BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2020-08-25T06:59:03Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/2055
[CVE-2020-8624] "update-policy" rules of type "subdomain" are enforced incorrectly
2020-08-25T06:59:03Z
Joop Boonen

### Summary
`update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; }` is not handled correctly.
It is also possible to change entries in DOMAIN.TLD.
### BIND version used
9.16.5 opensuse
9.11.5 debian buster
Both show exactly the same problem.
### Steps to reproduce
Configuration:
````
include "/etc/bind/dev.key";
zone DOMAIN.TLD {
    type master;
    file "/var/lib/bind/zones/DOMAIN.TLD";
    key-directory "/var/lib/bind/keys";
    masterfile-format raw;
    update-policy {
        grant dhcp zonesub a dhcid;
        grant local-ddns zonesub any;
        grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
    };
    allow-transfer {
        local;
    };
};
````
Key
````
cat /etc/bind/dev.key
key "dev.DOMAIN.TLD" {
    algorithm hmac-sha512;
    secret "******";
};
````
````
nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test3.dev.DOMAIN.TLD a 192.0.2.3
> send
> update add test.DOMAIN.TLD a 192.0.2.1
> send
````
````
Jul 28 16:48:59 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test3.dev.DOMAIN.de' A 192.0.2.3
Jul 28 16:48:59 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050521)
Jul 28 16:49:07 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test.DOMAIN.de' A 192.0.2.1
Jul 28 16:49:07 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050522)
````
### What is the current *bug* behavior?
It is also possible to change entries in DOMAIN.TLD
### What is the expected *correct* behavior?
````
nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test4.dev.DOMAIN.TLD a 192.0.2.4
> send
> update add test4.DOMAIN.TLD a 192.0.2.4
> send
update failed: REFUSED
````
````
Jul 28 19:55:24 leap152-bind named[7625]: client @0x7ff5580a6970 192.168.122.1#46061/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test4.dev.DOMAIN.de' A 192.0.2.4
Jul 28 19:55:24 leap152-bind named[7625]: zone DOMAIN.de/IN: sending notifies (serial 2020050523)
Jul 28 19:55:38 leap152-bind named[7625]: client @0x7ff5580a6970 192.168.122.1#46061/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': update failed: rejected by secure update (REFUSED)
````
This is seen on:
````
9.11.2 opensuse
9.10.3 debian stretch
````
### Relevant configuration files
````
zone DOMAIN.TLD {
    type master;
    file "/var/lib/bind/zones/DOMAIN.TLD";
    key-directory "/var/lib/bind/keys";
    masterfile-format raw;
    update-policy {
        grant dhcp zonesub a dhcid;
        grant local-ddns zonesub any;
        grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
    };
    allow-transfer {
        local;
    };
};
cat /etc/bind/dev.key
key "dev.DOMAIN.TLD" {
    algorithm hmac-sha512;
    secret "******";
};
````
### Relevant logs and/or screenshots
````
nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test3.dev.DOMAIN.TLD a 192.0.2.3
> send
> update add test.DOMAIN.TLD a 192.0.2.1
> send
````
````
Jul 28 16:48:59 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test3.dev.DOMAIN.de' A 192.0.2.3
Jul 28 16:48:59 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050521)
Jul 28 16:49:07 leap152-bind named[5894]: client @0x7f5718000c80 192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding an RR at 'test.DOMAIN.de' A 192.0.2.1
Jul 28 16:49:07 leap152-bind named[5894]: zone DOMAIN.de/IN: sending notifies (serial 2020050522)
````
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2033
'rndc dnstap --roll' fix was incomplete
2020-08-04T11:02:59Z
Mark Andrews

```
1178 }
21. Condition i < versions, taking true branch.
1179 if (i < versions) {
CID 305429 (#1 of 1): Out-of-bounds read (OVERRUN)
22. overrun-local: Overrunning array of 2048 bytes at byte offset 2048 by dereferencing pointer &to_keep[i + 1]. [Note: The source code implementation of the function has been overridden by a builtin model.]
1180 memmove(&to_keep[i + 1],
1181 &to_keep[i],
1182 sizeof(to_keep[0]) *
1183 (versions - i -
1184 1));
1185 to_keep[i] = version;
1186 }
1187 }
1188 }
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2028
[CVE-2020-8622] A truncated TSIG response can lead to an assertion failure
2020-08-31T06:27:58Z
Michael McNally

On [Support #16800](https://support.isc.org/Ticket/Display.html?id=16800) a customer reports to us:
There is a bug that we've seen in BIND, where a crash can occur if BIND receives a response to a TSIG-signed packet where the TSIG record is not completely (or at all) contained in the response which is at least 4097 bytes _and_ the packet is marked as truncated (tc bit == 1).
We initially saw it in a 9.9 version, but then updated to an ESV 9.11 and have reproduced the issue there as well. Our 9.9 stack trace is corrupted, but we were able to get a stack trace from 9.11.
```
#0 0x000000fff63010c0 in raise () from /lib64/libc.so.6
#1 0x000000fff6303060 in abort () from /lib64/libc.so.6
#2 0x000000aaab8ad8b8 in assertion_failed ()
#3 0x000000fff6b12ac8 in isc_assertion_failed () from /lib64/libisc.so.169
#4 0x000000fff6e8a228 in dns_message_checksig () from /lib64/libdns.so.1102
#5 0x000000fff6f4c2b0 in resquery_response () from /lib64/libdns.so.1102
#6 0x000000fff6b3fcd0 in run () from /lib64/libisc.so.169
#7 0x000000fff6847e24 in start_thread () from /lib64/libpthread.so.0
#8 0x000000fff6418f2c in __thread_start () from /lib64/libc.so.6
```
A key element appears to be that even though BIND issues an OPT record requesting a packet size of 4096, if:
- The initial request has a TSIG.
- The responder responds with more than 4096 bytes (or at least a situation where the TSIG record is not completely contained with the first 4096 bytes)
- the response is marked with the TC bit == 1.
This is also in a scenario where BIND is acting as a forwarder, though I do not know if that is relevant.

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2020
configure call needs to be cleaned up main: gcc:centos6:amd64
2020-07-31T06:26:12Z
Mark Andrews

Job [#1019080](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1019080) failed for c91dc92410f15d1c93c70d2c596350eee7748958:
Unrecognized options:
--with-libtool, --without-make-clean, --with-python, --without-python

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2014
Statschannel system test failed at setup stage.
2020-07-16T07:22:03Z
Mark Andrews

Job [#1013834](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1013834) failed for 032133d8cedd202f30f8e32b38386158cc647649:
Looking at the contents of ns2 and sign.sh it appears that the dnssec-signzone failed. This is almost certainly due to verification failing as it set expiration to `"now"+1s`.
```
S:statschannel:2020-07-08T02:16:29+0000
T:statschannel:1:A
A:statschannel:System test statschannel
I:statschannel:PORTRANGE:12500 - 12599
I:statschannel:setup.sh script failed
R:statschannel:FAIL
E:statschannel:2020-07-08T02:16:31+0000
```
```
[beetle:system/statschannel/ns2] marka% ls
Kdnssec.+013+42972.key Kdnssec.+013+47508.private
Kdnssec.+013+42972.private dsset-dnssec.
Kdnssec.+013+47508.key named.conf
[beetle:system/statschannel/ns2] marka%
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2013
Unchecked returns of inet_pton in geoip_test.c
2020-07-13T01:45:30Z
Mark Andrews

```
305 dns_geoip_elem_t elt;
306 struct in_addr in4;
307 isc_netaddr_t na;
308
CID 281437 (#1 of 1): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling inet_pton without checking return value (as is done elsewhere 89 out of 91 times).
309 inet_pton(AF_INET, addr, &in4);
310 isc_netaddr_fromin(&na, &in4);
...
322 dns_geoip_elem_t elt;
323 struct in6_addr in6;
324 isc_netaddr_t na;
325
CID 281472 (#1 of 1): Unchecked return value (CHECKED_RETURN)
1. check_return: Calling inet_pton without checking return value (as is done elsewhere 89 out of 91 times).
326 inet_pton(AF_INET6, addr, &in6);
327 isc_netaddr_fromin6(&na, &in6);
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2010
Potential NULL pointer dereference (9.11) in dnstap.c
2020-07-13T04:31:50Z
Mark Andrews

```
REQUIRE(handlep != NULL && *handlep == NULL);
858
859 handle = isc_mem_get(mctx, sizeof(*handle));
4. Condition handle == NULL, taking true branch.
5. var_compare_op: Comparing handle to null implies that handle might be null.
860 if (handle == NULL)
6. Condition result != 0, taking true branch.
7. Jumping to label cleanup.
861 CHECK(ISC_R_NOMEMORY);
...
897 cleanup:
8. Condition result != 0, taking true branch.
CID 286432 (#1 of 1): Dereference after null check (FORWARD_NULL)
9. var_deref_op: Dereferencing null pointer handle.
898 if (result != ISC_R_SUCCESS && handle->reader != NULL) {
899 fstrm_reader_destroy(&handle->reader);
900 handle->reader = NULL;
901 }
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/1991
Cleanup redundant non-NULL check.
2020-07-06T00:30:57Z
Mark Andrews

```
1407 if (sigrdataset != NULL) {
1408 putrdataset(client->mctx, &sigrdataset);
1409 }
CID 288001 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking rctx suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1410 if (rctx != NULL) {
1411 isc_mutex_destroy(&rctx->lock);
1412 isc_mem_put(mctx, rctx, sizeof(*rctx));
1413 }
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/1990
Bad isc_mem_put size.
2020-07-16T07:05:26Z
Mark Andrews

```
331 result = dns_rdatatype_fromtext(&types[i++].type, &r);
332 if (result != ISC_R_SUCCESS) {
333 cfg_obj_log(identity, named_g_lctx,
334 ISC_LOG_ERROR,
335 "'%.*s' is not a valid type",
336 (int)r.length, str);
CID 302775 (#1 of 1): Sizeof not portable (SIZEOF_MISMATCH)
suspicious_sizeof: Passing argument types of type dns_ssuruletype_t * and argument n * 8UL /* sizeof (types) */ to function isc__mem_put is suspicious. In this case, sizeof (dns_ssuruletype_t *) is equal to sizeof (dns_ssuruletype_t), but this is not a portable assumption.
Did you intend to use sizeof (*types) instead of sizeof (types)?
337 isc_mem_put(mctx, types, n * sizeof(types));
338 goto cleanup;
339 }
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/1475
ThreadSanitizer: data race lib/dns/rbtdb.c:1545 in mark_header_stale and check_stale_header
2020-08-26T21:24:35Z
Ondřej Surý

Found in `zero` test:
```
WARNING: ThreadSanitizer: data race (pid=7941)
Read of size 2 at 0x7b3000026adc by thread T2 (mutexes: read M633172806149932752, read M641898633507182144):
#0 mark_header_stale /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1545 (libdns.so.1505+0x10bd0b)
#1 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4345 (libdns.so.1505+0x10bd0b)
#2 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4797 (libdns.so.1505+0x122c03)
#3 dns_db_findext /home/ondrej/Projects/bind9/lib/dns/db.c:551 (libdns.so.1505+0x6673c)
#4 query_lookup /home/ondrej/Projects/bind9/lib/ns/query.c:5515 (libns.so.1502+0x3f6a0)
#5 ns__query_start /home/ondrej/Projects/bind9/lib/ns/query.c:5441 (libns.so.1502+0x40209)
#6 query_setup /home/ondrej/Projects/bind9/lib/ns/query.c:5162 (libns.so.1502+0x48c13)
#7 ns_query_start /home/ondrej/Projects/bind9/lib/ns/query.c:11239 (libns.so.1502+0x49444)
#8 ns__client_request /home/ondrej/Projects/bind9/lib/ns/client.c:2157 (libns.so.1502+0x15890)
#9 udp_recv_cb /home/ondrej/Projects/bind9/lib/isc/netmgr/udp.c:317 (libisc.so.1504+0x46926)
#10 <null> <null> (libuv.so.1+0x1d6d4)
#11 <null> <null> (libtsan.so.0+0x29b3d)
Previous write of size 2 at 0x7b3000026adc by thread T6 (mutexes: read M633172806149932752, read M641898633507182144):
#0 mark_header_stale /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1557 (libdns.so.1505+0x10bd67)
#1 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4345 (libdns.so.1505+0x10bd67)
#2 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4797 (libdns.so.1505+0x122c03)
#3 dns_db_findext /home/ondrej/Projects/bind9/lib/dns/db.c:551 (libdns.so.1505+0x6673c)
#4 query_lookup /home/ondrej/Projects/bind9/lib/ns/query.c:5515 (libns.so.1502+0x3f6a0)
#5 ns__query_start /home/ondrej/Projects/bind9/lib/ns/query.c:5441 (libns.so.1502+0x40209)
#6 query_setup /home/ondrej/Projects/bind9/lib/ns/query.c:5162 (libns.so.1502+0x48c13)
#7 ns_query_start /home/ondrej/Projects/bind9/lib/ns/query.c:11239 (libns.so.1502+0x49444)
#8 ns__client_request /home/ondrej/Projects/bind9/lib/ns/client.c:2157 (libns.so.1502+0x15890)
#9 udp_recv_cb /home/ondrej/Projects/bind9/lib/isc/netmgr/udp.c:317 (libisc.so.1504+0x46926)
#10 <null> <null> (libuv.so.1+0x1d6d4)
#11 <null> <null> (libtsan.so.0+0x29b3d)
Location is heap block of size 181 at 0x7b3000026ac0 allocated by thread T11:
#0 malloc <null> (libtsan.so.0+0x2b1a3)
#1 default_memalloc /home/ondrej/Projects/bind9/lib/isc/mem.c:685 (libisc.so.1504+0x33fee)
#2 mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:598 (libisc.so.1504+0x34c7e)
#3 mem_allocateunlocked /home/ondrej/Projects/bind9/lib/isc/mem.c:1222 (libisc.so.1504+0x34c7e)
#4 isc___mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:1242 (libisc.so.1504+0x34c7e)
#5 isc__mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:2387 (libisc.so.1504+0x3be64)
#6 isc___mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:1007 (libisc.so.1504+0x3c6ca)
#7 isc__mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:2365 (libisc.so.1504+0x3aef1)
#8 dns_rdataslab_fromrdataset /home/ondrej/Projects/bind9/lib/dns/rdataslab.c:266 (libdns.so.1505+0x17a212)
#9 addrdataset /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:6461 (libdns.so.1505+0x119b45)
#10 dns_db_addrdataset /home/ondrej/Projects/bind9/lib/dns/db.c:744 (libdns.so.1505+0x673cf)
#11 cache_name /home/ondrej/Projects/bind9/lib/dns/resolver.c:6316 (libdns.so.1505+0x19404b)
#12 cache_message /home/ondrej/Projects/bind9/lib/dns/resolver.c:6413 (libdns.so.1505+0x1ae663)
#13 resquery_response /home/ondrej/Projects/bind9/lib/dns/resolver.c:7631 (libdns.so.1505+0x1ae663)
#14 dispatch /home/ondrej/Projects/bind9/lib/isc/task.c:1134 (libisc.so.1504+0x56fa6)
#15 run /home/ondrej/Projects/bind9/lib/isc/task.c:1319 (libisc.so.1504+0x56fa6)
#16 <null> <null> (libtsan.so.0+0x29b3d)
Mutex M633172806149932752 is already destroyed.
Mutex M641898633507182144 is already destroyed.
Thread T2 'isc-net-0001' (tid=7987, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_nm_start /home/ondrej/Projects/bind9/lib/isc/netmgr/netmgr.c:149 (libisc.so.1504+0x3ec7a)
#3 create_managers main.c:895 (named+0x1ae90)
#4 setup main.c:1235 (named+0x1ae90)
#5 main main.c:1515 (named+0x1ae90)
Thread T6 'isc-net-0005' (tid=8016, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_nm_start /home/ondrej/Projects/bind9/lib/isc/netmgr/netmgr.c:149 (libisc.so.1504+0x3ec7a)
#3 create_managers main.c:895 (named+0x1ae90)
#4 setup main.c:1235 (named+0x1ae90)
#5 main main.c:1515 (named+0x1ae90)
Thread T11 'isc-worker0002' (tid=8040, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_taskmgr_create /home/ondrej/Projects/bind9/lib/isc/task.c:1410 (libisc.so.1504+0x59d63)
#3 create_managers main.c:902 (named+0x1aeec)
#4 setup main.c:1235 (named+0x1aeec)
#5 main main.c:1515 (named+0x1aeec)
SUMMARY: ThreadSanitizer: data race /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1545 in mark_header_stale
```
```
WARNING: ThreadSanitizer: data race (pid=7941)
Read of size 2 at 0x7b340000271c by thread T3 (mutexes: read M633172806149932752, read M641617158530471408):
#0 mark_header_stale /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1545 (libdns.so.1505+0x10bd0b)
#1 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4345 (libdns.so.1505+0x10bd0b)
#2 find_deepest_zonecut /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4503 (libdns.so.1505+0x10eed1)
#3 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4758 (libdns.so.1505+0x1236b0)
#4 dns_db_findext /home/ondrej/Projects/bind9/lib/dns/db.c:551 (libdns.so.1505+0x6673c)
#5 query_lookup /home/ondrej/Projects/bind9/lib/ns/query.c:5515 (libns.so.1502+0x3f6a0)
#6 ns__query_start /home/ondrej/Projects/bind9/lib/ns/query.c:5441 (libns.so.1502+0x40209)
#7 query_setup /home/ondrej/Projects/bind9/lib/ns/query.c:5162 (libns.so.1502+0x48c13)
#8 ns_query_start /home/ondrej/Projects/bind9/lib/ns/query.c:11239 (libns.so.1502+0x49444)
#9 ns__client_request /home/ondrej/Projects/bind9/lib/ns/client.c:2157 (libns.so.1502+0x15890)
#10 udp_recv_cb /home/ondrej/Projects/bind9/lib/isc/netmgr/udp.c:317 (libisc.so.1504+0x46926)
#11 <null> <null> (libuv.so.1+0x1d6d4)
#12 <null> <null> (libtsan.so.0+0x29b3d)
Previous write of size 2 at 0x7b340000271c by thread T5 (mutexes: read M633172806149932752, read M641617158530471408):
#0 mark_header_stale /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1557 (libdns.so.1505+0x10bd67)
#1 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4345 (libdns.so.1505+0x10bd67)
#2 find_deepest_zonecut /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4503 (libdns.so.1505+0x10eed1)
#3 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4758 (libdns.so.1505+0x1236b0)
#4 dns_db_findext /home/ondrej/Projects/bind9/lib/dns/db.c:551 (libdns.so.1505+0x6673c)
#5 query_lookup /home/ondrej/Projects/bind9/lib/ns/query.c:5515 (libns.so.1502+0x3f6a0)
#6 ns__query_start /home/ondrej/Projects/bind9/lib/ns/query.c:5441 (libns.so.1502+0x40209)
#7 query_setup /home/ondrej/Projects/bind9/lib/ns/query.c:5162 (libns.so.1502+0x48c13)
#8 ns_query_start /home/ondrej/Projects/bind9/lib/ns/query.c:11239 (libns.so.1502+0x49444)
#9 ns__client_request /home/ondrej/Projects/bind9/lib/ns/client.c:2157 (libns.so.1502+0x15890)
#10 udp_recv_cb /home/ondrej/Projects/bind9/lib/isc/netmgr/udp.c:317 (libisc.so.1504+0x46926)
#11 <null> <null> (libuv.so.1+0x1d6d4)
#12 <null> <null> (libtsan.so.0+0x29b3d)
Location is heap block of size 197 at 0x7b3400002700 allocated by thread T11:
#0 malloc <null> (libtsan.so.0+0x2b1a3)
#1 default_memalloc /home/ondrej/Projects/bind9/lib/isc/mem.c:685 (libisc.so.1504+0x33fee)
#2 mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:598 (libisc.so.1504+0x34c7e)
#3 mem_allocateunlocked /home/ondrej/Projects/bind9/lib/isc/mem.c:1222 (libisc.so.1504+0x34c7e)
#4 isc___mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:1242 (libisc.so.1504+0x34c7e)
#5 isc__mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:2387 (libisc.so.1504+0x3be64)
#6 isc___mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:1007 (libisc.so.1504+0x3c6ca)
#7 isc__mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:2365 (libisc.so.1504+0x3aef1)
#8 dns_rdataslab_fromrdataset /home/ondrej/Projects/bind9/lib/dns/rdataslab.c:266 (libdns.so.1505+0x17a212)
#9 addrdataset /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:6461 (libdns.so.1505+0x119b45)
#10 dns_db_addrdataset /home/ondrej/Projects/bind9/lib/dns/db.c:744 (libdns.so.1505+0x673cf)
#11 cache_name /home/ondrej/Projects/bind9/lib/dns/resolver.c:6316 (libdns.so.1505+0x19404b)
#12 cache_message /home/ondrej/Projects/bind9/lib/dns/resolver.c:6413 (libdns.so.1505+0x1ae663)
#13 resquery_response /home/ondrej/Projects/bind9/lib/dns/resolver.c:7631 (libdns.so.1505+0x1ae663)
#14 dispatch /home/ondrej/Projects/bind9/lib/isc/task.c:1134 (libisc.so.1504+0x56fa6)
#15 run /home/ondrej/Projects/bind9/lib/isc/task.c:1319 (libisc.so.1504+0x56fa6)
#16 <null> <null> (libtsan.so.0+0x29b3d)
Mutex M633172806149932752 is already destroyed.
Mutex M641617158530471408 is already destroyed.
Thread T3 'isc-net-0002' (tid=7993, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_nm_start /home/ondrej/Projects/bind9/lib/isc/netmgr/netmgr.c:149 (libisc.so.1504+0x3ec7a)
#3 create_managers main.c:895 (named+0x1ae90)
#4 setup main.c:1235 (named+0x1ae90)
#5 main main.c:1515 (named+0x1ae90)
Thread T5 'isc-net-0004' (tid=8008, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_nm_start /home/ondrej/Projects/bind9/lib/isc/netmgr/netmgr.c:149 (libisc.so.1504+0x3ec7a)
#3 create_managers main.c:895 (named+0x1ae90)
#4 setup main.c:1235 (named+0x1ae90)
#5 main main.c:1515 (named+0x1ae90)
Thread T11 'isc-worker0002' (tid=8040, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_taskmgr_create /home/ondrej/Projects/bind9/lib/isc/task.c:1410 (libisc.so.1504+0x59d63)
#3 create_managers main.c:902 (named+0x1aeec)
#4 setup main.c:1235 (named+0x1aeec)
#5 main main.c:1515 (named+0x1aeec)
SUMMARY: ThreadSanitizer: data race /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1545 in mark_header_stale
```
```
WARNING: ThreadSanitizer: data race (pid=7941)
Read of size 2 at 0x7b34000310fc by thread T5 (mutexes: read M633172806149932752, read M641617158530471408):
#0 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4336 (libdns.so.1505+0x10bceb)
#1 find_deepest_zonecut /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4503 (libdns.so.1505+0x10eed1)
#2 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4758 (libdns.so.1505+0x1236b0)
#3 dns_db_findext /home/ondrej/Projects/bind9/lib/dns/db.c:551 (libdns.so.1505+0x6673c)
#4 query_lookup /home/ondrej/Projects/bind9/lib/ns/query.c:5515 (libns.so.1502+0x3f6a0)
#5 ns__query_start /home/ondrej/Projects/bind9/lib/ns/query.c:5441 (libns.so.1502+0x40209)
#6 query_setup /home/ondrej/Projects/bind9/lib/ns/query.c:5162 (libns.so.1502+0x48c13)
#7 ns_query_start /home/ondrej/Projects/bind9/lib/ns/query.c:11239 (libns.so.1502+0x49444)
#8 ns__client_request /home/ondrej/Projects/bind9/lib/ns/client.c:2157 (libns.so.1502+0x15890)
#9 udp_recv_cb /home/ondrej/Projects/bind9/lib/isc/netmgr/udp.c:317 (libisc.so.1504+0x46926)
#10 <null> <null> (libuv.so.1+0x1d6d4)
#11 <null> <null> (libtsan.so.0+0x29b3d)
Previous write of size 2 at 0x7b34000310fc by thread T11 (mutexes: write M57556908275267488, read M633172806149932752, read M641617158530471408):
#0 mark_header_stale /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:1557 (libdns.so.1505+0x10bd67)
#1 check_stale_header /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4345 (libdns.so.1505+0x10bd67)
#2 find_deepest_zonecut /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4503 (libdns.so.1505+0x10eed1)
#3 cache_find /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4758 (libdns.so.1505+0x1236b0)
#4 dns_db_find /home/ondrej/Projects/bind9/lib/dns/db.c:511 (libdns.so.1505+0x6648d)
#5 dns_view_find /home/ondrej/Projects/bind9/lib/dns/view.c:1019 (libdns.so.1505+0x1f6fdd)
#6 dbfind_name /home/ondrej/Projects/bind9/lib/dns/adb.c:3678 (libdns.so.1505+0x3f65f)
#7 dns_adb_createfind /home/ondrej/Projects/bind9/lib/dns/adb.c:3070 (libdns.so.1505+0x529ad)
#8 findname /home/ondrej/Projects/bind9/lib/dns/resolver.c:3382 (libdns.so.1505+0x186a47)
#9 fctx_getaddresses /home/ondrej/Projects/bind9/lib/dns/resolver.c:3669 (libdns.so.1505+0x19a933)
#10 fctx_try /home/ondrej/Projects/bind9/lib/dns/resolver.c:4029 (libdns.so.1505+0x1a1a94)
#11 fctx_start /home/ondrej/Projects/bind9/lib/dns/resolver.c:4651 (libdns.so.1505+0x1a5a0b)
#12 dispatch /home/ondrej/Projects/bind9/lib/isc/task.c:1134 (libisc.so.1504+0x56fa6)
#13 run /home/ondrej/Projects/bind9/lib/isc/task.c:1319 (libisc.so.1504+0x56fa6)
#14 <null> <null> (libtsan.so.0+0x29b3d)
Location is heap block of size 197 at 0x7b34000310e0 allocated by thread T10:
#0 malloc <null> (libtsan.so.0+0x2b1a3)
#1 default_memalloc /home/ondrej/Projects/bind9/lib/isc/mem.c:685 (libisc.so.1504+0x33fee)
#2 mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:598 (libisc.so.1504+0x34c7e)
#3 mem_allocateunlocked /home/ondrej/Projects/bind9/lib/isc/mem.c:1222 (libisc.so.1504+0x34c7e)
#4 isc___mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:1242 (libisc.so.1504+0x34c7e)
#5 isc__mem_allocate /home/ondrej/Projects/bind9/lib/isc/mem.c:2387 (libisc.so.1504+0x3be64)
#6 isc___mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:1007 (libisc.so.1504+0x3c6ca)
#7 isc__mem_get /home/ondrej/Projects/bind9/lib/isc/mem.c:2365 (libisc.so.1504+0x3aef1)
#8 dns_rdataslab_fromrdataset /home/ondrej/Projects/bind9/lib/dns/rdataslab.c:266 (libdns.so.1505+0x17a212)
#9 addrdataset /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:6461 (libdns.so.1505+0x119b45)
#10 dns_db_addrdataset /home/ondrej/Projects/bind9/lib/dns/db.c:744 (libdns.so.1505+0x673cf)
#11 cache_name /home/ondrej/Projects/bind9/lib/dns/resolver.c:6316 (libdns.so.1505+0x19404b)
#12 cache_message /home/ondrej/Projects/bind9/lib/dns/resolver.c:6413 (libdns.so.1505+0x1ae663)
#13 resquery_response /home/ondrej/Projects/bind9/lib/dns/resolver.c:7631 (libdns.so.1505+0x1ae663)
#14 dispatch /home/ondrej/Projects/bind9/lib/isc/task.c:1134 (libisc.so.1504+0x56fa6)
#15 run /home/ondrej/Projects/bind9/lib/isc/task.c:1319 (libisc.so.1504+0x56fa6)
#16 <null> <null> (libtsan.so.0+0x29b3d)
Mutex M633172806149932752 is already destroyed.
Mutex M641617158530471408 is already destroyed.
Mutex M57556908275267488 is already destroyed.
Thread T5 'isc-net-0004' (tid=8008, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_nm_start /home/ondrej/Projects/bind9/lib/isc/netmgr/netmgr.c:149 (libisc.so.1504+0x3ec7a)
#3 create_managers main.c:895 (named+0x1ae90)
#4 setup main.c:1235 (named+0x1ae90)
#5 main main.c:1515 (named+0x1ae90)
Thread T11 'isc-worker0002' (tid=8040, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_taskmgr_create /home/ondrej/Projects/bind9/lib/isc/task.c:1410 (libisc.so.1504+0x59d63)
#3 create_managers main.c:902 (named+0x1aeec)
#4 setup main.c:1235 (named+0x1aeec)
#5 main main.c:1515 (named+0x1aeec)
Thread T10 'isc-worker0001' (tid=8038, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2be1b)
#1 isc_thread_create /home/ondrej/Projects/bind9/lib/isc/pthreads/thread.c:75 (libisc.so.1504+0x7bcc4)
#2 isc_taskmgr_create /home/ondrej/Projects/bind9/lib/isc/task.c:1410 (libisc.so.1504+0x59d63)
#3 create_managers main.c:902 (named+0x1aeec)
#4 setup main.c:1235 (named+0x1aeec)
#5 main main.c:1515 (named+0x1aeec)
SUMMARY: ThreadSanitizer: data race /home/ondrej/Projects/bind9/lib/dns/rbtdb.c:4336 in check_stale_header
```

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/1456
always check return from isc_refcount_decrement
2020-08-04T09:45:08Z
Mark Andrews

Coverity, correctly, complains that the isc_refcount_decrement return is not always checked.
Additionally, isc_refcount_decrement shouldn't be called inside INSIST; INSIST should not
have side effects as it can be compiled out.

August 2020 (9.11.22, 9.11.22-S1, 9.16.6, 9.17.4)
Mark Andrews