at netmgr/udp.c:402
D:fetchlimit:#3 0x000004bd6f10c137 in uv.udp_io () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#4 0x000004bd6f10da19 in uv.io_poll () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#5 0x000004bd6f0fc0b8 in uv_run () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#6 0x000004bd59eb0d6b in nm_thread (worker0=0x4be100990b8) at netmgr/netmgr.c:682
D:fetchlimit:#7 0x000004bd59f01d73 in isc__trampoline_run (arg=0x4be100b5580) at trampoline.c:180
D:fetchlimit:#8 0x000004be3b384f51 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
D:fetchlimit:#9 0x000004be0da71a5a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
```
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/1856602
```
D:fetchlimit:Core was generated by `named'.
D:fetchlimit:Program terminated with signal SIGABRT, Aborted.
D:fetchlimit:#0 thrkill () at /tmp/-:3
D:fetchlimit:[Current thread is 1 (process 478794)]
D:fetchlimit:#0 thrkill () at /tmp/-:3
D:fetchlimit:#1 0x000009cadd8db7be in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
D:fetchlimit:#2 0x000009c8758fb913 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at main.c:249
D:fetchlimit:#3 0x000009ca795aeca0 in isc_assertion_failed (file=0x0, line=6, type=isc_assertiontype_require, cond=0x9cadd92dffa <thrkill+10> "r\001\303d\211\004% ") at assertions.c:47
D:fetchlimit:#4 0x000009ca795c2ec4 in mem_putstats (ctx=0x9ca7638f008, ptr=<optimized out>, size=13744632839234567870) at mem.c:386
D:fetchlimit:#5 isc__mem_reallocate (ctx=0x9ca7638f008, old_ptr=0x9cad038e408, new_size=512, file=0x9ca7957e4b2 "netmgr/netmgr.c", line=1645) at mem.c:899
D:fetchlimit:#6 0x000009ca7959bcf2 in isc___nmhandle_get (sock=0x9cb270af008, peer=<optimized out>, local=<optimized out>) at netmgr/netmgr.c:1643
D:fetchlimit:#7 0x000009ca7959d689 in isc__nm_get_read_req (sock=0x9cb270af008, sockaddr=0x9cb655d0318) at netmgr/netmgr.c:2113
D:fetchlimit:#8 0x000009ca795ab66c in udp_recv_cb (handle=<optimized out>, nrecv=39, buf=0x9cb655d05a0, addr=0x9cb655d0470, flags=<optimized out>) at netmgr/udp.c:402
D:fetchlimit:#9 0x000009cb515e8137 in uv.udp_io () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#10 0x000009cb515e9a19 in uv.io_poll () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#11 0x000009cb515d80b8 in uv_run () from /usr/local/lib/libuv.so.3.0
D:fetchlimit:#12 0x000009ca79595d6b in nm_thread (worker0=0x9ca954680b8) at netmgr/netmgr.c:682
D:fetchlimit:#13 0x000009ca795e6d73 in isc__trampoline_run (arg=0x9cb70b6dc00) at trampoline.c:180
D:fetchlimit:#14 0x000009cadeacdf51 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
D:fetchlimit:#15 0x000009cadd94acca in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
```
It looks like these flaws might have been uncovered by !5252. @ondrej
[said][1] that they are related to OpenBSD not exposing `malloc_size()`
or `malloc_usable_size()` and us having to work around it. He also
[proposed][2] a fix.
[1]: https://gitlab.isc.org/isc-projects/bind9/-/issues/2812#note_224856
[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/2812#note_224858

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2811
checkds code may fail to release all resources on shutdown
2021-07-13T09:50:39Z
Michał Kępień

The "checkds" system test has been failing intermittently on FreeBSD:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/1845792
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/1847239
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/1851457
These failures are caused not by the test itself failing (the actual
Python tests are skipped), but rather by `named` assertion failures
triggered by outstanding memory allocations at shutdown.
I assumed these are happening because `named` is shut down very shortly
after startup. By looking at the list of outstanding allocations, I was
able to determine that the leaked allocations are instances of the
`dns_message_t` structure along with its various members. All of these
`dns_message_t` objects had `from_to_wire` set to
`DNS_MESSAGE_INTENTRENDER`, which made me look at
`checkds_send_toaddr()`, where these objects are allocated.
I believe there is a bug in there that prevents the `dns_message_t`
object (referenced by the `message` stack variable) from being released
when the `dns_request_createvia()` call fails (e.g. because
`requestmgr->exiting` is `true`, which is what happens at shutdown):
```diff
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index bbd2da00fda..cb6f47870f4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -21231,7 +21231,7 @@ checkds_send_toaddr(isc_task_t *task, isc_event_t *event) {
checkds->zone, ISC_LOG_DEBUG(3),
"checkds: dns_request_createvia() to %s failed: %s",
addrbuf, dns_result_totext(result));
- goto cleanup;
+ goto cleanup_key;
}
cleanup_key:
```
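Review bot: the retargeted `goto cleanup_key;` jumps to the label that sits directly after the closing brace, and nothing on that line says why it must not go to `cleanup` instead; a short comment there (for example, that `message` still has to be released when `dns_request_createvia()` fails) would keep a later edit from switching it back to `goto cleanup;`. The visible context does not show what `cleanup:` itself releases, so any other `goto cleanup` exit in `checkds_send_toaddr()` is worth checking for the same leak.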
(Note that the `goto` statement can also be removed altogether, but
perhaps it is more future-proof to leave it there, in case more code
gets added at a later time.)
To reproduce the problem, apply the following patch:
```diff
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index bbd2da00fda..1790f7d3ada 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -14,6 +14,7 @@
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
+#include <unistd.h>
#include <isc/atomic.h>
#include <isc/file.h>
@@ -21222,6 +21223,7 @@ checkds_send_toaddr(isc_task_t *task, isc_event_t *event) {
timeout = 15;
options |= DNS_REQUESTOPT_TCP;
+ sleep(1);
result = dns_request_createvia(
checkds->zone->view->requestmgr, message, &src, &checkds->dst,
dscp, options, key, timeout * 3, timeout, 0,
```
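Review bot: the `sleep(1)` added ahead of `dns_request_createvia()` is unconditional and blocks whichever thread runs `checkds_send_toaddr()` for a full second on every DS check, so this hunk and the `<unistd.h>` include that supports it should stay a local reproduction aid and never reach a merge request. If the shutdown race needs a permanent regression test, a test-only way of making the request creation fail would exercise the same error path without a delay in production code.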
and run the `checkds` system test on a platform where the Python tests
for checkds are skipped.
I do not think this is significant enough to fix in July releases - it
only happens if `named` is shut down around the time a DS check is
queued and only triggers an assertion failure *at shutdown*.

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/83
Convert docbook to md/rst
2021-07-12T08:28:23Z
Ondřej Surý

A placeholder issue to convert the documentation from docbook to a human readable format.

June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2816
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
2021-07-12T08:23:42Z
Ondřej Surý

Found by ossfuzz:
```
[Environment] UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-d76d7bd8ebb5b351b84bf2047ba1e3c4c126abe6
Time ran: 0.05019402503967285
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3998893740
INFO: Loaded 1 modules (113688 inline 8-bit counters): 113688 [0x103ace8, 0x1056900),
INFO: Loaded 1 PC tables (113688 PCs): 113688 [0x1056900,0x1212a80),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-d76d7bd8ebb5b351b84bf2047ba1e3c4c126abe6
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
include/isc/mem.h:478:1: note: returns_nonnull attribute specified here
#0 0x95a4bb in isc__mem_get bind9/lib/isc/mem.c:740:1
#1 0x93c28f in isc_buffer_allocate bind9/lib/isc/buffer.c:543:25
#2 0x5254b2 in unknown_fromtext bind9/lib/dns/rdata.c:882:2
#3 0x523e6d in dns_rdata_fromtext bind9/lib/dns/rdata.c:979:13
#4 0x4b5fff in LLVMFuzzerTestOneInput bind9/fuzz/dns_rdata_fromwire_text.c:173:11
#5 0x443d93 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#6 0x42f4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#7 0x4351ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#8 0x45eca2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#9 0x7fa08774183f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/libc-start.c:291
#10 0x40a5a8 in _start
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mem.c:739:2 in
ORIGINAL STACKTRACE ON REVISION D7AA979A6C3F5A639012EC5981992FC8A3867525 (43 LINES)
[Environment] UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b3e3b33147ec29ee51c4add23be2f25febb5b351b84bf2047ba1e3c4c126abe6
Time ran: 0.04110836982727051
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4192504056
INFO: Loaded 1 modules (113688 inline 8-bit counters): 113688 [0x103ace8, 0x1056900),
INFO: Loaded 1 PC tables (113688 PCs): 113688 [0x1056900,0x1212a80),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b3e3b33147ec29ee51c4add23be2f25febb5b351b84bf2047ba1e3c4c126abe6
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
include/isc/mem.h:478:1: note: returns_nonnull attribute specified here
#0 0x95a4bb in isc__mem_get bind9/lib/isc/mem.c:740:1
#1 0x93c28f in isc_buffer_allocate bind9/lib/isc/buffer.c:543:25
#2 0x5254b2 in unknown_fromtext bind9/lib/dns/rdata.c:882:2
#3 0x523e6d in dns_rdata_fromtext bind9/lib/dns/rdata.c:979:13
#4 0x4b5fff in LLVMFuzzerTestOneInput bind9/fuzz/dns_rdata_fromwire_text.c:173:11
#5 0x443d93 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#6 0x42f4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#7 0x4351ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#8 0x45eca2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#9 0x7fd7daa3f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/libc-start.c:291
#10 0x40a5a8 in _start
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mem.c:739:2 in
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/2817
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
2021-07-12T07:22:51Z
Ondřej Surý

Found by ossfuzz:
```
[Environment] UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-d76d7bd8ebb5b351b84bf2047ba1e3c4c126abe6
Time ran: 0.05019402503967285
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3998893740
INFO: Loaded 1 modules (113688 inline 8-bit counters): 113688 [0x103ace8, 0x1056900),
INFO: Loaded 1 PC tables (113688 PCs): 113688 [0x1056900,0x1212a80),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-d76d7bd8ebb5b351b84bf2047ba1e3c4c126abe6
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
include/isc/mem.h:478:1: note: returns_nonnull attribute specified here
#0 0x95a4bb in isc__mem_get bind9/lib/isc/mem.c:740:1
#1 0x93c28f in isc_buffer_allocate bind9/lib/isc/buffer.c:543:25
#2 0x5254b2 in unknown_fromtext bind9/lib/dns/rdata.c:882:2
#3 0x523e6d in dns_rdata_fromtext bind9/lib/dns/rdata.c:979:13
#4 0x4b5fff in LLVMFuzzerTestOneInput bind9/fuzz/dns_rdata_fromwire_text.c:173:11
#5 0x443d93 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#6 0x42f4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#7 0x4351ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#8 0x45eca2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#9 0x7fa08774183f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/libc-start.c:291
#10 0x40a5a8 in _start
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mem.c:739:2 in
ORIGINAL STACKTRACE ON REVISION D7AA979A6C3F5A639012EC5981992FC8A3867525 (43 LINES)
[Environment] UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b3e3b33147ec29ee51c4add23be2f25febb5b351b84bf2047ba1e3c4c126abe6
Time ran: 0.04110836982727051
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4192504056
INFO: Loaded 1 modules (113688 inline 8-bit counters): 113688 [0x103ace8, 0x1056900),
INFO: Loaded 1 PC tables (113688 PCs): 113688 [0x1056900,0x1212a80),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bind9_9f24385eb8a2bc6fb33e75dbdae3dfe52925ab00/revisions/dns_rdata_fromwire_text_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b3e3b33147ec29ee51c4add23be2f25febb5b351b84bf2047ba1e3c4c126abe6
mem.c:739:2: runtime error: null pointer returned from function declared to never return null
include/isc/mem.h:478:1: note: returns_nonnull attribute specified here
#0 0x95a4bb in isc__mem_get bind9/lib/isc/mem.c:740:1
#1 0x93c28f in isc_buffer_allocate bind9/lib/isc/buffer.c:543:25
#2 0x5254b2 in unknown_fromtext bind9/lib/dns/rdata.c:882:2
#3 0x523e6d in dns_rdata_fromtext bind9/lib/dns/rdata.c:979:13
#4 0x4b5fff in LLVMFuzzerTestOneInput bind9/fuzz/dns_rdata_fromwire_text.c:173:11
#5 0x443d93 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#6 0x42f4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#7 0x4351ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#8 0x45eca2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#9 0x7fd7daa3f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/libc-start.c:291
#10 0x40a5a8 in _start
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mem.c:739:2 in
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/2753
timer_test subtests are not independent
2021-07-12T03:58:03Z
Mark Andrews

Job [#1773630](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1773630) failed for 6d84bff56595a2d06014f344f4b76bc4f316168a:
Only the first subtest failed below (timer_test.c:234 subthread_assert_true) but 2..5 reported failures.
```
1..5
# timer_test.c:234 subthread_assert_true
not ok 1 - ticker
# 0x22 != 0
# timer_test.c:144: error: Failure!
not ok 2 - once_life
# 0x22 != 0
# timer_test.c:144: error: Failure!
not ok 3 - once_idle
# 0x22 != 0
# timer_test.c:144: error: Failure!
not ok 4 - reset
# 0x22 != 0
# timer_test.c:144: error: Failure!
not ok 5 - purge
# 0x22 != 0
# timer_test.c:585: error: Failure!
```

August 2021 (9.11.35, 9.11.35-S1, 9.16.20, 9.16.20-S1, 9.17.17)
Mark Andrews

https://gitlab.isc.org/isc-projects/kea/-/issues/1954
Recommend latin1 character set with latin1_swedish_ci collation for MySQL
2021-07-08T15:07:34Z
Andrei Pavel andrei@isc.org

Not enforce it. Just recommend it in the ARM because it's what we've been testing with for so long. It's the default collation. Other collations have posed problems, like the infamous 767 bytes limit of the UTF-8 character set.
[RT#18583](https://support.isc.org/Ticket/Display.html?id=18583)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2279
Document in the ARM, how max-cache-size is used (from 9.16.6 and 9.17.4 and newer) to avoid server delays due to hash table resizing
2021-07-08T09:17:25Z
Cathy Almond

Related to #1775, !3935, !3936 and [Support ticket #16212](https://support.isc.org/Ticket/Display.html?id=16212)
We haven't done a very good job of documenting in the ARM how this new hash table sizing thing works.
There's just this snippet in the 9.16 ARM:
8.7.3 Feature Changes
• BIND’s cache database implementation has been updated to use a faster hash function with better distribution. In
addition, the effective max-cache-size (configured explicitly, defaulting to a value based on system memory or
set to unlimited) now pre-allocates fixed-size hash tables. This prevents interruption to query resolution when
the hash table sizes need to be increased. [GL #1775]
Meanwhile, max-cache-size is still described thus:
max-cache-size
This sets the maximum amount of memory to use for the server’s cache, in bytes or percentage
of total physical memory. When the amount of data in the cache reaches this limit, the server causes records to
expire prematurely based on an LRU-based strategy so that the limit is not exceeded. The keyword unlimited,
or the value 0, places no limit on the cache size; records are purged from the cache only when their TTLs expire.
Any positive values less than 2MB are ignored and reset to 2MB. In a server with multiple views, the limit applies
separately to the cache of each view. The default is 90%. On systems where detection of the amount of physical
memory is not supported, values represented as a percentage fall back to unlimited. Note that the detection of
physical memory is done only once at startup, so named does not adjust the cache size if the amount of physical
memory is changed during runtime
Neither of these really explains how max-cache-size affects cache hash table sizing, which is:
a) Set the initial hash table size to be 4 bits (see !3935, !3936 and #2075)
b) If we have set max-cache-size, or have not specified it at all (defaults to 90% of available system memory) then compute the largest expected hash table size we should need
c) On the first time we need to increase the hash table for any RBT, and assuming we have not set 'unlimited' (max-cache-size 0), then do one single increase, from the minimum, to the biggest size we expect to need (per action b)
Please find a way to explain this clearly in the ARM.
====
We should, I think, also recommend that operators with multiple views in their configuration, set max-cache-size per view, and also (to prevent surprises), for minimal-use-views that they don't know how big a cache they will need, but that it's probably not too big, to use "max-cache-size 0;"

July 2021 (9.11.34, 9.11.34-S1, 9.16.19, 9.16.19-S1, 9.17.16)