buffer overflows when building without jemalloc
Summary
When attempting to run dig or named -V for a build of bind 9.20.0 without jemalloc, it crashes with a buffer overflow error. I looked further into it and found that the regression happened in 9.19.11, due to the merge here - 7481. This issue shows up in 9.20.0 in the proposed pocket of the upcoming Ubuntu 24.10 release. I verified that reverting the commit fixes the regression by creating a PPA here - ppa:lvoytek/bind9-fix-buffer-overflow.
BIND version affected
BIND 9.20.0-2ubuntu1-Ubuntu (Stable Release) <id:>
running on Linux x86_64 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/bind9-Xt2vMx/bind9-9.20.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/bind9-Xt2vMx/bind9-9.20.0=/usr/src/bind9-1:9.20.0-2ubuntu1 -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=3'
compiled by GCC 14.2.0
compiled with OpenSSL version: OpenSSL 3.3.1 4 Jun 2024
linked to OpenSSL version: OpenSSL 3.2.2 4 Jun 2024
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.14.0
compiled with libnghttp2 version: 1.62.1
linked to libnghttp2 version: 1.62.1
compiled with libxml2 version: 2.12.7
linked to libxml2 version: 21207
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3.1
linked to zlib version: 1.3
linked to maxminddb version: 1.10.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
*** buffer overflow detected ***: terminated
Aborted (core dumped)
Steps to reproduce
- Build bind without jemalloc
- Run
dig -x 127.0.0.1 @127.0.0.1
or
named -V
What is the current bug behavior?
See above version info or the following dig run:
$ dig -x 127.0.0.1 @127.0.0.1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
What is the expected correct behavior?
Version with PPA:
$ named -V
BIND 9.20.0-2ubuntu2~ppa1-Ubuntu (Stable Release) <id:>
running on Linux x86_64 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/bind9-2wsGkq/bind9-9.20.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/bind9-2wsGkq/bind9-9.20.0=/usr/src/bind9-1:9.20.0-2ubuntu2~ppa1 -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=3'
compiled by GCC 14.2.0
compiled with OpenSSL version: OpenSSL 3.2.2 4 Jun 2024
linked to OpenSSL version: OpenSSL 3.2.2 4 Jun 2024
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.14.0
compiled with libnghttp2 version: 1.62.1
linked to libnghttp2 version: 1.62.1
compiled with libxml2 version: 2.12.7
linked to libxml2 version: 21207
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3
linked to zlib version: 1.3
linked to maxminddb version: 1.10.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
geoip-directory: /usr/share/GeoIP
dig run:
$ dig -x 127.0.0.1 @127.0.0.1
; <<>> DiG 9.20.0-2ubuntu2~ppa1-Ubuntu <<>> -x 127.0.0.1 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17928
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 997a4aa4d607dfed0100000066c63e16c27d7fd1dacd2c27 (good)
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Aug 21 19:20:54 UTC 2024
;; MSG SIZE rcvd: 102
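What the `*** buffer overflow detected ***: terminated` line in the crashing output means, as an added illustration that is not part of this report or of BIND's code: the build above is compiled with `-D_FORTIFY_SOURCE=3` and `-O2`, so glibc replaces unbounded writes such as `sprintf`/`strcpy`/`memcpy` into a buffer of known size with checked `__*_chk` variants that abort the process (via `__fortify_fail`) instead of writing past the end; level 3 also covers sizes known only at run time. The snippet below shows the unsafe pattern next to a bounds-checked version that reports truncation rather than overflowing. The buffer size, the `geoip-directory` line format and the path strings are constructed for the example and say nothing about where the overflow in BIND actually is.

```c
/*
 * Added illustration, not BIND code: what glibc reports as
 *   *** buffer overflow detected ***: terminated
 * Builds with -D_FORTIFY_SOURCE=2/3 and -O1 or higher (as in the CPPFLAGS
 * above) replace strcpy/sprintf/memcpy into a destination of compile-time
 * known size with __*_chk variants. When the write would exceed that size,
 * glibc calls __fortify_fail and the process aborts instead of corrupting
 * memory. The buffer size and path strings here are constructed.
 */
#include <stdio.h>
#include <string.h>

#define LINEBUF 64 /* constructed: small enough that a long path overflows */

/*
 * Unsafe pattern: sprintf has no length bound. Under _FORTIFY_SOURCE this
 * becomes __sprintf_chk(line, ..., sizeof line, ...) and aborts with the
 * message above as soon as the formatted text is longer than LINEBUF-1.
 * Without fortification the same call silently overwrites the stack.
 * Safe only for a short `dir`; the overflowing case is shown, not executed.
 */
void unchecked_version_line(const char *dir) {
    char line[LINEBUF];
    sprintf(line, "geoip-directory: %s", dir);
    puts(line);
}

/*
 * Checked form: snprintf never writes more than `outlen` bytes and returns
 * the length the full text would have had, so a return value >= outlen
 * means the output was truncated. Report that instead of printing a
 * clipped path. Returns 0 on success, -1 if the line did not fit or
 * formatting failed.
 */
int checked_version_line(char *out, size_t outlen, const char *dir) {
    int n = snprintf(out, outlen, "geoip-directory: %s", dir);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return 0;
}

int main(void) {
    char line[LINEBUF];
    const char *ok = "/usr/share/GeoIP"; /* fits in LINEBUF */
    const char *too_long =               /* constructed, longer than LINEBUF */
        "/this/is/a/constructed/directory/path/that/is/far/too/long/for/the/buffer";

    if (checked_version_line(line, sizeof line, ok) == 0) {
        puts(line);
    }
    if (checked_version_line(line, sizeof line, too_long) != 0) {
        fprintf(stderr, "path does not fit in %zu bytes, refusing to print\n",
                sizeof line);
    }
    /* unchecked_version_line(too_long) here would be the fortify abort. */
    unchecked_version_line(ok);
    return 0;
}
```

Compile it with `gcc -O2 -D_FORTIFY_SOURCE=3` and swap `ok` for `too_long` in the last call to see the same abort message as in the report; the point for triage is that the message comes from glibc's runtime check, so a core dump or a run under gdb stops exactly at the offending fortified call.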