BIND can crash with assertion in the situation when a `tls` entry is used multiple times to establish an outgoing connection
BIND can crash with an assertion failure when a `tls` entry is used multiple times to establish outgoing connections to other servers via TLS.
```
04-Dec-2023 13:38:33.746 tls.c:1187: REQUIRE(pstore != ((void *)0) && *pstore != ((void *)0)) failed
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_backtrace_log+0x49) [0x7ffff7f4e6d7]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/bin/named/.libs/named() [0x42c0c6]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_assertion_failed+0x31) [0x7ffff7f4e052]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_tls_cert_store_free+0x42) [0x7ffff7f87ebd]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_transport_get_tlsctx+0x6f1) [0x7ffff7de49f4]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x696e6) [0x7ffff7c696e6]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_dispatch_connect+0xb6) [0x7ffff7c69d32]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x20acf2) [0x7ffff7e0acf2]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_xfrin_create+0x2c0) [0x7ffff7e09469]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x255a9b) [0x7ffff7e55a9b]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc__async_cb+0x186) [0x7ffff7f4e500]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(+0x10543) [0x7ffff7730543]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(+0x238e5) [0x7ffff77438e5]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(uv_run+0xb0) [0x7ffff77311c0]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x571e0) [0x7ffff7f6c1e0]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x6e669) [0x7ffff7f83669]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x6e6ad) [0x7ffff7f836ad]
04-Dec-2023 13:38:33.746 /nix/store/qn3ggz5sf3hkjs2c797xf7nan3amdxmp-glibc-2.38-27/lib/libc.so.6(+0x8b084) [0x7ffff6e62084]
04-Dec-2023 13:38:33.746 /nix/store/qn3ggz5sf3hkjs2c797xf7nan3amdxmp-glibc-2.38-27/lib/libc.so.6(+0x10d60c) [0x7ffff6ee460c]
04-Dec-2023 13:38:33.746 exiting (due to assertion failure)
```
In particular, the problem reveals itself when multiple threads are trying to initialise a transport-specific TLS context and its associated data, as in the following situation:
```
tls tls-v1.3 {
    protocols { TLSv1.3; };
    prefer-server-ciphers yes;
};

zone "example-1" {
    type secondary;
    primaries port 22168 { 10.53.0.1 tls tls-v1.3; };
    file "example-1.db";
    allow-transfer { any; };
};

zone "example-2" {
    type secondary;
    primaries port 22169 { 10.53.0.1 tls tls-v1.3; };
    file "example-2.db";
    allow-transfer { any; };
};

zone "example-3" {
    type secondary;
    primaries port 22170 { 10.53.0.1 tls tls-v1.3; };
    file "example-3.db";
    allow-transfer { any; };
};
```
The error handling code is not correct for this case, as in some cases, freeing a TLS certificate store is not required. In this particular case it can be `NULL`.
The problem does not reveal itself on each run.
Edited by Artem Boldariev
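The following is an added illustration, not code from BIND or from the issue author: a simplified, single-threaded C model of the failure path described above, replaying the view of a thread that finds the shared context already installed. All names (`store_free`, `cache_add`, `setup_ctx`, `loser_violations`) are hypothetical, and the model assumes that the error path is reached when another thread has populated the cache first and that no certificate store is built for this `tls` block.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins; none of these names are BIND's own. */
typedef struct cert_store { int placeholder; } cert_store_t;
typedef struct ctx_cache { bool populated; cert_store_t *store; } ctx_cache_t;

static int violations; /* times the modelled REQUIRE() would have aborted */

/* Same contract as the failed assertion in the log:
 * pstore != NULL && *pstore != NULL. Counts instead of aborting. */
static void store_free(cert_store_t **pstore) {
    if (pstore == NULL || *pstore == NULL) {
        violations++;
        return;
    }
    free(*pstore);
    *pstore = NULL;
}

/* Insert into the shared cache; fails if another thread got there first. */
static bool cache_add(ctx_cache_t *cache, cert_store_t *store) {
    if (cache->populated) {
        return false;
    }
    cache->populated = true;
    cache->store = store; /* the cache now owns the store */
    return true;
}

/* One thread's attempt to set up the context. need_store is false for a
 * tls block like the one above (assumption: no store is built for it). */
static bool setup_ctx(ctx_cache_t *cache, bool need_store, bool guarded) {
    cert_store_t *store = need_store ? calloc(1, sizeof(*store)) : NULL;
    if (cache_add(cache, store)) {
        return true;
    }
    /* Error path: this thread lost the race and must drop what it built. */
    if (!guarded || store != NULL) {
        store_free(&store);
    }
    return false;
}

/* Replays the losing thread's view: the cache is already populated. */
static int loser_violations(bool need_store, bool guarded) {
    ctx_cache_t cache = { .populated = true, .store = NULL };
    violations = 0;
    (void)setup_ctx(&cache, need_store, guarded);
    return violations;
}
```

Only the combination of a lost race and an absent store trips the precondition in the unguarded cleanup, which matches a crash that does not appear on every run.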