Opened Jan 16, 2019 by Petr Menšík (@pemensik, Contributor)

Corrupted zone is not always refused with error

Summary

A broken zone file is not always refused with an error.

BIND version used

BIND 9.11.5-RedHat-9.11.5-2.fc29 (Extended Support Version) <id:3b0b204>
running on Linux x86_64 4.19.14-300.fc29.x86_64 #1 SMP Wed Jan 9 21:30:35 UTC 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--with-libidn2' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-atf=/usr' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
compiled by GCC 8.2.1 20181011 (Red Hat 8.2.1-4)
compiled with OpenSSL version: OpenSSL 1.1.1 FIPS  11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 FIPS  11 Sep 2018
compiled with libxml2 version: 2.9.8
linked to libxml2 version: 20908
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

Steps to reproduce

When header->first_node_offset is greater than the file size, the computed offset is outside the memory-mapped range.

What is the current bug behavior?

It loads the file but fails when interpreting it.

What is the expected correct behavior?

It should reject the file as invalid.

Relevant configuration files

None.

Relevant logs and/or screenshots

No configuration required, just the unit test with a bit of luck, or a reliable reproducer.

Discovered by running unit tests, which do corrupt the file at random.

$ kyua test rbt_serialize_test
rbt_serialize_test:deserialize_corrupt  ->  broken: Premature exit; test case received signal 11 (core dumped)  [0.644s]
rbt_serialize_test:serialize  ->  passed  [0.027s]
rbt_serialize_test:serialize_align  ->  passed  [0.017s]

Possible fixes

0001-Reproducer-for-crash-in-serialize_test.patch

0002-Fix-possible-crash-when-loading-corrupted-file.patch

I think a specially crafted file could crash named, but I assume binary zones are not usually obtained from trusted sources. Anyway, I leave it up to you whether this should be a public issue or not. Feel free to switch it to public.

Edited Jan 16, 2019 by Petr Menšík
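The check the report asks for, shown as an added example in C that is not BIND's code and not the contents of the attached patches: a validator for a memory-mapped serialized tree image that refuses any offset lying outside the mapping before anything dereferences it, and that also bounds the node walk so a corrupted child pointer cannot loop forever. The header and node layouts (img_header_t, img_node_t, IMG_MAGIC) and the sample image are assumptions made for illustration and are not the real dns_rbt serialization format; only the hazard is the same, a header->first_node_offset larger than the file size.

```c
/* Added example, not BIND's code. All layouts below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_MAGIC 0x31544252u   /* assumed magic value */

typedef struct {                /* hypothetical file header */
    uint32_t magic;
    uint32_t first_node_offset; /* byte offset of the root node, 0 if empty */
    uint32_t nodecount;         /* number of nodes the image claims to hold */
} img_header_t;

typedef struct {                /* hypothetical node; offset 0 means "none" */
    uint32_t left;
    uint32_t right;
} img_node_t;

/* COUNT: more nodes claimed than fit, or a cycle exhausted the node budget. */
enum img_status { IMG_OK = 0, IMG_ERR_SHORT, IMG_ERR_MAGIC, IMG_ERR_COUNT,
                  IMG_ERR_OFFSET, IMG_ERR_ALIGN };

/* True iff [off, off + need) lies inside the image; off + need cannot wrap. */
static int in_range(size_t off, size_t need, size_t filesize) {
    return off <= filesize && need <= filesize - off;
}

/* Walk the subtree at `off`, charging each visited node to `budget` so a
 * corrupted child pointer that forms a cycle ends in IMG_ERR_COUNT. */
static int check_subtree(const unsigned char *base, size_t filesize,
                         uint32_t off, uint32_t *budget) {
    img_node_t node;
    int st;
    if (off == 0) return IMG_OK;
    if (*budget == 0) return IMG_ERR_COUNT;
    (*budget)--;
    if (!in_range(off, sizeof node, filesize)) return IMG_ERR_OFFSET;
    if (off % sizeof(uint32_t) != 0) return IMG_ERR_ALIGN;
    memcpy(&node, base + off, sizeof node); /* copy out, never cast in place */
    st = check_subtree(base, filesize, node.left, budget);
    return st != IMG_OK ? st : check_subtree(base, filesize, node.right, budget);
}

/* Validate a mapped image of `filesize` bytes before anything uses it. */
int img_validate(const unsigned char *base, size_t filesize) {
    img_header_t hdr;
    uint32_t budget;
    if (!in_range(0, sizeof hdr, filesize)) return IMG_ERR_SHORT;
    memcpy(&hdr, base, sizeof hdr);
    if (hdr.magic != IMG_MAGIC) return IMG_ERR_MAGIC;
    /* The claimed node count must fit in the bytes after the header. */
    if (hdr.nodecount > (filesize - sizeof hdr) / sizeof(img_node_t))
        return IMG_ERR_COUNT;
    /* The report's case: first_node_offset past the end is refused by
     * in_range() inside check_subtree(), not found by a fault later. */
    budget = hdr.nodecount;
    return check_subtree(base, filesize, hdr.first_node_offset, &budget);
}

/* Constructed sample image: header, then a root with two leaf children. */
size_t img_build(unsigned char *buf, size_t cap) {
    uint32_t h = sizeof(img_header_t), n = sizeof(img_node_t);
    img_header_t hdr = { IMG_MAGIC, h, 3 };
    img_node_t root = { h + n, h + 2 * n }, leaf = { 0, 0 };
    size_t len = h + 3 * n;                 /* 36 bytes */
    if (cap < len) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + h, &root, sizeof root);
    memcpy(buf + h + n, &leaf, sizeof leaf);
    memcpy(buf + h + 2 * n, &leaf, sizeof leaf);
    return len;
}

/* Scenarios on the sample image: 0 intact; 1 first_node_offset past the end
 * (the report's case); 2 root.left pointing at the root; 3 truncated header. */
int img_scenario(int which) {
    unsigned char buf[64];
    size_t len = img_build(buf, sizeof buf);
    uint32_t v;
    switch (which) {
    case 1: v = 4096; memcpy(buf + 4, &v, sizeof v); break;  /* header field */
    case 2: v = 12;   memcpy(buf + 12, &v, sizeof v); break; /* root.left */
    case 3: len = sizeof(img_header_t) / 2; break;
    default: break;
    }
    return img_validate(buf, len);
}

/* Deterministic form of the reporter's randomized test: overwrite each byte
 * with 0xFF in turn and count rejections; every byte here is checked (36). */
int img_corruption_survey(void) {
    unsigned char buf[64];
    size_t len = img_build(buf, sizeof buf), i;
    int rejected = 0;
    for (i = 0; i < len; i++) {
        unsigned char saved = buf[i];
        buf[i] = 0xFF;
        if (img_validate(buf, len) != IMG_OK) rejected++;
        buf[i] = saved;
    }
    return rejected;
}
```

The two design points worth carrying over to a real loader: every offset is checked against the mapping length in a form that cannot overflow (off <= filesize && need <= filesize - off) before the pointer is formed, and the traversal is charged against the node count from the header so a crafted image with a cycle, or one claiming more nodes than the file can hold, is rejected instead of looping or reading past the end. Recursion depth is bounded by that budget, which for a real file of many nodes would argue for an explicit stack instead of recursion.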
Milestone: BIND 9.17 Backburner
Reference: isc-projects/bind9#819