Status: Closed

Created Mar 31, 2022 by Ondřej Surý (@ondrej, Owner)

use-after-free in dighost.c/dig.c

The following issue has been reported to the security-officer by Brian Carpenter:

printf "K3kKQDAgK3Fy" | base64 -d | dig -f - @localhost

-
 type: DIG_ERROR
 message: |
   communications error to 127.0.0.1#53: connection refused
-
 type: MESSAGE
 message:
   type: RECURSIVE_QUERY
   query_time: !!timestamp 2022-03-31T10:40:41.451Z
   message_size: 40b
   socket_family: INET6
   socket_protocol: UDP
   response_address: ::1
   response_port: 53
   query_address: ::0
   query_port: 0
   query_message_data:
     opcode: QUERY
     status: NOERROR
     id: 5760
     flags: rd ad
     QUESTION: 1
     ANSWER: 0
     AUTHORITY: 0
     ADDITIONAL: 1
     OPT_PSEUDOSECTION:
       EDNS:
         version: 0
         flags:
         udp: 1232
         COOKIE: 25e7919de3df9c33
     QUESTION_SECTION:
       - . IN NS
-
 type: MESSAGE
 message:
   type: RECURSIVE_QUERY
   query_time: !!timestamp 2022-03-31T10:40:41.451Z
   message_size: 40b
   socket_family: INET6
   socket_protocol: UDP
   response_address: ::1
   response_port: 53
=================================================================
==128803==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000011140 at pc 0x7f557227c2a2 bp 0x7f556dbf8490 sp 0x7f556dbf8488
READ of size 4 at 0x613000011140 thread T1
   #0 0x7f557227c2a1 in isc_nmhandle_localaddr /root/bind9/lib/isc/netmgr/netmgr.c:2391:2
   #1 0x4ca384 in printmessage /root/bind9/bin/dig/dig.c:789:5
   #2 0x4fac6e in send_udp /root/bind9/bin/dig/dighost.c:3062:3
   #3 0x4fac6e in udp_ready /root/bind9/bin/dig/dighost.c:3115:2
   #4 0x7f557227d0f2 in isc__nm_async_connectcb /root/bind9/lib/isc/netmgr/netmgr.c:2662:2
   #5 0x7f5572273153 in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:911:3
   #6 0x7f5572280e9c in process_queue /root/bind9/lib/isc/netmgr/netmgr.c:948:8
   #7 0x7f557226986e in process_all_queues /root/bind9/lib/isc/netmgr/netmgr.c:710:25
   #8 0x7f557226986e in async_cb /root/bind9/lib/isc/netmgr/netmgr.c:739:6
   #9 0x7f5571640ea7  (/lib/x86_64-linux-gnu/libuv.so.1+0xfea7)
   #10 0x7f5571651b7f in uv__io_poll (/lib/x86_64-linux-gnu/libuv.so.1+0x20b7f)
   #11 0x7f557164184b in uv_run (/lib/x86_64-linux-gnu/libuv.so.1+0x1084b)
   #12 0x7f5572269a4b in nm_thread /root/bind9/lib/isc/netmgr/netmgr.c:641:11
   #13 0x7f5572320ffa in isc__trampoline_run /root/bind9/lib/isc/trampoline.c:187:11
   #14 0x7f55719d8608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
   #15 0x7f5571781162 in clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x613000011140 is located 0 bytes inside of 360-byte region [0x613000011140,0x6130000112a8)
freed by thread T1 here:
   #0 0x49952d in free (/usr/local/bin/dig+0x49952d)
   #1 0x7f55722e64e3 in sdallocx /root/bind9/lib/isc/./jemalloc_shim.h:43:2
   #2 0x7f55722e64e3 in mem_put /root/bind9/lib/isc/mem.c:365:2
   #3 0x7f55722e64e3 in isc__mem_put /root/bind9/lib/isc/mem.c:776:2
   #4 0x7f557226f04a in isc__nmhandle_detach /root/bind9/lib/isc/netmgr/netmgr.c:1724:3
   #5 0x7f55722773c8 in isc___nm_uvreq_put /root/bind9/lib/isc/netmgr/netmgr.c:2461:3
   #6 0x7f557227d64e in isc__nm_async_readcb /root/bind9/lib/isc/netmgr/netmgr.c:2708:2
   #7 0x7f5572272fac in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:912:3

previously allocated by thread T1 here:
   #0 0x4997ad in malloc (/usr/local/bin/dig+0x4997ad)
   #1 0x7f55722e5f6e in mallocx /root/bind9/lib/isc/./jemalloc_shim.h:35:10
   #2 0x7f55722e5f6e in mem_get /root/bind9/lib/isc/mem.c:344:8
   #3 0x7f55722e5f6e in isc__mem_get /root/bind9/lib/isc/mem.c:759:8
   #4 0x4ecc9a in start_udp /root/bind9/bin/dig/dighost.c:3181:2
   #5 0x4ce43e in query_finished /root/bind9/bin/dig/dig.c:2924:3
   #6 0x4efad1 in clear_current_lookup /root/bind9/bin/dig/dighost.c:1810:2
   #7 0x4f328e in recv_done /root/bind9/bin/dig/dighost.c:4369:3
   #8 0x7f557227d641 in isc__nm_async_readcb /root/bind9/lib/isc/netmgr/netmgr.c:2706:2
   #9 0x7f5572272fac in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:912:3

Thread T1 created by T0 here:
   #0 0x48455a in pthread_create (/usr/local/bin/dig+0x48455a)
   #1 0x7f5572311a49 in isc_thread_create /root/bind9/lib/isc/thread.c:81:8
   #2 0x7f557226931c in isc__netmgr_create /root/bind9/lib/isc/netmgr/netmgr.c:286:3
   #3 0x7f55722e411f in isc_managers_create /root/bind9/lib/isc/managers.c:31:2
   #4 0x4e2953 in setup_libs /root/bind9/bin/dig/dighost.c:1390:2
   #5 0x4c93f6 in dig_setup /root/bind9/bin/dig/dig.c:3019:2

SUMMARY: AddressSanitizer: heap-use-after-free /root/bind9/lib/isc/netmgr/netmgr.c:2391:2 in isc_nmhandle_localaddr
==128803==ABORTING

This is most probably an error introduced in !5954 (merged) or !5967 (merged); in udp_send() we look at the head of the lookup list and I think we might be accessing the wrong "query"...

The way we use query->handle probably hides some errors, so as part of the fix we might just get rid of it.
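The ASan trace above shows the classic shape of this bug: the handle is allocated in start_udp, the read callback drops the request's reference (isc__nm_uvreq_put -> isc__nmhandle_detach), and only afterwards printmessage reads it through query->handle. The following added example is not BIND's code; it is a toy refcounted handle (hypothetical handle_new/handle_attach/handle_detach, loosely modelled on the attach/detach idea) that reproduces that ordering and shows why a borrowed pointer in the query dangles while an explicitly attached reference stays live.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted handle (hypothetical, not isc_nmhandle_t). */
typedef struct handle {
    int refs;
    bool freed;          /* set instead of calling free() so the demo is observable */
    char localaddr[16];
} handle_t;

static handle_t *handle_new(const char *addr) {
    handle_t *h = calloc(1, sizeof(*h));
    h->refs = 1;                                    /* the request (uvreq) owns this ref */
    strncpy(h->localaddr, addr, sizeof(h->localaddr) - 1);
    return h;
}

static void handle_attach(handle_t **dst, handle_t *src) { src->refs++; *dst = src; }

static void handle_detach(handle_t **hp) {
    handle_t *h = *hp;
    *hp = NULL;
    if (--h->refs == 0) h->freed = true;            /* real code would free(h) here */
}

/* The query keeps a pointer to the handle, as dig's query->handle does. */
typedef struct query { handle_t *handle; } query_t;

/* Replays the order in the trace: readcb releases the request's reference,
 * then send_udp/printmessage reads the local address via query->handle.
 * Returns true if that read hit a live handle, false if it was a UAF. */
static bool run_scenario(bool query_owns_reference) {
    handle_t *req_handle = handle_new("127.0.0.1");     /* start_udp: allocate */
    handle_t *mem = req_handle;                         /* kept only to release demo memory */
    query_t q = { .handle = NULL };
    if (query_owns_reference)
        handle_attach(&q.handle, req_handle);           /* fix: query takes its own ref */
    else
        q.handle = req_handle;                          /* bug: borrowed pointer, no ref */

    handle_detach(&req_handle);                         /* readcb -> uvreq_put drops the ref */
    bool live = !q.handle->freed;                       /* printmessage -> localaddr read */

    if (query_owns_reference) handle_detach(&q.handle);
    free(mem);
    return live;
}

bool borrowed_pointer_is_uaf(void) { return !run_scenario(false); }
bool owned_reference_is_safe(void) { return run_scenario(true); }
```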
