"INSIST(0);" assertion failure in isc__nmsocket_reset()
The following crash occurred in GitLab CI on FreeBSD:
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2326508
D:rndc:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/named -D rndc-ns6 -X named.lock -m no'.
D:rndc:Program terminated with signal SIGABRT, Aborted.
D:rndc:Sent by thr_kill() from pid 7136 and user 1001.
D:rndc:#0 0x000000080150669a in thr_kill () from /lib/libc.so.7
D:rndc:[Current thread is 1 (LWP 101302)]
D:rndc:#0 0x000000080150669a in thr_kill () from /lib/libc.so.7
D:rndc:#1 0x0000000801504af4 in raise () from /lib/libc.so.7
D:rndc:#2 0x000000080147a719 in abort () from /lib/libc.so.7
D:rndc:#3 0x000000000023c240 in assertion_failed (file=0x8002e9282 "netmgr/netmgr.c", line=<optimized out>, type=<optimized out>, cond=<optimized out>) at main.c:238
D:rndc:#4 0x0000000800318afa in isc_assertion_failed (file=0x18bb6 <error: Cannot access memory at address 0x18bb6>, line=6, type=isc_assertiontype_require, cond=0x8015066ba <thr_self+10> "\017\202\024I") at assertions.c:49
D:rndc:#5 0x00000008003076e0 in isc__nmsocket_reset (sock=0x802dea000) at netmgr/netmgr.c:2862
D:rndc:#6 0x0000000800307616 in isc__nmsocket_writetimeout_cb (timer=<optimized out>) at netmgr/netmgr.c:2039
D:rndc:#7 0x000000080110ade6 in ?? () from /usr/local/lib/libuv.so.1
D:rndc:#8 0x000000080110df87 in uv_run () from /usr/local/lib/libuv.so.1
D:rndc:#9 0x0000000800302cdb in nm_thread (worker0=0x8018ae7a0) at netmgr/netmgr.c:700
D:rndc:#10 0x000000080033d856 in isc__trampoline_run (arg=0x8018e0740) at trampoline.c:187
D:rndc:#11 0x000000080133008c in ?? () from /lib/libthr.so.3
D:rndc:#12 0x0000000000000000 in ?? ()
D:rndc:Backtrace stopped: Cannot access memory at address 0x7fffdfbfc000
Looking at the backtrace, it seems like !5848 (merged) is the likely culprit, as there was no isc__nmsocket_writetimeout_cb() function before that MR.
The relevant code is:
2852 void
2853 isc__nmsocket_reset(isc_nmsocket_t *sock) {
2854 REQUIRE(VALID_NMSOCK(sock));
2855
2856 switch (sock->type) {
2857 case isc_nm_tcpdnssocket:
2858 case isc_nm_tlsdnssocket:
2859 REQUIRE(sock->parent == NULL);
2860 break;
2861 default:
2862 >>> INSIST(0);
2863 ISC_UNREACHABLE();
2864 break;
2865 }
It looks like isc__nmsocket_writetimeout_cb() is calling isc__nmsocket_reset() for an unexpected socket type.
Out of an abundance of caution, I am opening this as a confidential issue for now as a crash is involved, but I would be surprised if this turns out to be exploitable.
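To make the control flow behind the assertion concrete, here is a small constructed model of the two functions in the backtrace. It is an added example, not BIND's netmgr code and not the fix that was applied: the enum, struct and function names are hypothetical stand-ins, and the assertion is modelled as a return value so the failure path can be observed without aborting the process. It shows the timeout callback calling the reset routine for a socket type the reset routine does not handle (the INSIST(0) path), and a guarded callback that checks the type first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical socket types; only the two DNS-over-stream types exist in
 * the reset routine's switch, mirroring the snippet from netmgr.c above. */
typedef enum {
	NM_UDPSOCKET,
	NM_TCPSOCKET,
	NM_TCPDNSSOCKET,
	NM_TLSDNSSOCKET,
} nm_socktype_t;

/* Constructed stand-in for isc_nmsocket_t with only the fields we need. */
typedef struct nm_socket {
	nm_socktype_t type;
	struct nm_socket *parent;
	bool reset_done;
} nm_socket_t;

/* Result codes used in place of aborting on INSIST()/REQUIRE(). */
enum { RESET_OK = 1, RESET_SKIPPED = 0, RESET_ASSERT = -1 };

/* Models isc__nmsocket_reset(): handles tcpdns/tlsdns sockets and returns
 * RESET_ASSERT where the real code reaches INSIST(0). */
static int model_nmsocket_reset(nm_socket_t *sock) {
	switch (sock->type) {
	case NM_TCPDNSSOCKET:
	case NM_TLSDNSSOCKET:
		if (sock->parent != NULL) {
			return RESET_ASSERT; /* REQUIRE(sock->parent == NULL) */
		}
		sock->reset_done = true;
		return RESET_OK;
	default:
		return RESET_ASSERT; /* INSIST(0); ISC_UNREACHABLE(); */
	}
}

/* Unguarded write-timeout callback: resets whatever socket the timer
 * belongs to, so a non-DNS socket drives the reset routine into INSIST(0). */
static int unguarded_writetimeout_cb(nm_socket_t *sock) {
	return model_nmsocket_reset(sock);
}

/* Guarded variant: only socket types the reset routine accepts are reset;
 * anything else is left untouched instead of tripping the assertion. */
static int guarded_writetimeout_cb(nm_socket_t *sock) {
	if (sock->type != NM_TCPDNSSOCKET && sock->type != NM_TLSDNSSOCKET) {
		return RESET_SKIPPED;
	}
	return model_nmsocket_reset(sock);
}

/* Runs one timeout on a fresh top-level socket of the given type and
 * reports what the chosen callback did. */
static int simulate_timeout(nm_socktype_t type, bool guarded) {
	nm_socket_t sock = { .type = type, .parent = NULL, .reset_done = false };
	return guarded ? guarded_writetimeout_cb(&sock)
		       : unguarded_writetimeout_cb(&sock);
}

int main(void) {
	printf("unguarded, tcp socket:    %d\n", simulate_timeout(NM_TCPSOCKET, false));
	printf("guarded,   tcp socket:    %d\n", simulate_timeout(NM_TCPSOCKET, true));
	printf("guarded,   tcpdns socket: %d\n", simulate_timeout(NM_TCPDNSSOCKET, true));
	return 0;
}
```

The model only captures the type dispatch; it says nothing about what a timed-out plain TCP or UDP write should actually do in the netmgr, which is the part the real fix has to decide.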