Use-after-free triggers a crash in reactivate_node()
The following ASAN issue was triggered on main: https://gitlab.isc.org/isc-projects/bind9/-/jobs/2876943
It looks like node->locknum is accessed after node has already been freed. Apparently this happened on shutdown. Full named.log is available (search for the string AddressSanitizer, as the ASAN crash did not happen at the end of the test, but during one of the frequent server restarts in the rpz test).
Could this have been caused by !7012 (merged)?
ASAN report:
=================================================================
==20807==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000502ba at pc 0x7fe6becda9cc bp 0x7fe6b3a90360 sp 0x7fe6b3a90358
READ of size 2 at 0x60d0000502ba thread T16
#0 0x7fe6becda9cb in reactivate_node /builds/isc-projects/bind9/lib/dns/rbtdb.c:2032
#1 0x7fe6becdb2a2 in reference_iter_node /builds/isc-projects/bind9/lib/dns/rbtdb.c:8947
#2 0x7fe6becf6a97 in dbiterator_next /builds/isc-projects/bind9/lib/dns/rbtdb.c:9348
#3 0x7fe6beaf1412 in dns_dbiterator_next /builds/isc-projects/bind9/lib/dns/dbiterator.c:89
#4 0x7fe6beedcd80 in update_nodes /builds/isc-projects/bind9/lib/dns/rpz.c:1833
#5 0x7fe6beee0ef0 in update_rpz_cb /builds/isc-projects/bind9/lib/dns/rpz.c:1919
#6 0x7fe6bfe232ae in isc__work_cb /builds/isc-projects/bind9/lib/isc/work.c:27
#7 0x7fe6bd734ea5 in uv__queue_work /usr/src/libuv-v1.44.1/src/threadpool.c:326
#8 0x7fe6bd73462d in worker /usr/src/libuv-v1.44.1/src/threadpool.c:122
#9 0x7fe6bccc3e2c in start_thread (/lib64/libc.so.6+0x8ce2c)
#10 0x7fe6bcd48363 in __GI___clone (/lib64/libc.so.6+0x111363)
0x60d0000502ba is located 90 bytes inside of 130-byte region [0x60d000050260,0x60d0000502e2)
freed by thread T1 here:
#0 0x7fe6c06ab368 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9368)
#1 0x7fe6bfdc31a8 in sdallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:72
#2 0x7fe6bfdc31a8 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:365
#3 0x7fe6bfdc7161 in isc__mem_put /builds/isc-projects/bind9/lib/isc/mem.c:791
#4 0x7fe6becafc6f in freenode /builds/isc-projects/bind9/lib/dns/rbt.c:2178
#5 0x7fe6becbc837 in dns_rbt_deletenode /builds/isc-projects/bind9/lib/dns/rbt.c:1423
#6 0x7fe6becd5148 in delete_node /builds/isc-projects/bind9/lib/dns/rbtdb.c:1873
#7 0x7fe6becd7bf5 in decrement_reference /builds/isc-projects/bind9/lib/dns/rbtdb.c:2208
#8 0x7fe6beced136 in prune_tree /builds/isc-projects/bind9/lib/dns/rbtdb.c:2254
#9 0x7fe6bfe085b3 in task_run /builds/isc-projects/bind9/lib/isc/task.c:470
#10 0x7fe6bfe08c3e in task__run /builds/isc-projects/bind9/lib/isc/task.c:287
#11 0x7fe6bfd9ee27 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75
#12 0x7fe6bd7445bb in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68
#13 0x7fe6bd73abe7 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384
#14 0x7fe6bfdba473 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:267
#15 0x7fe6bfdba473 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:294
#16 0x7fe6bfe20478 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:198
#17 0x7fe6bccc3e2c in start_thread (/lib64/libc.so.6+0x8ce2c)
previously allocated by thread T1 here:
#0 0x7fe6c06ac68f in __interceptor_malloc (/lib64/libasan.so.8+0xba68f)
#1 0x7fe6bfdc4dd3 in mallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:57
#2 0x7fe6bfdc4dd3 in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:343
#3 0x7fe6bfdc6e47 in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:774
#4 0x7fe6becb0d5e in create_node /builds/isc-projects/bind9/lib/dns/rbt.c:1507
#5 0x7fe6becb7f5c in dns_rbt_addnode /builds/isc-projects/bind9/lib/dns/rbt.c:581
#6 0x7fe6bece129f in findnodeintree /builds/isc-projects/bind9/lib/dns/rbtdb.c:2891
#7 0x7fe6bece1dca in findnode /builds/isc-projects/bind9/lib/dns/rbtdb.c:2935
#8 0x7fe6beae9080 in dns_db_findnode /builds/isc-projects/bind9/lib/dns/db.c:434
#9 0x7fe6beaf34e6 in diff_apply /builds/isc-projects/bind9/lib/dns/diff.c:307
#10 0x7fe6beaf6871 in dns_diff_apply /builds/isc-projects/bind9/lib/dns/diff.c:459
#11 0x7fe6be084c1a in do_one_tuple /builds/isc-projects/bind9/lib/ns/update.c:453
#12 0x7fe6be0957d6 in update_one_rr /builds/isc-projects/bind9/lib/ns/update.c:504
#13 0x7fe6be0957d6 in update_action /builds/isc-projects/bind9/lib/ns/update.c:3236
#14 0x7fe6bfe085b3 in task_run /builds/isc-projects/bind9/lib/isc/task.c:470
#15 0x7fe6bfe08c3e in task__run /builds/isc-projects/bind9/lib/isc/task.c:287
#16 0x7fe6bfd9ee27 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75
#17 0x7fe6bd7445bb in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68
#18 0x7fe6bd73abe7 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384
#19 0x7fe6bfdba473 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:267
#20 0x7fe6bfdba473 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:294
#21 0x7fe6bfe20478 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:198
#22 0x7fe6bccc3e2c in start_thread (/lib64/libc.so.6+0x8ce2c)
Thread T16 created by T10 here:
#0 0x7fe6c063d3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7fe6bd74dd01 in uv_thread_create_ex /usr/src/libuv-v1.44.1/src/unix/thread.c:279
#2 0x7fe6bd74dbfb in uv_thread_create /usr/src/libuv-v1.44.1/src/unix/thread.c:233
#3 0x7fe6bd734a7a in init_threads /usr/src/libuv-v1.44.1/src/threadpool.c:230
#4 0x7fe6bd734b07 in init_once /usr/src/libuv-v1.44.1/src/threadpool.c:257
#5 0x7fe6bccc8e36 in __pthread_once_slow (/lib64/libc.so.6+0x91e36)
Thread T10 created by T0 here:
#0 0x7fe6c063d3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7fe6bfe0d365 in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70
#2 0x7fe6bfdbfccb in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:468
#3 0x443d1a in main /builds/isc-projects/bind9/bin/named/main.c:1545
#4 0x7fe6bcc6054f in __libc_start_call_main (/lib64/libc.so.6+0x2954f)
Thread T1 created by T0 here:
#0 0x7fe6c063d3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7fe6bfe0d365 in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70
#2 0x7fe6bfdbfccb in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:468
#3 0x443d1a in main /builds/isc-projects/bind9/bin/named/main.c:1545
#4 0x7fe6bcc6054f in __libc_start_call_main (/lib64/libc.so.6+0x2954f)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/dns/rbtdb.c:2032 in reactivate_node
==20807==ABORTING
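As an added illustration, not BIND's code and not a claim about what !7012 changed, here is a hypothetical C model of the two orderings the report shows: the prune path (decrement_reference -> delete_node) dropping the last reference while an iterator reads node->locknum without holding a reference of its own, versus the iterator attaching to the node before the read. The node type, the `freed` flag and both iterator functions are assumptions made for the model; freeing is simulated by a flag so the race outcome is deterministic.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical minimal tree node: a 2-byte locknum (the size ASAN reported
 * being read) plus a reference count. Not rbtdb's real dns_rbtnode_t. */
typedef struct node {
    uint16_t locknum;
    unsigned references;
    bool freed;   /* stands in for free(); keeps the model deterministic */
} node_t;

static node_t *node_new(uint16_t locknum) {
    node_t *n = calloc(1, sizeof(*n));
    n->locknum = locknum;
    n->references = 1;   /* the tree's own reference */
    return n;
}

/* Model of decrement_reference(): the last reference deletes the node. */
static void node_detach(node_t *n) {
    assert(n->references > 0);
    if (--n->references == 0)
        n->freed = true;
}

/* Unsafe iterator: dereferences the node without holding a reference. If a
 * prune on another thread drops the tree's reference first, this read is the
 * heap-use-after-free ASAN reported (returned here as -1 instead of crashing). */
static int unsafe_iter_read(node_t *n, bool prune_wins_race) {
    if (prune_wins_race)
        node_detach(n);   /* prune_tree() runs before the read */
    return n->freed ? -1 : (int)n->locknum;
}

/* Safe iterator: attach before touching the node, so a concurrent prune can
 * only drop the tree's reference and the node outlives the read. */
static int safe_iter_read(node_t *n, bool prune_wins_race) {
    n->references++;   /* iterator holds its own reference */
    if (prune_wins_race)
        node_detach(n);
    int v = n->freed ? -1 : (int)n->locknum;
    node_detach(n);    /* iterator releases; the last reference deletes */
    return v;
}
```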