Bug 2096248 - delv crashes with malformed /etc/bind.keys file
Summary: delv crashes with malformed /etc/bind.keys file
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-06-13 11:34 UTC by Frantisek Sumsal
Modified: 2022-08-25 10:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-25 10:39:57 UTC
Type: Bug




Links
Internet Systems Consortium (ISC), isc-projects/bind9 merge request 6468 (merged): "Reset bind.keys parser after error on file", last updated 2022-08-23 14:14:08 UTC

Description Frantisek Sumsal 2022-06-13 11:34:16 UTC
Description of problem:
When playing around with delv I accidentally served it a malformed /etc/bind.keys file, which caused it to crash with SIGABRT.

Version-Release number of selected component (if applicable):
bind-utils-9.16.29-1.fc36.x86_64

Steps to Reproduce:
# cat >/etc/bind.keys <<EOF
trusted-keys {
. static-key 257 3 13 "F7gtEWo5fFkrhkZOgAtJnLSR01YLb3oM+cNFjeqjkRJSNCIZ3revdJmNeTpNNO+85xbb8AJkM7hW55eUwVmG3w==";
};
EOF
# delv localhost

Actual results:
# delv localhost
;; /etc/bind.keys:1: option 'trusted-keys' is deprecated
;; /etc/bind.keys:2: expected number near 'static-key'
../../../lib/isccfg/parser.c:3595: INSIST(elt != ((void *)0)) failed, back trace
#0 0x7f95b621e10a in ??
#1 0x7f95b621d2e0 in ??
#2 0x7f95b62a8a1d in ??
#3 0x7f95b62b0302 in ??
#4 0x7f95b62a52b0 in ??
#5 0x7f95b62af0c3 in ??
#6 0x7f95b62af442 in ??
#7 0x55914d5f2469 in ??
#8 0x7f95b6029550 in ??
#9 0x7f95b6029609 in ??
#10 0x55914d5f32f5 in ??
Aborted (core dumped)

Additional info:

```
This GDB supports auto-downloading debuginfo from the following URLs:
https://debuginfod.fedoraproject.org/ 
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `delv localhost'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44	      return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f95b55b4dc0 (LWP 1184201))]
(gdb) bt full
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {94082587223744, 140280982582996, 200, 140737358749456, 200, 15988063896004879360, 94082587223744, 140280982582996, 451, 94082607107920, 451, 140280982618310, 5, 0, 
            94082607107920, 450}}
        ret = <optimized out>
#1  0x00007f95b608eca3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
No locals.
#2  0x00007f95b603e9c6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007f95b60287f4 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x269, sa_sigaction = 0x269}, sa_mask = {__val = {18446744073709551216, 0, 140280982835710, 285, 72, 94082587223768, 140280980951347, 
              94082607111712, 140280982621269, 283, 94082587223744, 94082607109632, 140280982621269, 94082607107952, 15988063896004879360, 94082607108064}}, sa_flags = 1348489040, 
          sa_restorer = 0x0}
        sigs = {__val = {32, 0, 94082587029312, 140280982532478, 1024, 0, 94082607108064, 140280982578434, 24, 283467841536, 94082607107952, 15988063896004879360, 1024, 18446744073709551216, 0, 
            15988063896004879360}}
#4  0x00007f95b621d2e5 in isc_assertion_failed (file=file@entry=0x7f95b62b3014 "../../../lib/isccfg/parser.c", line=line@entry=3595, type=type@entry=isc_assertiontype_insist, 
    cond=cond@entry=0x7f95b62b3313 "elt != ((void *)0)") at ../../../lib/isc/assertions.c:49
No locals.
#5  0x00007f95b62a8a1d in cfg_gettoken (pctx=pctx@entry=0x559150604f50, options=options@entry=0) at ../../../lib/isccfg/parser.c:3595
        elt = <optimized out>
        result = 0
#6  0x00007f95b62b0302 in cfg_parse_mapbody (pctx=0x559150604f50, type=<optimized out>, ret=0x7ffff8466180) at ../../../lib/isccfg/parser.c:2379
        elt = 0x559150605850
        clausesets = 0x7f95b62bce50 <bindkeys_clausesets>
        result = <optimized out>
        clauseset = <optimized out>
        clause = <optimized out>
        value = 0x0
        obj = 0x5591506054d0
        eltobj = 0x0
        includename = 0x0
        symval = {as_pointer = 0x559150605660, as_cpointer = 0x559150605660, as_integer = 1348490848, as_uinteger = 1348490848}
        list = 0x0
        redo = <optimized out>
#7  0x00007f95b62a52b0 in cfg_parse_obj (pctx=pctx@entry=0x559150604f50, type=type@entry=0x7f95b62c21c0 <cfg_type_bindkeys>, ret=ret@entry=0x7ffff8466180) at ../../../lib/isccfg/parser.c:243
        result = <optimized out>
#8  0x00007f95b62af0c3 in parse2 (pctx=pctx@entry=0x559150604f50, type=type@entry=0x7f95b62c21c0 <cfg_type_bindkeys>, ret=ret@entry=0x7ffff8466290) at ../../../lib/isccfg/parser.c:625
        result = <optimized out>
        obj = 0x0
#9  0x00007f95b62af442 in cfg_parse_buffer (pctx=0x559150604f50, buffer=buffer@entry=0x7ffff84662c0, file=file@entry=0x0, line=line@entry=0, type=0x7f95b62c21c0 <cfg_type_bindkeys>, 
    flags=flags@entry=0, ret=0x7ffff8466290) at ../../../lib/isccfg/parser.c:698
        result = <optimized out>
#10 0x000055914d5f2469 in setup_dnsseckeys (client=0x55914f363be0) at ../../../bin/delv/delv.c:855
        b = {magic = 1114990113, base = 0x55914d5f8040 <anchortext>, length = 1991, used = 1991, current = 1991, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, 
          mctx = 0x0, autore = false}
        trusted_keys = 0x0
        managed_keys = 0x0
        trust_anchors = 0x0
        result = <optimized out>
        parser = 0x559150604f50
        bindkeys = 0x0
        filename = 0x55914d5f5f44 "/etc/bind.keys"
        cleanup = <optimized out>
        result = <optimized out>
        parser = <optimized out>
        trusted_keys = <optimized out>
        managed_keys = <optimized out>
        trust_anchors = <optimized out>
        bindkeys = <optimized out>
        filename = <optimized out>
        cleanup = <optimized out>
        b = <optimized out>
#11 main (argc=<optimized out>, argv=<optimized out>) at ../../../bin/delv/delv.c:1791
        client = 0x55914f363be0
        result = <optimized out>
        qfn = {name = {magic = 4165362544, ndata = 0x7f95b652a817 <_dl_map_object_deps+1095> "H\203\275x\373\377\377", length = 1, labels = 0, attributes = 3046054144, offsets = 0x7ffff8466390 "", buffer = 0x7f95b652a817 <_dl_map_object_deps+1095>, link = {prev = 0x1, next = 0x7f95b58f1400}, list = {head = 0x7ffff84663b0, tail = 0x7f95b652a817 <_dl_map_object_deps+1095>}}, offsets = "\001\000\000\000\000\000\000\000\000\017\217\265\225\177\000\000\320cF\370\377\177\000\000\027\250R\266\225\177\000\000\001\000\000\000\000\000\000\000\000\n\217\265\225\177\000\000\360cF\370\377\177\000\000s\302\t\266\225\177\000\000\001\000\000\000\000\000\000\000\000#.O\221U\000\000\000\000\000\000\000\000\000\000\027\250R\266\225\177\000\000\001\000\000\000\000\000\000\000\200|\037\266\225\177\000\000\000\000\000\000\000\000\000\000\250\376\377\377\377\377\377\377", buffer = {magic = 1328386352, base = 0x55914f2d8ffc, length = 7, used = 0, current = 3054095546, active = 32661, link = {prev = 0x55914f2d9130, next = 0x55914f2e22e0}, mctx = 0x55914f2d9130, autore = 176}, data = "\340\".O\221U\000\000և͵\225\177\000\000\346W\373\357\000\000\000\000\000d\236\257g\003\341\335\a\000\000\000\000\000\000\000\020\220-O\221U\000\000\340\".O\221U\000\000\020\220-O\221U\000\000\340\".O\221U\000\000\235\332ε\225\177\000\000\a\000\000\000\000\000\000\000\361\rѵ\225\177\000\000peF\370\377\177\000\000\000u\365\265\225\177\000\000\340\217-O\221U\000\000\000d\236\257g\003\341\335 y\361\265\225\177\000\000\313\006赕\177\000\000\000\000\000\000\000\000\000\000\240iF\370\377\177\000\000\200!.O\221U\000\000\000a㵕\177\000\000\001\000\000\000\000\000\000\000:\023ѵ\225\177\000\000default\000\300_R\266\225\177\000\000P"...}
        query_name = 0x0
        response_name = <optimized out>
        namestr = "\001\000\000\000\000\000\000\000 I0O\221U\000\000\360eF\370\377\177\000\000}2ε\225\177\000\000\300\243\365\265\225\177\000\000 I0O\221U\000\000\360eF\370\377\177\000\000`\337˵\225\177", '\000' <repeats 14 times>, "\225\177", '\000' <repeats 50 times>, "\001\000\000\000\001\000\000\000 \000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\f\000\000\000\000\000\000\000\352\022浕\177\000\000\002\000\000\000\225\177\000\000@fF\370\377\177\000\000\b\000\000\000\000\000\000\000\b\000\000\000\000\000\000\000\035\032浕\177"...
        rdataset = <optimized out>
        namelist = {head = 0x0, tail = 0x7f95b652ae86 <_dl_map_object_deps+2742>}
        resopt = <optimized out>
        clopt = 32768
        actx = 0x55914f3171c0
        netmgr = 0x55914f3173e0
        taskmgr = 0x55914f327f30
        socketmgr = 0x55914f327fc0
        timermgr = 0x55914f361310
        style = 0x55914f361590
        sa = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {18446744067267100671, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x0}

```
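
The reproducer above, turned into a regression check (added example, not part of the bug report or of BIND): it passes a temporary copy of the malformed bind.keys to delv's -a option, so it needs neither root nor any change to /etc/bind.keys, and it classifies the outcome by exit status, relying on the shell convention that a process killed by a signal exits with 128 plus the signal number (134 for SIGABRT). The function name, the temporary-file layout and the @127.0.0.1 server argument are this example's own choices; the trust-anchor content is the one from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or from BIND): regression check for
# delv aborting on a malformed trust-anchor file. delv's -a option selects the
# anchor file instead of /etc/bind.keys, so no root access is needed.

# Return codes:
#   0  delv exited with a normal status (< 128): the parse error was handled
#   1  delv died from a signal (the SIGABRT in this bug shows as exit 134)
#   2  delv is not installed (or no temp dir), so the check could not run
check_delv_malformed_keys() {
    command -v delv >/dev/null 2>&1 || return 2

    workdir=$(mktemp -d) || return 2
    keys="$workdir/bind.keys"

    # Constructed input: the same malformed file as the report, 'static-key'
    # where the trusted-keys parser expects a number (the flags field).
    cat >"$keys" <<'EOF'
trusted-keys {
. static-key 257 3 13 "F7gtEWo5fFkrhkZOgAtJnLSR01YLb3oM+cNFjeqjkRJSNCIZ3revdJmNeTpNNO+85xbb8AJkM7hW55eUwVmG3w==";
};
EOF

    # The crash happens while loading trust anchors, before any query is
    # sent, so the query itself does not matter. @127.0.0.1 is used so that
    # a host without a local resolver fails fast rather than waiting on
    # network timeouts.
    delv @127.0.0.1 -a "$keys" localhost >"$workdir/out" 2>&1
    rc=$?

    rm -rf "$workdir"

    if [ "$rc" -ge 128 ]; then
        echo "delv killed by signal $((rc - 128)) (exit status $rc): bug present" >&2
        return 1
    fi
    echo "delv exited with status $rc, no signal: parse error was handled" >&2
    return 0
}

# Run the check when the script is executed directly; 'verdict' holds the
# result so a caller that sources this file can inspect it.
check_delv_malformed_keys && verdict=0 || verdict=$?
```

On the bind-utils 9.16.29 build from the report the function returns 1 (delv exits 134). With the cfg_parser_reset() change that went into 9.16.33, delv should still print the two parse warnings for the file but exit without a signal, so the function returns 0. A return of 2 means the check did not run because delv was not found, which a CI job should treat as a skip rather than a pass.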

Comment 1 Petr Menšík 2022-06-21 16:35:48 UTC
Oh, interesting bug. The delv code uses the same parser buffer on delv.c:849, but it does not ensure the file is always closed on return. cfg_parse_file might return a parser with an unclosed lexer.

I have a candidate fix: just call cfg_parser_reset() on the parser after a failure. That should ensure the original source is closed.

Comment 2 Petr Menšík 2022-08-23 14:14:41 UTC
The upstream proposal was modified and merged.

Comment 3 Petr Menšík 2022-08-23 20:36:32 UTC
It would be part of the 9.16.33 release; it was merged right after the 9.16.32 release.

Comment 4 Petr Menšík 2022-08-25 10:39:57 UTC
Postponing the fix to the next release rebase; I think it is not important to fix now.

