Potential assertion in isc-bind-9.12.2
A new issue reported by Robert Święcki robert@swiecki.net to security-officer:
With some fuzzing of ISC-BIND-9.12.2 with honggfuzz setup (from here https://github.com/google/honggfuzz/tree/master/examples/bind) I'm able to hit some assertion which ends up with SIGABRT.
dispatch.c:2464: INSIST(disp->tcpbuffers == 0) failed.
#0 0x00007ffff6caf6a0 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6caf6a0 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cb0cf7 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x000000000052d2ae in assertion_failed (file=0xde92a0 <.str> "resolver.c", line=7033, type=isc_assertiontype_require,
cond=0xded340 <.str.213> "(__builtin_expect(!!((query) != ((void*)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(query))->magic == ((('Q') << 24 | ('!') << 16 | ('!') << 8 | ('!')))), 1))") at ./main.c:252
#3 0x0000000000bb9c97 in isc_assertion_failed (file=0x2 <error: Cannot access memory at address 0x2>, line=-446762384, type=isc_assertiontype_require, cond=0x7ffff6caf6a0 <raise+272> "H\213\214$\b\001") at assertions.c:51
#4 0x00000000009aa838 in resquery_response (task=0x7fffe3d253b8, event=0x7fffe37dff08) at resolver.c:7033
#5 0x0000000000c46658 in dispatch (manager=<optimized out>) at task.c:1139
#6 0x0000000000c4135d in run (uap=0x2) at task.c:1311
#7 0x00007ffff77a351a in start_thread (arg=0x7fffe55f0700) at pthread_create.c:465
#8 0x00007ffff6d703ef in clone () from /lib/x86_64-linux-gnu/libc.so.6
Have you seen it before?
If not, I'll try to gather some more info on it, and send you the details, though I'm attaching my config, so you can check it for obvious problems.
And the report from honggfuzz, which is not particularly more informative:
=====================================================================
TIME: 2018-07-11.14:26:50
=====================================================================
FUZZER ARGS:
mutationsPerRun : 6
externalCmd : NULL
fuzzStdin : FALSE
timeout : 10 (sec)
ignoreAddr : (nil)
ASLimit : 0 (MiB)
RSSLimit : 0 (MiB)
DATALimit : 0 (MiB)
targetPid : 0
targetCmd :
wordlistFile : NULL
dynFileMethod:
fuzzTarget : /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named -A client:1:1:1:1:1:1 -f -c /usr/local/google/home/swiecki/fuzz/bind/dist/etc/named.conf
ORIG_FNAME: IN.req-response//8b6e4a1f05567f57d1a8dd3cbb50fc9f.00000127.honggfuzz.cov
FUZZ_FNAME: ./SIGABRT.PC.7ffff6caf6a0.STACK.cfb0c006c.CODE.-6.ADDR.(nil).INSTR.mov____0x108(%rsp),%rcx.fuzz
PID: 47832
SIGNAL: SIGABRT (6)
FAULT ADDRESS: (nil)
INSTRUCTION: mov____0x108(%rsp),%rcx
STACK HASH: 0000000cfb0c006c
STACK:
<0x00007ffff6cb0cf7> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libc-2.26.so]
<0x0000000000bb9ca1> [isc_assertion_failed():52 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00000000006c9550> [dispatch_free():2465 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00000000006c8658> [destroy_disp():549 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x0000000000c46658> [dispatch():1142 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x0000000000c4135d> [run():1320 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00007ffff77a351a> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libpthread-2.26.so]
<0x00007ffff6d703ef> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libc-2.26.so]
=====================================================================
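The report above contains two kinds of crash artefacts a triager has to line up: the one-line ISC assertion message (dispatch.c:2464 INSIST) and the honggfuzz report block with its STACK HASH and symbolised frames (the gdb backtrace, by contrast, shows a REQUIRE in resolver.c:7033, so the same fuzzing session produced at least two distinct assertion sites). The following Python script is an added example, not part of the bug report and not ISC or honggfuzz code: it parses the assertion line and the honggfuzz report into structured fields, picks out the first application frame below the assertion helpers, and derives a deduplication key from signal plus stack hash so repeated hits of the same INSIST can be grouped before they are reported. The embedded sample input is copied from the report above with the long build paths shortened to the placeholder /path/to/named; the field names and regular expressions are this example's own assumptions about the report layout shown here, not a documented honggfuzz format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input taken from the bug report above. Paths are shortened to the
# placeholder /path/to/named; everything else is as it appears in the report.
ASSERTION_LINE = "dispatch.c:2464: INSIST(disp->tcpbuffers == 0) failed."

HONGGFUZZ_REPORT = """\
=====================================================================
TIME: 2018-07-11.14:26:50
=====================================================================
FUZZER ARGS:
mutationsPerRun : 6
timeout : 10 (sec)
fuzzTarget : /path/to/named -A client:1:1:1:1:1:1 -f -c /path/to/named.conf
ORIG_FNAME: IN.req-response//8b6e4a1f05567f57d1a8dd3cbb50fc9f.00000127.honggfuzz.cov
FUZZ_FNAME: ./SIGABRT.PC.7ffff6caf6a0.STACK.cfb0c006c.CODE.-6.ADDR.(nil).INSTR.mov____0x108(%rsp),%rcx.fuzz
PID: 47832
SIGNAL: SIGABRT (6)
FAULT ADDRESS: (nil)
INSTRUCTION: mov____0x108(%rsp),%rcx
STACK HASH: 0000000cfb0c006c
STACK:
<0x00007ffff6cb0cf7> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libc-2.26.so]
<0x0000000000bb9ca1> [isc_assertion_failed():52 at /path/to/named]
<0x00000000006c9550> [dispatch_free():2465 at /path/to/named]
<0x00000000006c8658> [destroy_disp():549 at /path/to/named]
<0x0000000000c46658> [dispatch():1142 at /path/to/named]
<0x0000000000c4135d> [run():1320 at /path/to/named]
=====================================================================
"""

# "file.c:LINE: KIND(condition) failed." as printed by BIND's assertion macros
# (REQUIRE/ENSURE/INSIST/INVARIANT); the regex is an assumption about that layout.
ASSERT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+): "
    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<cond>.*)\) failed\.?$"
)
# One honggfuzz stack frame: <0xADDR> [func():LINE at /object/path]
FRAME_RE = re.compile(
    r"<0x(?P<addr>[0-9a-fA-F]+)> \[(?P<func>[^(]+)\(\):(?P<line>\d+) at (?P<obj>[^\]]+)\]"
)
# Frames that belong to the assertion machinery rather than the failing code.
ASSERT_HELPERS = {"isc_assertion_failed", "assertion_failed", "abort", "raise"}


@dataclass
class CrashReport:
    signal: Optional[str] = None
    stack_hash: Optional[str] = None
    fuzz_target: Optional[str] = None
    fuzz_fname: Optional[str] = None
    frames: List[Tuple[str, int, str]] = field(default_factory=list)  # (func, line, object)


def parse_assertion(line: str) -> Optional[Dict[str, object]]:
    """Split an ISC assertion message into file, line, macro kind and condition."""
    m = ASSERT_RE.match(line.strip())
    if not m:
        return None
    return {"file": m.group("file"), "line": int(m.group("line")),
            "kind": m.group("kind"), "cond": m.group("cond")}


def parse_honggfuzz_report(text: str) -> CrashReport:
    """Extract the fields needed for triage from a honggfuzz crash report."""
    report = CrashReport()
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_stack:
            m = FRAME_RE.search(line)
            if m:
                report.frames.append((m.group("func"), int(m.group("line")), m.group("obj")))
                continue
            in_stack = False  # separator or next key ends the STACK section
        if line == "STACK:":
            in_stack = True
        elif line.startswith("SIGNAL:"):
            report.signal = line.split(":", 1)[1].strip()
        elif line.startswith("STACK HASH:"):
            report.stack_hash = line.split(":", 1)[1].strip()
        elif line.startswith("fuzzTarget :"):
            report.fuzz_target = line.split(":", 1)[1].strip()
        elif line.startswith("FUZZ_FNAME:"):
            report.fuzz_fname = line.split(":", 1)[1].strip()
    return report


def first_app_frame(report: CrashReport) -> Optional[Tuple[str, int, str]]:
    """First symbolised frame below libc and the assertion helpers: the code that failed."""
    for func, line, obj in report.frames:
        if func == "[UNKNOWN]" or func in ASSERT_HELPERS:
            continue
        return (func, line, obj)
    return None


def crash_key(report: CrashReport) -> Tuple[str, str]:
    """Deduplication key: the same signal and stack hash means the same crash site."""
    return (report.signal or "?", report.stack_hash or "?")


if __name__ == "__main__":
    r = parse_honggfuzz_report(HONGGFUZZ_REPORT)
    print("assertion:", parse_assertion(ASSERTION_LINE))
    print("failing frame:", first_app_frame(r))
    print("dedupe key:", crash_key(r), "reproducer:", r.fuzz_fname)
```

Run over a directory of honggfuzz reports, grouping by crash_key() collapses the repeated hits of one INSIST into a single bucket, and first_app_frame() gives the function to look at (here dispatch_free, one line past the INSIST because the frame records the return address after the call into isc_assertion_failed).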