use-after-free in dighost.c/dig.c
The following issue has been reported to the security-officer by Brian Carpenter:
printf "K3kKQDAgK3Fy" | base64 -d | dig -f - @localhost
-
type: DIG_ERROR
message: |
communications error to 127.0.0.1#53: connection refused
-
type: MESSAGE
message:
type: RECURSIVE_QUERY
query_time: !!timestamp 2022-03-31T10:40:41.451Z
message_size: 40b
socket_family: INET6
socket_protocol: UDP
response_address: ::1
response_port: 53
query_address: ::0
query_port: 0
query_message_data:
opcode: QUERY
status: NOERROR
id: 5760
flags: rd ad
QUESTION: 1
ANSWER: 0
AUTHORITY: 0
ADDITIONAL: 1
OPT_PSEUDOSECTION:
EDNS:
version: 0
flags:
udp: 1232
COOKIE: 25e7919de3df9c33
QUESTION_SECTION:
- . IN NS
-
type: MESSAGE
message:
type: RECURSIVE_QUERY
query_time: !!timestamp 2022-03-31T10:40:41.451Z
message_size: 40b
socket_family: INET6
socket_protocol: UDP
response_address: ::1
response_port: 53
=================================================================
==128803==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000011140 at pc 0x7f557227c2a2 bp 0x7f556dbf8490 sp 0x7f556dbf8488
READ of size 4 at 0x613000011140 thread T1
#0 0x7f557227c2a1 in isc_nmhandle_localaddr /root/bind9/lib/isc/netmgr/netmgr.c:2391:2
#1 0x4ca384 in printmessage /root/bind9/bin/dig/dig.c:789:5
#2 0x4fac6e in send_udp /root/bind9/bin/dig/dighost.c:3062:3
#3 0x4fac6e in udp_ready /root/bind9/bin/dig/dighost.c:3115:2
#4 0x7f557227d0f2 in isc__nm_async_connectcb /root/bind9/lib/isc/netmgr/netmgr.c:2662:2
#5 0x7f5572273153 in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:911:3
#6 0x7f5572280e9c in process_queue /root/bind9/lib/isc/netmgr/netmgr.c:948:8
#7 0x7f557226986e in process_all_queues /root/bind9/lib/isc/netmgr/netmgr.c:710:25
#8 0x7f557226986e in async_cb /root/bind9/lib/isc/netmgr/netmgr.c:739:6
#9 0x7f5571640ea7 (/lib/x86_64-linux-gnu/libuv.so.1+0xfea7)
#10 0x7f5571651b7f in uv__io_poll (/lib/x86_64-linux-gnu/libuv.so.1+0x20b7f)
#11 0x7f557164184b in uv_run (/lib/x86_64-linux-gnu/libuv.so.1+0x1084b)
#12 0x7f5572269a4b in nm_thread /root/bind9/lib/isc/netmgr/netmgr.c:641:11
#13 0x7f5572320ffa in isc__trampoline_run /root/bind9/lib/isc/trampoline.c:187:11
#14 0x7f55719d8608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#15 0x7f5571781162 in clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x613000011140 is located 0 bytes inside of 360-byte region [0x613000011140,0x6130000112a8)
freed by thread T1 here:
#0 0x49952d in free (/usr/local/bin/dig+0x49952d)
#1 0x7f55722e64e3 in sdallocx /root/bind9/lib/isc/./jemalloc_shim.h:43:2
#2 0x7f55722e64e3 in mem_put /root/bind9/lib/isc/mem.c:365:2
#3 0x7f55722e64e3 in isc__mem_put /root/bind9/lib/isc/mem.c:776:2
#4 0x7f557226f04a in isc__nmhandle_detach /root/bind9/lib/isc/netmgr/netmgr.c:1724:3
#5 0x7f55722773c8 in isc___nm_uvreq_put /root/bind9/lib/isc/netmgr/netmgr.c:2461:3
#6 0x7f557227d64e in isc__nm_async_readcb /root/bind9/lib/isc/netmgr/netmgr.c:2708:2
#7 0x7f5572272fac in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:912:3
previously allocated by thread T1 here:
#0 0x4997ad in malloc (/usr/local/bin/dig+0x4997ad)
#1 0x7f55722e5f6e in mallocx /root/bind9/lib/isc/./jemalloc_shim.h:35:10
#2 0x7f55722e5f6e in mem_get /root/bind9/lib/isc/mem.c:344:8
#3 0x7f55722e5f6e in isc__mem_get /root/bind9/lib/isc/mem.c:759:8
#4 0x4ecc9a in start_udp /root/bind9/bin/dig/dighost.c:3181:2
#5 0x4ce43e in query_finished /root/bind9/bin/dig/dig.c:2924:3
#6 0x4efad1 in clear_current_lookup /root/bind9/bin/dig/dighost.c:1810:2
#7 0x4f328e in recv_done /root/bind9/bin/dig/dighost.c:4369:3
#8 0x7f557227d641 in isc__nm_async_readcb /root/bind9/lib/isc/netmgr/netmgr.c:2706:2
#9 0x7f5572272fac in process_netievent /root/bind9/lib/isc/netmgr/netmgr.c:912:3
Thread T1 created by T0 here:
#0 0x48455a in pthread_create (/usr/local/bin/dig+0x48455a)
#1 0x7f5572311a49 in isc_thread_create /root/bind9/lib/isc/thread.c:81:8
#2 0x7f557226931c in isc__netmgr_create /root/bind9/lib/isc/netmgr/netmgr.c:286:3
#3 0x7f55722e411f in isc_managers_create /root/bind9/lib/isc/managers.c:31:2
#4 0x4e2953 in setup_libs /root/bind9/bin/dig/dighost.c:1390:2
#5 0x4c93f6 in dig_setup /root/bind9/bin/dig/dig.c:3019:2
SUMMARY: AddressSanitizer: heap-use-after-free /root/bind9/lib/isc/netmgr/netmgr.c:2391:2 in isc_nmhandle_localaddr
Shadow bytes around the buggy address:
0x0c267fffa1d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffa1e0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c267fffa1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fffa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fffa210: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c267fffa220: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c267fffa230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffa240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffa250: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffa260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffa270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==128803==ABORTING
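The sanitizer report above is the artifact a triager has to reduce to a ticket: what was accessed, where the object was freed, where it was allocated, and whether all three happened on one thread (which, as here, points at an ordering or lifetime bug on a single callback path rather than a cross-thread race). The following parser is an added example, not code from this issue or from BIND; it consumes ASan heap reports in the layout shown above. The sample input is a constructed excerpt of that report with the shadow-byte dump omitted; the project prefix `/root/bind9/` and the allocator-wrapper file names in `ALLOCATOR_FILES` are assumptions taken from the trace.

```python
"""Triage helper for AddressSanitizer heap reports (added example, not BIND code)."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (?P<offset>\d+) bytes (?:inside|to the right|to the left) of (?P<size>\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (?P<thread>T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (?P<thread>T\d+) here:")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")

# Allocator plumbing between free()/malloc() and the code that owns the object.
# Assumption: these two names (from the trace in this issue) are the only wrappers.
ALLOCATOR_FILES = ("jemalloc_shim.h", "/mem.c:")

# Constructed excerpt of the report in this issue (frames trimmed, shadow bytes omitted).
SAMPLE_REPORT = """\
==128803==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000011140 at pc 0x7f557227c2a2 bp 0x7f556dbf8490 sp 0x7f556dbf8488
READ of size 4 at 0x613000011140 thread T1
    #0 0x7f557227c2a1 in isc_nmhandle_localaddr /root/bind9/lib/isc/netmgr/netmgr.c:2391:2
    #1 0x4ca384 in printmessage /root/bind9/bin/dig/dig.c:789:5
    #2 0x4fac6e in send_udp /root/bind9/bin/dig/dighost.c:3062:3
    #3 0x4fac6e in udp_ready /root/bind9/bin/dig/dighost.c:3115:2
0x613000011140 is located 0 bytes inside of 360-byte region [0x613000011140,0x6130000112a8)
freed by thread T1 here:
    #0 0x49952d in free (/usr/local/bin/dig+0x49952d)
    #1 0x7f55722e64e3 in sdallocx /root/bind9/lib/isc/./jemalloc_shim.h:43:2
    #2 0x7f55722e64e3 in mem_put /root/bind9/lib/isc/mem.c:365:2
    #3 0x7f55722e64e3 in isc__mem_put /root/bind9/lib/isc/mem.c:776:2
    #4 0x7f557226f04a in isc__nmhandle_detach /root/bind9/lib/isc/netmgr/netmgr.c:1724:3
previously allocated by thread T1 here:
    #0 0x4997ad in malloc (/usr/local/bin/dig+0x4997ad)
    #1 0x7f55722e5f6e in mallocx /root/bind9/lib/isc/./jemalloc_shim.h:35:10
    #2 0x7f55722e5f6e in mem_get /root/bind9/lib/isc/mem.c:344:8
    #3 0x7f55722e5f6e in isc__mem_get /root/bind9/lib/isc/mem.c:759:8
    #4 0x4ecc9a in start_udp /root/bind9/bin/dig/dighost.c:3181:2
SUMMARY: AddressSanitizer: heap-use-after-free /root/bind9/lib/isc/netmgr/netmgr.c:2391:2 in isc_nmhandle_localaddr
"""


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line:col", or "(module+offset)" when there is no debug info


@dataclass
class AsanReport:
    pid: int = 0
    kind: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    offset: int = 0
    region_size: int = 0
    threads: dict = field(default_factory=dict)  # stack name -> thread id
    stacks: dict = field(default_factory=lambda: {"use": [], "free": [], "alloc": []})

    def first_project_frame(self, stack, prefix):
        """First frame of `stack` under `prefix` that is not allocator plumbing, else None."""
        for fr in self.stacks[stack]:
            if fr.location.startswith(prefix) and not any(a in fr.location for a in ALLOCATOR_FILES):
                return fr
        return None


def parse_asan_report(text):
    """Parse the header, access line, region line and the use/free/alloc stacks."""
    rep, current = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()  # real reports indent frames; the pasted one above does not
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            rep.pid, rep.kind, rep.address = int(m["pid"]), m["kind"], int(m["addr"], 16)
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size, rep.threads["use"] = m["access"], int(m["size"]), m["thread"]
            current = "use"
        elif (m := REGION_RE.match(line)):
            rep.offset, rep.region_size, current = int(m["offset"]), int(m["size"]), None
        elif (m := FREED_RE.match(line)):
            rep.threads["free"], current = m["thread"], "free"
        elif (m := ALLOC_RE.match(line)):
            rep.threads["alloc"], current = m["thread"], "alloc"
        elif (m := FRAME_RE.match(line)) and current is not None:
            rep.stacks[current].append(Frame(int(m["idx"]), m["func"], m["loc"] or ""))
        else:
            current = None  # SUMMARY, shadow bytes, thread-creation stacks: end the current stack
    return rep


def triage(rep, prefix):
    """Condense a parsed report into the facts a bug ticket needs."""
    sites = {}
    for stack in ("use", "free", "alloc"):
        fr = rep.first_project_frame(stack, prefix)
        sites[stack] = f"{fr.func} at {fr.location}" if fr else "(no frame under prefix)"
    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} bytes, {rep.offset} bytes into a {rep.region_size}-byte object",
        "use_site": sites["use"],
        "free_site": sites["free"],
        "alloc_site": sites["alloc"],
        # One thread for use, free and alloc means a lifetime/ordering bug on a
        # single event path, not a data race between threads.
        "single_thread": len(set(rep.threads.values())) == 1,
    }


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT), "/root/bind9/").items():
        print(f"{key}: {value}")
```

Run against the excerpt, `triage()` reports the read in `isc_nmhandle_localaddr`, the free in `isc__nmhandle_detach` and the allocation in `start_udp`, all on `T1`; skipping the allocator wrappers is what makes the free and alloc sites land on the code that actually owns the handle instead of on `free`/`malloc`.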
This is most probably an error introduced in !5954 (merged) or !5967 (merged); in udp_send() we look at the head of the lookup list and I think we might be accessing the wrong "query"... The way we use query->handle probably hides some errors, so as part of the fix, we might just get rid of it.