9.16.3 segmentation fault
Summary
BIND-9.16.3 terminated with signal 11, Segmentation fault.
BIND version used
BIND 9.16.3-RedHat-9.16.3-20200604153203.alios6 (Stable Release) <id:5ea41c1>
running on Linux x86_64 2.6.32-220.23.2.ali878.el6.x86_64 #1 SMP Mon Jan 28 17:12:52 CST 2013
built by make with '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-epoll' '--with-tuning=large' '--with-pic' '--with-python=/home/tops/bin/python2.7' '--with-python-install-dir=/home/tops' '--disable-geoip' '--enable-auto-validation=no' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--disable-shared' 'LIBUV_CFLAGS=-I/home/admin/145_20200603144849066_144601007_code/rpm_workspace/rpm/.dep_create/include' 'LIBUV_LIBS=-L/home/admin/145_20200603144849066_144601007_code/rpm_workspace/rpm/.dep_create/lib -luv -lrt -lpthread -lnsl -ldl' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 4.4.6 20110731 (Red Hat 4.4.6-3)
compiled with OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
compiled with zlib version: 1.2.3
linked to zlib version: 1.2.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Not sure, some TCP flows cause the issue.
What is the current bug behavior?
BIND crashes.
What is the expected correct behavior?
Not crashing.
Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```) to format console output. If submitting the contents of your configuration file in a non-confidential Issue, it is advisable to obscure key secrets: this can be done automatically by using `named-checkconf -px`.)
Relevant logs and/or screenshots
```
Core was generated by `/usr/sbin/named -u named -t /var/named/chroot'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000655f9d in isc__nm_tcpdns_send ()
Missing separate debuginfos, use: debuginfo-install bind911-9.16.3-20200604153203.alios6.x86_64
(gdb) bt
#0  0x0000000000655f9d in isc__nm_tcpdns_send ()
#1  0x00000000004788be in client_sendpkg ()
#2  0x000000000047a26d in ns_client_send ()
#3  0x000000000047a5cf in ns_client_error ()
#4  0x000000000048a0b1 in query_error ()
#5  0x000000000049286f in ns_query_done ()
#6  0x000000000049082b in query_gotanswer ()
#7  0x000000000049783d in fetch_callback ()
#8  0x0000000000662f81 in run ()
#9  0x00007f115cad4aa1 in start_thread () from /lib64/libpthread.so.0
#10 0x00007f115c40493d in clone () from /lib64/libc.so.6
```
Possible fixes
```c
/* allocate room for the two-octet TCP length prefix plus the message,
 * then write the prefix in network byte order and copy the message after it */
t->region = (isc_region_t){ .base = isc_mem_get(t->mctx,
                                                 region->length + 2),
                            .length = region->length + 2 };
*(uint16_t *)t->region.base = htons(region->length);
memmove(t->region.base + 2, region->base, region->length);
```
I guess t->region needs an overflow check?
Edited by Mark Andrews
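The snippet in "Possible fixes" prepends the two-octet TCP length field to a DNS message (RFC 1035 section 4.2.2). As an added example that is not BIND's code, here is a stand-alone version of that framing with the explicit length bound the reporter asks about, plus the matching receiver-side parse; `region_t` is a hypothetical stand-in for `isc_region_t`, and the page does not establish that this bound is the cause of the reported crash.

```c
/* Added example, not BIND code: TCP DNS framing with an explicit bound.
 * The two-octet prefix cannot carry a length above UINT16_MAX, so longer
 * messages are rejected instead of having their length silently truncated. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for isc_region_t: base pointer plus length. */
typedef struct {
    uint8_t *base;
    size_t length;
} region_t;

/* Sender side. Returns 0 on success (caller frees out->base), -1 if the
 * message does not fit the 16-bit length field or allocation fails. */
int tcpdns_frame(const region_t *msg, region_t *out) {
    if (msg == NULL || msg->base == NULL || out == NULL) {
        return -1;
    }
    if (msg->length > UINT16_MAX) {
        return -1; /* would overflow the two-octet prefix */
    }
    uint8_t *buf = malloc(msg->length + 2);
    if (buf == NULL) return -1;
    uint16_t be_len = htons((uint16_t)msg->length);
    memcpy(buf, &be_len, 2);                  /* network-order length prefix */
    memcpy(buf + 2, msg->base, msg->length);  /* the DNS message itself */
    out->base = buf;
    out->length = msg->length + 2;
    return 0;
}

/* Receiver side: extract one framed message from a byte stream. Returns the
 * bytes consumed, 0 if the frame is still incomplete, -1 on a zero-length
 * frame, which is never a valid DNS message. msg points into the stream. */
ssize_t tcpdns_unframe(const uint8_t *stream, size_t avail, region_t *msg) {
    if (avail < 2) return 0;                  /* prefix not yet complete */
    uint16_t be_len;
    memcpy(&be_len, stream, 2);
    size_t len = ntohs(be_len);
    if (len == 0) return -1;
    if (avail < 2 + len) return 0;            /* wait for the rest of the frame */
    msg->base = (uint8_t *)stream + 2;
    msg->length = len;
    return (ssize_t)(2 + len);
}
```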