AddressSanitizer: heap-use-after-free in lib/dns/rpz.c
rpz system test fails with Clang 15 ASAN.
Job #2753728 failed for 63da9166:
==8378==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000000778 at pc 0x7fcba0e24577 bp 0x7ffdf3723af0 sp 0x7ffdf3723ae8
08-Sep-2022 20:17:27.405 calling free_rbtdb(.)
READ of size 8 at 0x618000000778 thread T0
08-Sep-2022 20:17:27.405 done free_rbtdb(.)
#0 0x7fcba0e24576 in dns_rpz_update_taskaction /builds/isc-projects/bind9/lib/dns/rpz.c:1656:2
#1 0x7fcba18e3250 in timer_cb /builds/isc-projects/bind9/lib/isc/timer.c:126:2
#2 0x7fcb9f913a57 in uv__run_timers /usr/src/libuv-v1.44.1/src/timer.c:178:5
#3 0x7fcb9f91884d in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:382:5
#4 0x7fcba186c9c7 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:266:6
#5 0x7fcba186c9c7 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:293:2
#6 0x7fcba186b827 in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:473:2
#7 0x56291736375e in main /builds/isc-projects/bind9/bin/named/main.c:1441:2
#8 0x7fcb9f3aed09 in __libc_start_main csu/../csu/libc-start.c:308:16
#9 0x56291726db29 in _start (/builds/isc-projects/bind9/bin/named/.libs/named+0xe8b29) (BuildId: 244d982f283adcd1b08c04c43271bef9a2de5ba0)
0x618000000778 is located 760 bytes inside of 832-byte region [0x618000000480,0x6180000007c0)
freed by thread T8 here:
#0 0x5629172f2442 in free (/builds/isc-projects/bind9/bin/named/.libs/named+0x16d442) (BuildId: 244d982f283adcd1b08c04c43271bef9a2de5ba0)
#1 0x7fcba1879409 in sdallocx /builds/isc-projects/bind9/lib/isc/./jemalloc_shim.h:43:2
#2 0x7fcba1879409 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:365:2
#3 0x7fcba187ba53 in isc__mem_put /builds/isc-projects/bind9/lib/isc/mem.c:779:2
#4 0x7fcba0e267b1 in rpz_destroy /builds/isc-projects/bind9/lib/dns/rpz.c:2065:2
#5 0x7fcba0e267b1 in rpz_detach /builds/isc-projects/bind9/lib/dns/rpz.c:2083:3
#6 0x7fcba0e25aa7 in dns_rpz_detach_rpzs /builds/isc-projects/bind9/lib/dns/rpz.c:2112:5
#7 0x7fcba0f32c13 in destroy /builds/isc-projects/bind9/lib/dns/view.c:298:3
#8 0x7fcba0f3206c in dns_view_weakdetach /builds/isc-projects/bind9/lib/dns/view.c:612:3
#9 0x7fcba0f85e63 in zone_free /builds/isc-projects/bind9/lib/dns/zone.c:1271:3
#10 0x7fcba0f81a45 in zone_shutdown /builds/isc-projects/bind9/lib/dns/zone.c:15190:3
#11 0x7fcba183b7a3 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75:2
#12 0x7fcb9f92201a in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68:1
#13 0x7fcb9f918868 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384:5
#14 0x7fcba186c9c7 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:266:6
#15 0x7fcba186c9c7 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:293:2
#16 0x7fcba18f5fe8 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:189:11
#17 0x7fcb9f6cfea6 in start_thread nptl/pthread_create.c:477:8
previously allocated by thread T0 here:
#0 0x5629172f26ee in malloc (/builds/isc-projects/bind9/bin/named/.libs/named+0x16d6ee) (BuildId: 244d982f283adcd1b08c04c43271bef9a2de5ba0)
#1 0x7fcba1879fd1 in mallocx /builds/isc-projects/bind9/lib/isc/./jemalloc_shim.h:35:10
#2 0x7fcba1879fd1 in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:344:8
#3 0x7fcba1879d9b in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:762:8
#4 0x7fcba0e22fce in dns_rpz_new_zone /builds/isc-projects/bind9/lib/dns/rpz.c:1543:8
#5 0x5629173d9e67 in configure_rpz_zone /builds/isc-projects/bind9/bin/named/server.c:2267:11
#6 0x5629173d9e67 in configure_rpz /builds/isc-projects/bind9/bin/named/server.c:2611:12
#7 0x5629173c4d23 in configure_view /builds/isc-projects/bind9/bin/named/server.c:4157:3
#8 0x5629173b0bc9 in load_configuration /builds/isc-projects/bind9/bin/named/server.c:9263:12
#9 0x5629173a8d84 in run_server /builds/isc-projects/bind9/bin/named/server.c:10045:2
#10 0x7fcba18d9614 in task_run /builds/isc-projects/bind9/lib/isc/task.c:470:4
#11 0x7fcba18d9614 in task__run /builds/isc-projects/bind9/lib/isc/task.c:287:24
#12 0x7fcba183b7a3 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75:2
#13 0x7fcb9f92201a in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68:1
#14 0x7fcb9f918868 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384:5
#15 0x7fcba186c9c7 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:266:6
#16 0x7fcba186c9c7 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:293:2
#17 0x7fcba186b827 in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:473:2
#18 0x56291736375e in main /builds/isc-projects/bind9/bin/named/main.c:1441:2
#19 0x7fcb9f3aed09 in __libc_start_main csu/../csu/libc-start.c:308:16
Thread T8 created by T0 here:
#0 0x5629172db59c in __interceptor_pthread_create (/builds/isc-projects/bind9/bin/named/.libs/named+0x15659c) (BuildId: 244d982f283adcd1b08c04c43271bef9a2de5ba0)
#1 0x7fcba18da85b in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70:8
#2 0x7fcba186b6ab in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:467:3
#3 0x56291736375e in main /builds/isc-projects/bind9/bin/named/main.c:1441:2
#4 0x7fcb9f3aed09 in __libc_start_main csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/dns/rpz.c:1656:2 in dns_rpz_update_taskaction
Shadow bytes around the buggy address:
==8378==ABORTING
See also #3531 (closed).