[CVE-2020-8619] An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
Summary
Sudden crash of the named process (1-10 minutes after restart)
BIND version used
BIND 9.11.17 (Extended Support Version) <id:65c9496>
running on Linux x86_64 3.16.0-10-amd64 #1 SMP Debian 3.16.81-1 (2020-01-17)
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--enable-ipv6' '--enable-filter-aaaa'
compiled by GCC 4.9.2
compiled with OpenSSL version: OpenSSL 1.0.1t 3 May 2016
linked to OpenSSL version: OpenSSL 1.0.1t 3 May 2016
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with libjson-c version: 0.11.99
linked to libjson-c version: 0.11.99
compiled with zlib version: 1.2.8
linked to zlib version: 1.2.8
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
Steps to reproduce
# Created bind as usual (works with <= 9.11.14):
VERSION=9.11.17
prefix=/usr
# multiarch triplet as reported by "named -V" above (libdir=/usr/lib/x86_64-linux-gnu)
DEB_HOST_MULTIARCH=x86_64-linux-gnu
wget -O bind-${VERSION}.tar.gz https://downloads.isc.org/isc/bind9/${VERSION}/bind-${VERSION}.tar.gz
wget -O bind-${VERSION}.tar.gz.sha512.asc https://downloads.isc.org/isc/bind9/${VERSION}/bind-${VERSION}.tar.gz.sha512.asc
gpg --verify bind-${VERSION}.tar.gz.sha512.asc bind-${VERSION}.tar.gz
tar -zxf bind-${VERSION}.tar.gz
cd bind-${VERSION}
./configure --prefix=${prefix} \
    --mandir=${prefix}/share/man \
    --libdir=${prefix}/lib/${DEB_HOST_MULTIARCH} \
    --infodir=${prefix}/share/info \
    --sysconfdir=/etc/bind \
    --with-python=python3 \
    --localstatedir=/ \
    --enable-threads \
    --enable-largefile \
    --with-libtool \
    --enable-shared \
    --enable-static \
    --with-openssl=/usr \
    --with-gssapi=/usr \
    --with-gnu-ld \
    --enable-ipv6 \
    --enable-filter-aaaa
make && make install
What is the current bug behavior?
After a few minutes, bind crashes with the following message in general.log:
01-Apr-2020 11:24:11.101 general: rbtdb.c:2097: INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed, back trace
01-Apr-2020 11:24:11.101 general: #0 0x43fecd in ??
01-Apr-2020 11:24:11.101 general: #1 0x7ff0f7cedcaa in ??
01-Apr-2020 11:24:11.101 general: #2 0x7ff0f8fb2da5 in ??
01-Apr-2020 11:24:11.101 general: #3 0x7ff0f8fc2d6c in ??
01-Apr-2020 11:24:11.101 general: #4 0x44e3fd in ??
01-Apr-2020 11:24:11.101 general: #5 0x4585b8 in ??
01-Apr-2020 11:24:11.101 general: #6 0x4353f6 in ??
01-Apr-2020 11:24:11.101 general: #7 0x7ff0f7d179c7 in ??
01-Apr-2020 11:24:11.101 general: #8 0x7ff0f6e98064 in ??
01-Apr-2020 11:24:11.101 general: #9 0x7ff0f686662d in ??
01-Apr-2020 11:24:11.101 general: exiting (due to assertion failure)
What is the expected correct behavior?
No crash.
Relevant configuration files
named.conf:
include "/etc/bind/named.conf.local"; // only ACLs, logging and statistic channels
include "/etc/bind/named.conf.options"; // see below
include "/etc/bind/bind.keys";
include "/etc/bind/named.conf.namedboot";
include "/etc/bind/tsig.key";
named.options:
options {
directory "/var/cache/bind";
pid-file "/var/run/named/named.pid";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { ::1; ********; };
listen-on { 127.0.0.1; *********; };
allow-query { any; };
allow-transfer { ******; };
recursion no;
version "0";
dnssec-enable yes;
dnssec-validation yes;
tcp-clients 1500;
rate-limit {
responses-per-second 50;
};
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; ::1; };
};
Relevant logs and/or screenshots
general.log:
...
01-Apr-2020 11:24:11.101 general: rbtdb.c:2097: INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed, back trace
01-Apr-2020 11:24:11.101 general: #0 0x43fecd in ??
01-Apr-2020 11:24:11.101 general: #1 0x7ff0f7cedcaa in ??
01-Apr-2020 11:24:11.101 general: #2 0x7ff0f8fb2da5 in ??
01-Apr-2020 11:24:11.101 general: #3 0x7ff0f8fc2d6c in ??
01-Apr-2020 11:24:11.101 general: #4 0x44e3fd in ??
01-Apr-2020 11:24:11.101 general: #5 0x4585b8 in ??
01-Apr-2020 11:24:11.101 general: #6 0x4353f6 in ??
01-Apr-2020 11:24:11.101 general: #7 0x7ff0f7d179c7 in ??
01-Apr-2020 11:24:11.101 general: #8 0x7ff0f6e98064 in ??
01-Apr-2020 11:24:11.101 general: #9 0x7ff0f686662d in ??
01-Apr-2020 11:24:11.101 general: exiting (due to assertion failure)
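For operators who want to catch this kind of failure from logs rather than from a dead service, the following is an added example (not part of this issue and not ISC's code): a small parser that scans a BIND general.log stream, picks out an INSIST/REQUIRE/ENSURE assertion failure together with its back trace and the "exiting" line, and flags the rbtdb.c signature shown above. It assumes the line layout shown in this issue ("<timestamp> <category>: <message>", no severity token); the two "normal" log lines in the sample are constructed, the others are the lines quoted above.

```python
"""Detect BIND assertion-failure crashes (such as the rbtdb.c INSIST in this issue)
in a general.log stream. Added example, not ISC code."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample log: the INSIST, backtrace and "exiting" lines are the ones
# quoted in the issue; the two leading lines are made-up "normal" entries so the
# parser has something to ignore.
SAMPLE_LOG = """\
01-Apr-2020 11:23:05.412 general: zone example.test/IN: loaded serial 2020040101
01-Apr-2020 11:24:10.990 general: received control channel command 'reload'
01-Apr-2020 11:24:11.101 general: rbtdb.c:2097: INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed, back trace
01-Apr-2020 11:24:11.101 general: #0 0x43fecd in ??
01-Apr-2020 11:24:11.101 general: #1 0x7ff0f7cedcaa in ??
01-Apr-2020 11:24:11.101 general: exiting (due to assertion failure)
"""

# Line layout as shown in the issue: "<dd-Mon-yyyy hh:mm:ss.mmm> <category>: <message>".
# (A channel configured with print-severity also prints a severity token; not handled here.)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<cat>[\w-]+): (?P<msg>.*)$"
)
# "<file>.c:<line>: <MACRO>(<condition>) failed[, back trace]"
ASSERT_RE = re.compile(
    r"^(?P<file>[\w./-]+\.c):(?P<line>\d+): (?P<kind>REQUIRE|INSIST|ENSURE)\((?P<cond>.*)\) failed(?:, back trace)?$"
)
FRAME_RE = re.compile(r"^#(?P<n>\d+) (?P<addr>0x[0-9a-fA-F]+) in (?P<sym>.+)$")
EXIT_RE = re.compile(r"^exiting \(due to assertion failure\)$")


@dataclass
class AssertionCrash:
    when: datetime
    source_file: str
    source_line: int
    kind: str
    condition: str
    frames: List[str] = field(default_factory=list)
    exited: bool = False       # True once "exiting (due to assertion failure)" is seen
    symbolized: bool = False   # True if any frame resolved to something other than "??"


def parse_general_log(text: str) -> List[AssertionCrash]:
    """Collect every assertion failure, its back-trace frames and the exit marker."""
    crashes: List[AssertionCrash] = []
    current: Optional[AssertionCrash] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        a = ASSERT_RE.match(msg)
        if a:
            current = AssertionCrash(
                when=datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
                source_file=a.group("file"),
                source_line=int(a.group("line")),
                kind=a.group("kind"),
                condition=a.group("cond"),
            )
            crashes.append(current)
            continue
        if current is None:
            continue  # ordinary line outside a crash report
        f = FRAME_RE.match(msg)
        if f:
            current.frames.append(f"{f.group('addr')} in {f.group('sym')}")
            if f.group("sym") != "??":
                current.symbolized = True
            continue
        if EXIT_RE.match(msg):
            current.exited = True
            current = None
    return crashes


def matches_this_issue(crash: AssertionCrash) -> bool:
    """Signature of the crash reported here: an INSIST in rbtdb.c on node->deadlink.prev."""
    return (crash.kind == "INSIST" and crash.source_file == "rbtdb.c"
            and "deadlink.prev" in crash.condition)


def crash_loop(crashes: List[AssertionCrash], max_gap_minutes: int = 10) -> bool:
    """True if two consecutive assertion crashes are at most max_gap_minutes apart,
    i.e. named keeps dying shortly after each restart, as described in this report."""
    for a, b in zip(crashes, crashes[1:]):
        if (b.when - a.when).total_seconds() <= max_gap_minutes * 60:
            return True
    return False


if __name__ == "__main__":
    for c in parse_general_log(SAMPLE_LOG):
        print(f"{c.when} {c.kind} {c.source_file}:{c.source_line} frames={len(c.frames)} "
              f"exited={c.exited} symbolized={c.symbolized} this_issue={matches_this_issue(c)}")
```

The `symbolized` flag is there because every frame in the trace above is `??`: without symbols the back trace tells you only that named aborted, so a detection that pairs the `INSIST(...) failed` line with the `exiting (due to assertion failure)` line, and the source file and line number it names, is a more reliable alert key than the addresses.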
Possible fixes
see above...
Edited by Michał Kępień