Bug 1663439

Summary: 9.9.4-RedHat-9.9.4-72.el7 keeps crashing due to assertion failure.
Product: Red Hat Enterprise Linux 7 Reporter: Eskil Brun <eskil>
Component: bindAssignee: Petr Menšík <pemensik>
Status: CLOSED DUPLICATE QA Contact: qe-baseos-daemons
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.6CC: pemensik
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: bind-9.9.4-73.el7_6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-04 18:39:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eskil Brun 2019-01-04 10:50:19 UTC 
Description of problem:
bind keeps crashing due to assertion failure.
Most likely due to receiving malformed requests.

Version-Release number of selected component (if applicable):
bind-9.9.4-72.el7.x86_64

How reproducible:
Likely reproducible with exposing the bind server to the world.

Steps to Reproduce:
1. Install bind-9.9.4-72
2. Expose it to the world.
3. Watch it crash (anywhere from 4 to 140 times a day).

Actual results:
bind crashing with these messages in the log:
jan. 04 11:00:55 ifi.uio.no named[23928]: buffer.c:420: REQUIRE(l <= ((b)->length - (b)->used)) failed, back trace
jan. 04 11:00:55 ifi.uio.no named[23928]: #0 0x56194a75d090 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #1 0x7fe0809dd31a in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #2 0x7fe0809dfb10 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #3 0x7fe0820985e7 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #4 0x7fe08209a133 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #5 0x7fe0820a2ed8 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #6 0x7fe0820a3bea in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #7 0x7fe0820a3f6f in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #8 0x7fe08212e9c6 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #9 0x7fe080a00276 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #10 0x7fe0805b0dd5 in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: #11 0x7fe07f623ead in ??
jan. 04 11:00:55 ifi.uio.no named[23928]: exiting (due to assertion failure)
jan. 04 11:00:55 ifi.uio.no systemd[1]: named.service: main process exited, code=killed, status=6/ABRT

Expected results:
bind running normally without having to have systemd restart it multiple times every day.

Additional info:

https://www.isc.org/blogs/summer_security_vulnerabilities/

The above web page describes the problem. You may likely have bind crash using the AFL (american fuzzy lop) program mentioned.

I request that bind for Red Hat Enterprise Linux 7 be upgraded to the latest available 9.9 version.
Comment 2 Eskil Brun 2019-01-18 11:19:58 UTC 
Any news on this bug?

It may be that the CentOS people have found a working patch:
 
  https://bugs.centos.org/view.php?id=15528
Comment 3 Eskil Brun 2019-01-25 14:37:13 UTC 
I am more than a little dissapointed with the lack of response on the bugs present in bind-9.9.4-72 for RHEL7.6.

Another bug has also been present (I reported on a possible solution in my last comment), giving error messages like this:

jan. 24 10:55:40 ifi.uio.no named[22712]: buffer.c:420: REQUIRE(l <= ((b)->length - (b)->used)) failed, back trace
jan. 24 10:55:40 ifi.uio.no named[22712]: #0 0x55e43e528090 in ??
jan. 24 10:55:40 ifi.uio.no named[22712]: #1 0x7f261db2131a in ??
jan. 24 10:55:40 ifi.uio.no named[22712]: #2 0x7f261db23b10 in ??
jan. 24 10:55:40 ifi.uio.no named[22712]: #3 0x7f261f1dc5e7 in ??
jan. 24 10:55:40 ifi.uio.no named[22712]: #4 0x7f261f1de133 in ??
jan. 24 10:55:40 ifi.uio.no systemd[1]: named.service: main process exited, code=killed, status=6/ABRT

This bug (buffer.c:420) resulted in 3642 kills of our named process on the 23rd of january.
On the same day, the assertion failure bug resulted in only 521 kills.

We have two bind servers both with RHEL7:bind-9.9.4-72, one internal (which have no trouble) and one externally exposed which were killed over 4000 times a day.

Needing to find a solution to our troubled externally exposed bind server I ran a simple configure -> make install of the bind-9.11.5-P1 version available from www.isc.org.
This self-compiled version has now run trouble-free without a crash for over a day. Our bind config were not changed a bit.
I will let the ISC version of bind run until Red Hat releases an updated bind package.

We rely heavily on Red Hat to fix bugs and security issues. I hope we can continue to trust that Red Hat Enterprise Linux is a trustworthy OS platform.
Please either update the bind version released with RHEL7 to a less buggy one or fix the fatal bugs that are present in bind-9.9.4-72
Comment 4 Petr Menšík 2019-02-04 18:39:57 UTC 
I am sorry for this bug. It is fixed in bug #1647539 and should be already fixed in updates.

Please update to build bind-9.9.4-73.el7_6. It would fix the problem. Workaround is to lower trace (debug level) to 9 or less.

This is described on link https://access.redhat.com/security/cve/cve-2018-5742
Comment 5 Petr Menšík 2019-02-04 18:44:43 UTC 

*** This bug has been marked as a duplicate of bug 1662916 ***