[CVE-2019-6476] resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace causes BIND to die
Summary
BIND died after this log:
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
BIND version used
BIND 9.14.5 (Stable Release) <id:c2c2b6d>
running on FreeBSD amd64 11.2-RELEASE-p14-HBSD FreeBSD 11.2-RELEASE-p14-HBSD 07680caafe9(stable/19.7)
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-openssl=/usr/local' '--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--without-gssapi' '--with-libidn2=/usr/local' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DHARDENEDBSD -DLIBICONV_PLUG -fPIE -fPIC -fstack-protector-all -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -Wl,-rpath,/usr/local/lib -pie -Wl,-z,relro -Wl,-z,now -fstack-protector-all ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2s 28 May 2019
linked to OpenSSL version: OpenSSL 1.0.2s 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Unknown
What is the current bug behavior?
BIND dies
What is the expected correct behavior?
BIND stays alive
Relevant configuration files
controls {
    inet 127.0.0.1 port 9530 allow {
        127.0.0.1/32;
    } keys {
        "rndc-key";
    };
};
logging {
    channel "default_log" {
        file "/var/log/named/named.log" versions 3 size 5242880;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "query_log" {
        file "/var/log/named/query.log" versions 3 size 5242880;
        print-time yes;
    };
    channel "rpz_log" {
        file "/var/log/named/rpz.log" versions 3 size 5242880;
        print-time yes;
    };
    category "default" {
        "default_log";
    };
    category "general" {
        "default_log";
    };
    category "queries" {
        "query_log";
    };
    category "rpz" {
        "rpz_log";
    };
};
options {
    directory "/usr/local/etc/namedb/working";
    dump-file "/var/dump/named_dump.db";
    listen-on port 53530 {
        10.99.201.1/32;
    };
    listen-on-v6 port 53530 {
        ::1/128;
    };
    pid-file "/var/run/named/pid";
    statistics-file "/var/stats/named.stats";
    dnssec-validation auto;
    max-cache-size 80%;
    response-policy {
        zone "whitelist.localdomain";
        zone "blacklist.localdomain";
    };
    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
};
key "rndc-key" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
zone "." {
    type hint;
    file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "0.ip6.arpa" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "whitelist.localdomain" {
    type master;
    check-names ignore;
    file "/usr/local/etc/namedb/master/whitelist.db";
    notify no;
};
zone "blacklist.localdomain" {
    type master;
    check-names ignore;
    file "/usr/local/etc/namedb/master/blacklist.db";
    notify no;
};
Relevant logs and/or screenshots
08-Sep-2019 14:01:29.753 general: critical: exiting (due to assertion failure)
08-Sep-2019 14:01:29.753 general: critical: #7 0x0 in ??
08-Sep-2019 14:01:29.753 general: critical: #6 0x3e007b0dc36 in ??
08-Sep-2019 14:01:29.753 general: critical: #5 0x3b13830d1ed in ??
08-Sep-2019 14:01:29.753 general: critical: #4 0x3b138244169 in ??
08-Sep-2019 14:01:29.753 general: critical: #3 0x3b13823b04c in ??
08-Sep-2019 14:01:29.753 general: critical: #2 0x3b138234728 in ??
08-Sep-2019 14:01:29.753 general: critical: #1 0x3b1382ed18a in ??
08-Sep-2019 14:01:29.753 general: critical: #0 0x3b138102120 in ??
08-Sep-2019 14:01:29.753 general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
08-Sep-2019 14:01:29.745 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.0.0.1#53
08-Sep-2019 14:01:29.514 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.1.1.1#53
Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
Edited by Michał Kępień
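Added example (not part of the original report and not ISC code): a log triage script that finds assertion-failure exits in named logs of the format shown above and lists the names and upstream servers logged in the seconds before each one. The function names, the 5-second window, and the final sample line (old.example) are assumptions made for illustration; the other sample lines are copied from this report.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines from this report (newest first) plus one constructed
# older line ('old.example') that must fall outside the correlation window.
SAMPLE_LOG = """\
08-Sep-2019 14:01:29.753 general: critical: exiting (due to assertion failure)
08-Sep-2019 14:01:29.753 general: critical: #0 0x3b138102120 in ??
08-Sep-2019 14:01:29.753 general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
08-Sep-2019 14:01:29.745 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.0.0.1#53
08-Sep-2019 14:01:29.514 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.1.1.1#53
08-Sep-2019 13:40:02.100 lame-servers: info: chase DS servers resolving 'old.example/DS/IN': 1.1.1.1#53
"""

# timestamp, category, severity, message (print-time/-category/-severity on)
LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([\w-]+): (\w+): (.*)$")
# BIND's assertion macros: REQUIRE, ENSURE, INSIST, INVARIANT
ASSERT = re.compile(r"^(\S+\.c):(\d+): (INSIST|REQUIRE|ENSURE|INVARIANT)\((.*)\) failed")
RESOLVING = re.compile(r"resolving '([^']+)': (\S+)#(\d+)")

def parse(text):
    """Parse log lines into (time, category, severity, message), oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    # Sorting by time copes with pastes that are in reverse order, as here.
    return sorted(events, key=lambda e: e[0])

def find_assertion_crashes(text, window=timedelta(seconds=5)):
    """Return one finding per failed assertion, with queries seen just before."""
    events = parse(text)
    findings = []
    for ts, _category, severity, msg in events:
        a = ASSERT.match(msg)
        if not (a and severity == "critical"):
            continue
        queries = sorted({(r.group(1), r.group(2))
                          for t, _, _, m in events if ts - window <= t <= ts
                          for r in [RESOLVING.search(m)] if r})
        findings.append({"time": ts, "location": f"{a.group(1)}:{a.group(2)}",
                         "kind": a.group(3), "expr": a.group(4), "queries": queries})
    return findings

if __name__ == "__main__":
    for f in find_assertion_crashes(SAMPLE_LOG):
        print(f["time"], f["location"], f["kind"], f["queries"])
```

The queries listed are only those that named happened to log in the window; they are candidates for the triggering lookup, not proof of it.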