fctx_cancelquery() attempts to process a query which has already been freed
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2108955
AddressSanitizer report:

```
==4603==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000ad810 at pc 0x7fef0381a873 bp 0x7feef9e24e80 sp 0x7feef9e24e78
READ of size 8 at 0x6170000ad810 thread T7
    #0 0x7fef0381a872 in fctx_cancelquery /builds/isc-projects/bind9/lib/dns/resolver.c:1256
    #1 0x7fef03843a95 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9438
    #2 0x7fef0384a49c in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7343
    #3 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
    #4 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
    #5 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
    #6 0x7fef047caed5 in udp_recv_cb netmgr/udp.c:637
    #7 0x7fef047cef11 in isc__nm_udp_read_cb netmgr/udp.c:1021
    #8 0x7fef020d8a41 in uv__udp_recvmsg /usr/src/libuv-v1.42.0/src/unix/udp.c:302
    #9 0x7fef020d8365 in uv__udp_io /usr/src/libuv-v1.42.0/src/unix/udp.c:178
    #10 0x7fef020df3ad in uv__io_poll /usr/src/libuv-v1.42.0/src/unix/epoll.c:374
    #11 0x7fef020c3b5b in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:389
    #12 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
    #13 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
    #14 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)
    #15 0x7fef0145c352 in clone (/lib64/libc.so.6+0x100352)

0x6170000ad810 is located 16 bytes inside of 720-byte region [0x6170000ad800,0x6170000adad0)
freed by thread T7 here:
    #0 0x7fef05112647 in free (/lib64/libasan.so.6+0xae647)
    #1 0x7fef0482ff97 in sdallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:38
    #2 0x7fef0482ff97 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:361
    #3 0x7fef0482ff97 in isc__mem_put /builds/isc-projects/bind9/lib/isc/mem.c:770
    #4 0x7fef03819f4b in resquery_destroy /builds/isc-projects/bind9/lib/dns/resolver.c:1194
    #5 0x7fef03819f4b in resquery_detach /builds/isc-projects/bind9/lib/dns/resolver.c:1219
    #6 0x7fef0381bd10 in fctx_cancelquery /builds/isc-projects/bind9/lib/dns/resolver.c:1433
    #7 0x7fef0381d2e7 in fctx_cancelqueries /builds/isc-projects/bind9/lib/dns/resolver.c:1485
    #8 0x7fef03820412 in fctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:1746
    #9 0x7fef038439f0 in rctx_next /builds/isc-projects/bind9/lib/dns/resolver.c:9348
    #10 0x7fef038439f0 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9431
    #11 0x7fef0384a49c in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7343
    #12 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
    #13 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
    #14 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
    #15 0x7fef047caed5 in udp_recv_cb netmgr/udp.c:637
    #16 0x7fef047cef11 in isc__nm_udp_read_cb netmgr/udp.c:1021
    #17 0x7fef020d8a41 in uv__udp_recvmsg /usr/src/libuv-v1.42.0/src/unix/udp.c:302
    #18 0x7fef020d8365 in uv__udp_io /usr/src/libuv-v1.42.0/src/unix/udp.c:178
    #19 0x7fef020df3ad in uv__io_poll /usr/src/libuv-v1.42.0/src/unix/epoll.c:374
    #20 0x7fef020c3b5b in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:389
    #21 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
    #22 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
    #23 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)

previously allocated by thread T7 here:
    #0 0x7fef0511293f in __interceptor_malloc (/lib64/libasan.so.6+0xae93f)
    #1 0x7fef0482f3de in mallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:30
    #2 0x7fef0482f3de in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:340
    #3 0x7fef0482f3de in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:753
    #4 0x7fef0382a923 in fctx_query /builds/isc-projects/bind9/lib/dns/resolver.c:2003
    #5 0x7fef03844334 in rctx_resend /builds/isc-projects/bind9/lib/dns/resolver.c:9322
    #6 0x7fef03844334 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9452
    #7 0x7fef0384749b in rctx_timedout /builds/isc-projects/bind9/lib/dns/resolver.c:7740
    #8 0x7fef0384749b in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7223
    #9 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
    #10 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
    #11 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
    #12 0x7fef0478e9fc in isc__nmsocket_readtimeout_cb netmgr/netmgr.c:2066
    #13 0x7fef020beb19 in uv__run_timers /usr/src/libuv-v1.42.0/src/timer.c:178
    #14 0x7fef020c3afb in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:380
    #15 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
    #16 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
    #17 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)

Thread T7 created by T0 here:
    #0 0x7fef050ba8d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
    #1 0x7fef0487b4b9 in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:79
    #2 0x7fef04776c4a in isc__netmgr_create netmgr/netmgr.c:328
    #3 0x7fef0482cd42 in isc_managers_create /builds/isc-projects/bind9/lib/isc/managers.c:36
    #4 0x43d99a in create_managers /builds/isc-projects/bind9/bin/named/main.c:920
    #5 0x43d99a in setup /builds/isc-projects/bind9/bin/named/main.c:1184
    #6 0x43d99a in main /builds/isc-projects/bind9/bin/named/main.c:1452
    #7 0x7fef01383b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/dns/resolver.c:1256 in fctx_cancelquery
==4803==ABORTING
```
Looks like a reference counting issue? `resquery_destroy()` is only called when the reference count for the query reaches 0, but rctx still wants to access it. AFAICT, `rctx_respinit()` does not `resquery_attach()` to the query structure and instead uses a plain assignment, but I am not sure how easily this could be changed.
As a side note, could this maybe be related to #3013 (closed)? It may be a long shot, but the code location mentioned in the ASAN backtrace above matches a branch handling a question section mismatch, so it made me think of that one.
```c
7338 	default:
7339 		result = same_question(fctx, query->rmessage);
7340 		if (result != ISC_R_SUCCESS) {
7341 			FCTXTRACE3("response did not match question", result);
7342 			rctx.nextitem = true;
7343 			rctx_done(&rctx, result);
7344 			return;
7345 		}
7346 		break;
7347 	}
```
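As an added illustration of the reference-counting point raised in the comment above (a hypothetical model written for this page, not BIND's `resquery_t`, `rctx_respinit()` or resolver code): a response context that merely copies the query pointer is left dangling as soon as the owner's detach drops the count to zero, whereas one that attaches keeps the object alive until it detaches itself.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model of a reference-counted query (not BIND's resquery_t).
 * The owner (fctx) holds one reference; a response context (rctx) either
 * attaches (takes its own reference) or merely copies the pointer. */
typedef struct resquery {
	unsigned int references;
} resquery_t;
static int destroyed_count = 0; /* observe destroys without touching freed memory */

static resquery_t *resquery_new(void) {
	resquery_t *q = calloc(1, sizeof(*q));
	q->references = 1; /* the owner's reference */
	return q;
}

static void resquery_attach(resquery_t *src, resquery_t **dstp) {
	src->references++;
	*dstp = src;
}

static void resquery_detach(resquery_t **qp) {
	resquery_t *q = *qp;
	*qp = NULL;
	if (--q->references == 0) { /* last reference gone: destroy */
		destroyed_count++;
		free(q);
	}
}

/* The owner cancels the query while rctx still holds it, then rctx finishes.
 * Returns how many destroys happened before rctx finished: 1 means rctx was
 * left holding a dangling pointer, 0 means it stayed valid until rctx let go. */
static int run_response(bool rctx_attaches) {
	destroyed_count = 0;
	resquery_t *owner_ref = resquery_new();
	resquery_t *rctx_query = NULL;
	if (rctx_attaches) {
		resquery_attach(owner_ref, &rctx_query); /* refcount becomes 2 */
	} else {
		rctx_query = owner_ref; /* plain assignment: no reference taken */
	}
	resquery_detach(&owner_ref); /* like fctx_cancelquery dropping the owner's ref */
	int destroyed_early = destroyed_count;
	if (rctx_attaches) {
		resquery_detach(&rctx_query); /* rctx_done releases its own reference */
	}
	return destroyed_early;
}
```

Running the model under ASan with the plain-assignment variant and a read through `rctx_query` after the owner's detach reproduces the same heap-use-after-free shape as the report above; with the attaching variant the read is safe.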