UAF in TCP dispatch
This afternoon we saw an event where BIND crashed due to an assertion failure.
01-Nov-2022 07:01:30.212 general: critical: message.c:4692: REQUIRE(msg->state == (-1)) failed, back trace
01-Nov-2022 07:01:30.212 general: critical: /usr/local/sbin/named() [0x42bd8f]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc_assertion_failed+0xa) [0x7efc8264d3ea]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libdns-9.18.7.so(dns_message_setclass+0x93) [0x7efc822c1813]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libdns-9.18.7.so(+0x11ea6b) [0x7efc8233ca6b]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libdns-9.18.7.so(+0x5d713) [0x7efc8227b713]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__nm_async_readcb+0x9c) [0x7efc8263b4fc]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__nm_readcb+0xb5) [0x7efc8263b635]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__nm_tcpdns_processbuffer+0x11c) [0x7efc826430ec]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__nm_process_sock_buffer+0x88) [0x7efc82638438]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__nm_tcpdns_read_cb+0xb8) [0x7efc82643288]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libuv.so.1(+0x1a4a4) [0x7efc80e964a4]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libuv.so.1(+0x1ae0c) [0x7efc80e96e0c]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libuv.so.1(+0x22983) [0x7efc80e9e983]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libuv.so.1(uv_run+0x128) [0x7efc80e8bc88]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(+0x24348) [0x7efc8263d348]
01-Nov-2022 07:01:30.213 general: critical: /usr/local/lib/libisc-9.18.7.so(isc__trampoline_run+0x15) [0x7efc82673855]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libpthread.so.0(+0x7ea5) [0x7efc802d8ea5]
01-Nov-2022 07:01:30.213 general: critical: /lib64/libc.so.6(clone+0x6d) [0x7efc80001b0d]
01-Nov-2022 07:01:30.213 general: critical: exiting (due to assertion failure)
The query (which is resp->arg) has already been destroyed:
(gdb) print *(resquery_t *)resp->arg
$7 = {magic = 557825056, references = 139621354865616, fctx = 0x0, rmessage = 0x0, mctx = 0x2632be0, dispatchmgr = 0x7efc780008e0, dispatch = 0x0, addrinfo = 0x7efc217d78d0, start = {seconds = 1667286089, nanoseconds = 244483829}, id = 32757, dispentry = 0x0, link = {
prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, buffer = {magic = 0, base = 0x0, length = 0, used = 0, current = 0, active = 0, link = {prev = 0x0, next = 0x0}, mctx = 0x0, autore = false}, tsig = 0x0, tsigkey = 0x0, dscp = -1, ednsversion = 0,
options = 35, attributes = 2, udpsize = 1232, data = "\177\365\000\020\000\001\000\000\000\000\000\001\002ns\ainetdns\002eu\000\000\001\000\001\000\000)\004\320\000\000\200", '\000' <repeats 472 times>}
So there seems to be a reference counting problem.
Edited by Ondřej Surý
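The following is an added example, not code from BIND or from the reporter. It is a deliberately small model of the lifetime hazard the gdb output shows: a pending read's callback argument (resp->arg in the backtrace) is a raw pointer to a query object that has already been destroyed. The names query_t, dispentry_t, read_cb and the magic values are hypothetical, and "destroy" poisons the magic instead of calling free() so the bad path stays memory-safe in the demo; a real destroy would free the block and the later access would be a genuine use-after-free.

```c
/*
 * Added example (not BIND code): why a callback argument needs its own
 * reference. Names and magic values are hypothetical.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define QUERY_MAGIC 0x51554552u /* "QUER", hypothetical tag */
#define QUERY_DEAD  0xdeadbeefu /* poison written by the last detach */

typedef struct query {
    uint32_t magic;       /* checked on every use, like a REQUIRE(VALID_...) */
    unsigned references;
} query_t;

typedef struct dispentry {
    query_t *arg;         /* raw pointer handed to the read callback */
    bool owns_ref;        /* true if the pending callback holds its own reference */
} dispentry_t;

static query_t *query_new(void)
{
    query_t *q = calloc(1, sizeof(*q));
    assert(q != NULL);
    q->magic = QUERY_MAGIC;
    q->references = 1;    /* the creator's reference */
    return q;
}

static void query_attach(query_t *q)
{
    assert(q->magic == QUERY_MAGIC);
    q->references++;
}

/* Drop one reference; the last one "destroys" the object (magic poisoned). */
static void query_detach(query_t **qp)
{
    query_t *q = *qp;
    *qp = NULL;
    assert(q->magic == QUERY_MAGIC && q->references > 0);
    if (--q->references == 0) {
        q->magic = QUERY_DEAD;   /* a real implementation would free() here */
    }
}

/* Queue a read whose callback argument is the query. With take_ref the entry
 * takes its own reference so the object is guaranteed to outlive the callback. */
static void dispentry_register(dispentry_t *e, query_t *q, bool take_ref)
{
    e->arg = q;
    e->owns_ref = take_ref;
    if (take_ref) {
        query_attach(q);
    }
}

/* The read callback. Returns false if the argument is already dead, which is
 * the situation the REQUIRE() in the backtrace above tripped over. */
static bool read_cb(dispentry_t *e)
{
    query_t *q = e->arg;
    if (q->magic != QUERY_MAGIC) {
        return false;                   /* would be a use-after-free for real */
    }
    /* ... process the response using q ... */
    if (e->owns_ref) {
        query_detach(&e->arg);          /* release the callback's reference */
    }
    return true;
}

/* Creator queues a read, then drops its reference (fetch cancelled or
 * completed) before the read callback runs. Returns true if the callback
 * found a live object. */
static bool run_scenario(bool callback_holds_ref)
{
    dispentry_t entry;
    query_t *q = query_new();
    query_t *raw = q;                   /* kept only to free the demo memory */

    dispentry_register(&entry, q, callback_holds_ref);
    query_detach(&q);                   /* creator is done with the query */
    bool alive = read_cb(&entry);       /* callback fires afterwards */

    free(raw);
    return alive;
}

int main(void)
{
    printf("no reference held by pending read: %s\n",
           run_scenario(false) ? "ok" : "callback saw a destroyed query");
    printf("reference held by pending read:    %s\n",
           run_scenario(true) ? "ok" : "callback saw a destroyed query");
    return 0;
}
```

The first scenario is the shape of the report: the dispatch entry keeps only a raw pointer, the creator's detach is the last reference, and the callback then reads a dead object. The second scenario has the pending read hold its own reference, so the creator's detach is no longer the last one and the object survives until the callback itself detaches.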