Bug#: 158664
Status: RESOLVED
Resolution: CANTFIX
Assigned To: The Gentoo Linux Hardened Team <hardened@gentoo.org>
Reporter: Ben XO <gentoo@ben-xo.com>

Attachment: crashtest.zone (Test zone file, text/plain, 867 bytes), added by RB on 2007-02-27 15:08 0000



Description:   Opened: 2006-12-20 10:22 0000
Happens to me on 2 different boxes... one has 200 zones the other about 25, so
the core dumping was a major PITA >_<

Bind wouldn't stay up for more than about 15 minutes.

Workaround: downgrade to 9.2.7 which appears to be stable.

info on box1:

Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5,
2.6.17-hardened-r1 i686)
=================================================================
System uname: 2.6.17-hardened-r1 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 12:00:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer -fweb -frename-registers
-funit-at-a-time"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer -fweb
-frename-registers -funit-at-a-time"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks parallel-fetch sandbox sfperms
strict stricter userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://ftp.roedu.net/pub/mirrors/gentoo.org/
http://gentoo.inode.at/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X509 acpi aim apache2 avi berkdb bzip2 cdb cli contentcache cracklib crypt
ctype curl dba devmap dlloader elibc_glibc encode exif expat fam fastbuild
foomaticdb force-cgi-redirect fortran ftp gd gdbm gif gmp hardened hash iconv
idn imap imlib inode input_devices_keyboard input_devices_mouse ipv6 jpeg
kernel_linux libg++ libwww logrotate mad maildir memlimit mhash mp3 mpeg mysql
mysqli ncurses nls nptl ogg pam pcntl pcre pdflib perl pic png posix python
qmail readline reflection rrdtool sdl session sharedmem simplexml slang snmp
soap sockets spamassassin spell spl sqlite sse2 ssl sysvipc tcltk tcpd threads
tiff tokenizer truetype truetype-fonts udev unicode userland_GNU userlocales
vhosts vorbis x86 xml xml2 xorg xsl xv zip zlib zlibi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


info on box2:

Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5,
2.6.11-hardened-r14 i686)
=================================================================
System uname: 2.6.11-hardened-r14 i686 Intel(R) XEON(TM) CPU 1.80GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 10:00:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r2, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -funit-at-a-time -fweb
-frename-registers"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -funit-at-a-time -fweb
-frename-registers"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox
sfperms strict stricter userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.blueyonder.co.uk/ http://194.117.143.69
ftp://194.117.143.69/mirrors/gentoo http://194.117.143.71
ftp://194.117.143.72/mirrors/gentoo http://distfiles.gentoo.org
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X509 acl apache2 berkdb bzip2 cdb chroot cli crypt ctype curl dlloader
elibc_glibc erandom exif extraengine fastbuild flash ftp gd glibc-omitfp gmp
hardened hpn iconv idn imap inifile innodb input_devices_keyboard
input_devices_mouse ipv6 java jpeg kernel_linux linguas_en logrotate maildir
mcal mhash ming mpm-prefork mysql ncurses nls nptl nptlonly pam pcntl pcre perl
php pic pie png python readline rrdtool sasl session sftplogging sharedext
sharedmem snmp sockets spamassassin spell sqlite ssl sysvipc tcpd threads tiff
tokenizer truetype unicode userland_GNU userlocales utf8 x86 xml xml2 xmlrpc
xorg xsl zip zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #1 From Chris Frage 2006-12-21 03:18:54 0000 -------
It core dumps on lookup of its own zones ...
Normal caching and forwarding is working fine.

Same problem with hardened amd64:

Portage 2.1.1-r2 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.3.6-r5,
2.6.18-hardened x86_64)
=================================================================
System uname: 2.6.18-hardened x86_64 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 21 Dec 2006 08:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=x86-64 -O2 -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=x86-64 -O2 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg candy ccache distlocks fixpackages
metadata-transfer nodoc noinfo noman notitles parallel-fetch sandbox sfperms
strict"
GENTOO_MIRRORS="ftp://cs.ubishops.ca/pub/gentoo
ftp://pandemonium.tiscali.de/pub/gentoo ftp://ftp.heanet.ie/pub/gentoo"
MAKEOPTS="-j5"
PKGDIR="/pkgs"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=180"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-snix"
SYNC="rsync://10.5.4.252/gentoo-portage"
USE="amd64 acpi alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw
alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix
alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty
alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks
alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa
alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter
alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null
alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route
alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2
bash-completion berkdb bzip2 caps clamav crypt elibc_glibc gif hardened
hardenedphp idn input_devices_keyboard input_devices_mouse ipv6 jpeg
kernel_linux mbox multilib mysql ncurses nls nptl offensive pcre perl php pic
png python readline sasl server sse2 ssl symlink tcpd threads tiff truetype
unicode userland_GNU vhosts xml xml2 zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS

------- Comment #2 From Ben XO 2006-12-21 04:48:59 0000 -------
In my report I said that downgrading to 9.2.7 worked around the problem... but
it didn't.

I've cross-graded to djbdns for the meantime.

------- Comment #3 From Paul Osmialowski 2006-12-21 06:56:23 0000 -------
(In reply to comment #1)
> It core dumps on lookup of its own zones ...
> Normal caching and forwarding is working fine.
> 
The same problem on my PIII, hardened profile, all packages compiled with stack
protector.
Strace during lookup of its own zone:
select(27, [20 21 22 23 24], [], NULL, {21, 403998}) = 1 (in [20], left {7,
256000})
gettimeofday({1166712896, 537447}, NULL) = 0
recvmsg(20, {msg_name(16)={sa_family=AF_INET, sin_port=htons(32968),
sin_addr=inet_addr("192.168.1.123")},
msg_iov(1)=[{"\270\270\1\0\0\1\0\0\0\0\0\0\4king\3net\2pl\0\0\1\0\1t"...,
4096}], msg_controllen=20, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=0x1d
/* SCM_??? */, ...}, msg_flags=0}, 0) = 29
sendmsg(20, {msg_name(16)={sa_family=AF_INET, sin_port=htons(32968),
sin_addr=inet_addr("192.168.1.123")},
msg_iov(1)=[{"\270\270\205\200\0\1\0\1\0\2\0\2\4king\3net\2pl\0\0\1\0"...,
116}], msg_controllen=0, msg_flags=0}, 0) = 116
recvmsg(20, 0xbd744620, 0)              = -1 EAGAIN (Resource temporarily
unavailable)
rt_sigprocmask(SIG_BLOCK, ~[ABRT], NULL, 8) = 0
write(2, "named", 5)                    = 5
write(2, ": stack smashing attack in funct"..., 36) = 36
write(2, "query_find", 10)              = 10
write(2, "()\n", 3)                     = 3
rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0
getpid()                                = 19918
kill(19918, SIGABRT)                    = 0
--- SIGABRT (Aborted) @ 0 (0) ---
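The abort sequence in that strace (a few write(2, ...) calls carrying the SSP message, then kill(pid, SIGABRT)) is easy to recognise mechanically once the stderr writes are reassembled. The following detector is an added example, not part of the bug report or of BIND; its sample input is constructed from the Comment #3 lines above, and the "<N bytes elided>" marker for strace's 32-byte string abbreviation is this example's own convention.

```python
"""Spot an SSP (ProPolice / -fstack-protector) abort in strace output.

When SSP detects a smashed canary it writes
"<prog>: stack smashing attack in function <fn>()" to fd 2 in several
write(2, ...) calls and then raises SIGABRT, exactly as the trace in
Comment #3 shows. strace abbreviates string arguments longer than 32
bytes and marks the cut with "...", so the message has to be reassembled
across calls before it can be matched.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant lines of the strace in Comment #3,
# with the long recvmsg/sendmsg arguments shortened for readability.
SAMPLE_STRACE = r"""
recvmsg(20, {msg_name(16)={sa_family=AF_INET, sin_port=htons(32968), sin_addr=inet_addr("192.168.1.123")}, msg_iov(1)=[{"\270\270\1\0\0\1\0\0"..., 4096}], msg_flags=0}, 0) = 29
sendmsg(20, {msg_name(16)={sa_family=AF_INET, sin_port=htons(32968), sin_addr=inet_addr("192.168.1.123")}, msg_iov(1)=[{"\270\270\205\200\0\1"..., 116}], msg_controllen=0, msg_flags=0}, 0) = 116
recvmsg(20, 0xbd744620, 0)              = -1 EAGAIN (Resource temporarily unavailable)
rt_sigprocmask(SIG_BLOCK, ~[ABRT], NULL, 8) = 0
write(2, "named", 5)                    = 5
write(2, ": stack smashing attack in funct"..., 36) = 36
write(2, "query_find", 10)              = 10
write(2, "()\n", 3)                     = 3
rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0
getpid()                                = 19918
kill(19918, SIGABRT)                    = 0
--- SIGABRT (Aborted) @ 0 (0) ---
"""

# write(<fd>, "<literal>"[...], <len>) = <ret>; the literal may contain \-escapes.
WRITE_RE = re.compile(
    r'^write\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\)\s*=\s*(-?\d+)')
KILL_RE = re.compile(r'^kill\((\d+), SIGABRT\)')
# Source address of a datagram received via recvmsg (the 0x... form is a
# failed/empty call and has no address).
PEER_RE = re.compile(r'^recvmsg\(\d+, \{.*?sin_addr=inet_addr\("([\d.]+)"\)')
# Matches both the full message and one cut by strace after "funct".
SSP_MSG_RE = re.compile(
    r'^(?P<prog>[^:\n]+): stack smashing attack in funct'
    r'(?:ion|<\d+ bytes elided>)\s*(?P<fn>\w+)\(\)', re.M)


def _unescape(lit: str) -> str:
    """Decode strace's C-style escapes (\\n, \\270 ...) in a string argument."""
    return lit.encode("latin-1", "backslashreplace").decode("unicode_escape")


def stderr_stream(lines: List[str]) -> str:
    """Concatenate everything the traced process wrote to fd 2, in order.

    Bytes strace cut off are replaced by an explicit '<N bytes elided>'
    marker so a later match cannot silently pretend they were present."""
    out = []
    for line in lines:
        m = WRITE_RE.match(line)
        if not m or m.group(1) != "2":
            continue
        text = _unescape(m.group(2))
        if int(m.group(5)) < 0:
            continue  # failed write: nothing reached stderr
        elided = int(m.group(4)) - len(text) if m.group(3) else 0
        out.append(text if elided <= 0 else f"{text}<{elided} bytes elided>")
    return "".join(out)


@dataclass
class SspAbort:
    program: str
    function: str
    pid: Optional[int]
    last_peer: Optional[str]  # source of the last datagram received before the abort


def find_ssp_abort(trace: str) -> Optional[SspAbort]:
    """Return the SSP abort described by an strace capture, or None."""
    lines = [ln for ln in trace.splitlines() if ln.strip()]
    msg = SSP_MSG_RE.search(stderr_stream(lines))
    if not msg:
        return None
    pid = peer = None
    for line in lines:
        k = KILL_RE.match(line)
        if k:
            pid = int(k.group(1))
            break  # only peers seen before the abort are of interest
        p = PEER_RE.match(line)
        if p:
            peer = p.group(1)
    return SspAbort(msg.group("prog"), msg.group("fn"), pid, peer)


if __name__ == "__main__":
    print(find_ssp_abort(SAMPLE_STRACE))
```

The last peer address is recorded only to tie the abort to the request being served when it happened, which is what an incident note needs alongside the function name.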

------- Comment #4 From solar 2006-12-21 07:50:20 0000 -------
Somebody should compile this version with gcc -fbounds-checking aka
USE=boundschecking or newer gcc-4.x with mudflap. This is probably another
security problem showing itself in the query_find() function.

------- Comment #5 From Ben XO 2006-12-21 08:27:34 0000 -------
When I try to build bind-9.3.3 with the following:

rain ~ # CFLAGS="$CFLAGS -fbounds-checking" CXXFLAGS="$CXXFLAGS
-fbounds-checking"  emerge -va bind

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] net-dns/bind-9.3.3 [9.2.7] USE="berkdb threads -dlz -doc -idn
-ipv6 -ldap -mysql -odbc -postgres -resolvconf% (-selinux) -ssl (-bind-mysql%)"
0 kB


... build fails as shown...:

strip: i686-pc-linux-gnu-strip --strip-unneeded
   usr/lib/libisc.so.11.1.1
   usr/lib/libisccc.so.0.2.2
   usr/lib/libdns.so.22.0.7
   usr/lib/libisccfg.so.1.0.6
   usr/lib/libbind9.so.0.0.8
   usr/lib/liblwres.so.9.1.5
   usr/sbin/named
   usr/sbin/lwresd
   usr/sbin/rndc
   usr/sbin/rndc-confgen
   usr/sbin/dnssec-keygen
   usr/sbin/dnssec-signzone
   usr/sbin/named-checkconf
   usr/sbin/named-checkzone
   usr/lib/libisc.a
   usr/lib/libisccc.a
   usr/lib/libdns.a
   usr/lib/libisccfg.a
   usr/lib/libbind9.a
   usr/lib/liblwres.a
making executable: /usr/lib/libbind9.so.0.0.8
making executable: /usr/lib/libdns.so.22.0.7
making executable: /usr/lib/libisc.so.11.1.1
making executable: /usr/lib/libisccc.so.0.2.2
making executable: /usr/lib/libisccfg.so.1.0.6
making executable: /usr/lib/liblwres.so.9.1.5

QA Notice: the following files contain runtime text relocations
 Text relocations force the dynamic linker to perform extra
 work at startup, waste system resources, and may pose a security
 risk.  On some architectures, the code may not even function
 properly, if at all.
 For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 Please include this file in your report:
 /var/tmp/portage/bind-9.3.3/temp/scanelf-textrel.log
TEXTREL usr/lib/libisc.so.11.1.1
TEXTREL usr/lib/libisccc.so.0.2.2
TEXTREL usr/lib/libdns.so.22.0.7
TEXTREL usr/lib/libisccfg.so.1.0.6
TEXTREL usr/lib/libbind9.so.0.0.8
TEXTREL usr/lib/liblwres.so.9.1.5


!!! ERROR: net-dns/bind-9.3.3 failed.
Call stack:
  misc-functions.sh, line 417:   Called install_qa_check
  misc-functions.sh, line 164:   Called die

!!! Aborting due to QA concerns:  textrels,
!!! If you need support, post the topmost build error, and the call stack if
relevant.

!!! install_qa_check failed; exiting.

------- Comment #6 From Ben XO 2006-12-21 08:28:38 0000 -------
p.s @ solar: you can't use gcc4 on hardened profile yet.

------- Comment #7 From Christian Heim (RETIRED) 2006-12-21 10:30:10 0000 -------
(In reply to comment #6)
> p.s @ solar: you can't use gcc4 on hardened profile yet.

He didn't say anything to build gcc4 on hardened. He said someone should try to
emerge gcc4 with USE=mudflap :)

[ebuild   R   ] sys-devel/gcc-4.1.1-r1  USE="(-altivec) -bootstrap -build -doc
-fortran -gcj -gtk (-hardened) -ip28 -ip32r10k -mudflap (-multilib) -multislot
(-n32) (-n64) -nls -nocxx -objc -objc++ -objc-gc -test -vanilla"

------- Comment #8 From Jorge Nerin 2006-12-21 12:48:00 0000 -------
I'm having the same problem (amd64 hardened). I have tried disabling threads to
no avail, and finally I have something to tell: the error is this:

/usr/sbin/named -u named -n 1 -t /chroot/dns -g

21-Dec-2006 21:21:40.079 client 213.98.44.141#33170: view external: query: XXX
IN MX +
named: stack smashing attack in function query_find()

I have tried bind 9.3.3 with and without threads and I have found a solution:
you have to disable SSP. I have gcc:

# gcc --version
gcc (GCC) 3.4.6 (Gentoo Hardened 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)

I have tried adding this to the CFLAGS in make.conf; it works, whereas before it
died on the first query:
-fno-stack-protector-all -fno-stack-protector

I have also tried switching to x86_64-pc-linux-gnu-3.4.6-hardenednossp and it
also seems to work.

I don't like to disable ssp protection, but there was no way to make bind
stable using it. It seems that there is a bug in the SSP checking code of gcc
3.4.6.

I hope it helps.

------- Comment #9 From solar 2006-12-21 13:32:34 0000 -------
(In reply to comment #8)

> I don't like to disable ssp protection, but there was no way to make bind
> stable using it. It seems that there is a bug in the SSP checking code of gcc
> 3.4.6.

Do you have a reason for thinking the bug is in SSP vs this being a valid 
case when SSP is catching a real flaw in bind? 

------- Comment #10 From Jorge Nerin 2006-12-21 14:14:26 0000 -------
(In reply to comment #9)
> (In reply to comment #8)
> 
> > I don't like to disable ssp protection, but there was no way to make bind
> > stable using it. It seems that there is a bug in the SSP checking code of gcc
> > 3.4.6.
> 
> Do you have a reason for thinking the bug is in SSP vs this being a valid 
> case when SSP is catching a real flaw in bind? 
> 

No, I don't. I suspect it can be that way because there exists a bug 135265
that says gcc-3.x SSP fails with C++, bind is C, but it seems very unlikely to
me that there could be a bug in bind that triggers SSP with each and every
query I have tried. For me bind was able to answer exactly one query and it
would die just after answering.

I had bind-9.3.2-r4 running stable since Tue Nov  7 12:58:05 2006 until it was
updated to bind-9.3.3 yesterday.

------- Comment #11 From solar 2006-12-21 14:39:16 0000 -------
Can you try to debug this with gdb? We really don't want to filter ssp on such
an important service. http://www.gentoo.org/proj/en/qa/backtraces.xml

------- Comment #12 From Christian Heim (RETIRED) 2006-12-21 14:43:58 0000 -------
(In reply to comment #11)
> Can you try to debug this with gdb? We really dont want to filter ssp on such
> an important service. http://www.gentoo.org/proj/en/qa/backtraces.xml

I'm going to give it a try tomorrow.

------- Comment #13 From solar 2006-12-21 14:45:26 0000 -------
In addition. http://gentoo-wiki.com/SECURITY_Debugging_with_Hardened_Gentoo

------- Comment #14 From Jorge Nerin 2006-12-21 16:26:56 0000 -------
(In reply to comment #13)
> In addition. http://gentoo-wiki.com/SECURITY_Debugging_with_Hardened_Gentoo
> 

I have compiled it like this:

CFLAGS="-g3 -fno-pie -fno-stack-protector-all -nonow -norelro" LDFLAGS="-ggdb"
FEATURES="nostrip keepwork keeptemp" emerge -v bind

And it does not fail; among the recommended flags on the page above there is
-fno-stack-protector-all, and this seems to avoid the problem.

I have recompiled bind removing flags until I get down to:
CFLAGS="-g3" LDFLAGS="-ggdb" FEATURES="nostrip keepwork keeptemp" emerge -v
bind

And it does not fail. I'm almost convinced it's a bug somewhere and it doesn't
seem to be in bind. CFLAGS="" FEATURES="" emerge -v bind seems stable. The only
ones left are -O2 -pipe -march=athlon64, but these flags work without SSP.

SSP enabled:
CFLAGS="-O2 -pipe" fails
CFLAGS="-O -pipe" works
CFLAGS="-pipe -march=athlon64" works
CFLAGS="-O -pipe -march=athlon64" works

So far I have compiled bind 16 times and I will settle with the last one, now
bind has SSP enabled and the only change has been from -O2 to -O.

------- Comment #15 From Konstantin Arkhipov 2006-12-22 02:08:44 0000 -------
fyi: bind{,-tools}-9.{2.7,3.3} are masked now.

------- Comment #16 From Gabe Martin-Dempesy 2007-02-07 20:04:33 0000 -------
I experienced similar problems with the net-dns/bind-9.3.4 that was recently
released.  This *DEFINITELY* needs to get masked ASAP.  core files appeared in
/chroot/dns/var/bind/core.<pid> after about 4-5 seconds of running.  

Here's my emerge --info:
# emerge --info
Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5,
2.6.17-hardened-r1 i686)
=================================================================
System uname: 2.6.17-hardened-r1 i686 Intel(R) Xeon(TM) CPU 3.20GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 07 Feb 2007 04:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -pipe -O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium4 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://garlic.privatenet.mudbugmedia.com/gentoo-portage"
USE="x86 alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym
alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare
alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug
alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958
alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat
alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw
alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug
alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share
alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 bzip2 chroot clearpasswd
cli crypt curl dlloader elibc_glibc examples expat gd hardened hpn
input_devices_keyboard input_devices_mouse ipalias jpeg kernel_linux
lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk
lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb
lcd_devices_ncurses lcd_devices_text midi mpm-prefork multiuser munin-apache
mysql nls notlsbeforeauth nptl pam pcre pic png posix qmail readline ruby
sendfile session sftplogging spamassassin ssl symlink tcpd threads unicode
userland_GNU utf8 vchroot vhosts xml xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS


BIND is configured chrooted for me, and serving up about 440 zones.

------- Comment #17 From Konstantin Arkhipov 2007-02-08 14:34:10 0000 -------
Reassigning to hardened. I can't fix it myself in the near future, unfortunately.

------- Comment #18 From steveb 2007-02-10 14:06:18 0000 -------
I have the same issue with hardened and bind 9.3.4: stack smashing attack in
function query_find()

Bind 9.4.0_rc2 does not have the same issue. It just seg faults but no
additional message.

------- Comment #19 From Aidan Taniane 2007-02-11 13:25:37 0000 -------
I'm getting this bug as of bind-9.3.4 "stable", I couldn't figure out why my
network was going insane after rebooting the box (hardware fiddling and I
didn't restart any services for a day after the upgrade), anyway, after
checking the status of bind I found out that bind was dead (someone should
really get /etc/init.d/* status to check if $PID is still alive and well).  I
ran bind in the foreground and got the above mentioned SSA kill after the first
query was performed, did the same through gdb, did a query, got the same kill
message, but wasn't able to get a backtrace as the stack was 'empty'.

I had a quick look at ./bin/named/query.c, but the function is about 1,000
lines long with recursions, bitwise manips, and gotos littered everywhere, no
wonder SSP doesn't like that mess.

I'll try masking 9.3.4, downgrading and see what happens.

------- Comment #20 From Aidan Taniane 2007-02-11 13:50:29 0000 -------
All stable on 9.3.2.

------- Comment #21 From Konstantin Arkhipov 2007-02-13 20:34:50 0000 -------
*** Bug 166719 has been marked as a duplicate of this bug. ***

------- Comment #22 From Jorge Nerin 2007-02-14 08:00:27 0000 -------
I can confirm that net-dns/bind-9.3.4 also dies after the first answer, I had
to mask it and downgrade to net-dns/bind-9.3.2-r4 again.

I have not tried playing with CFLAGS as I did in Comment #14.

------- Comment #23 From Brian Kroth 2007-02-14 14:09:08 0000 -------
Just another post to confirm that 9.3.2-r4 works and 9.3.4 dies (chrooted or
not).

Here's my info:

bpkroth@systems2 ~ $ sudo emerge --info && sudo emerge bind -pv
Portage 2.1.2-r9 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened
i686)
=================================================================
System uname: 2.6.18-hardened i686 Intel(R) Xeon(TM) CPU 2.40GHz
Gentoo Base System version 1.12.6
Timestamp of tree: Wed, 14 Feb 2007 07:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/hotplug /etc/hotplug.d
/etc/init.d /etc/revdep-rebuild /etc/terminfo /etc/udev"
CXXFLAGS="-march=pentium4 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks
metadata-transfer parallel-fetch sandbox sfperms strict userfetch"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/
ftp://gentoo.chem.wisc.edu/gentoo/ http://gentoo.mirrors.tds.net/gentoo
ftp://gentoo.mirrors.tds.net/gentoo http://gentoo.osuosl.org/
ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/
http://distro.ibiblio.org/pub/linux/distributions/gentoo/
http://distfiles.gentoo.org"
MAKEOPTS="-j5"
PKGDIR="/mnt/build/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/mnt/build/portage"
PORTDIR_OVERLAY="/mnt/build/portage-local"
SYNC="rsync://tux-mc.hslc.wisc.edu/gentoo-portage"
USE="acl acpi apache2 bash-completion berkdb bzip2 caps chroot cracklib crypt
erandom fam gmp gpm hardened jpeg lm_sensors logrotate maildir mmx ncurses nls
nptl pam pcre perl pic png python readline smp snmp sse sse2 ssl syslog tcpd
threads vhosts x86 xattr xml xpm" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix
dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter
mulaw multi null plug rate route share shm softvol" ELIBC="glibc"
INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS


These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] net-dns/bind-9.3.4 [9.3.2-r4] USE="berkdb ssl threads -dlz -doc
-idn -ipv6 -ldap -mysql -odbc -postgres -resolvconf% (-selinux)" 0 kB 

Total: 1 package (1 upgrade), Size of downloads: 0 kB

------- Comment #24 From Mike Crute 2007-02-15 16:55:23 0000 -------
I'm seeing this with bind 9.3.4. I use -O3 which means you probably don't care
but I doubt this has anything to do with my cflags. Downgrading to 9.3.2-r4
fixed everything.

Portage 2.1.2-r9 (hardened/amd64, gcc-3.4.6, glibc-2.3.6-r5, 2.6.14-hardened-r8
x86_64)
=================================================================
System uname: 2.6.14-hardened-r8 x86_64 AMD Opteron(tm) Processor 144
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 15 Feb 2007 04:30:01 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distlocks metadata-transfer parallel-fetch
sandbox sfperms strict"
GENTOO_MIRRORS=" http://mirror.datapipe.net/gentoo http://gentoo.ccccom.com
ftp://212.219.56.162/sites/www.ibiblio.org/gentoo/ http://194.117.143.69"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb crypt hardened mysql ncurses pam python readline ssl
tcpd vhosts" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty
extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null
plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #25 From Jorge Nerin 2007-02-15 17:10:30 0000 -------
(In reply to comment #24)
> I'm seeing this with bind 9.3.4. I use -O3 which means you probably don't care
> but I doubt this has anything to do with my cflags. Downgrading to 9.3.2-r4
> fixed everything.
> 

If you see Comment #14, I compiled bind-9.3.3 16 times to find that downgrading
from -O2 to just -O fixed it. I don't know exactly which flag is causing bind
to fail; there are a bunch of them
(http://gcc.gnu.org/onlinedocs/gcc-3.4.6/gcc/Optimize-Options.html):

-O2 turns on all optimization flags specified by -O. It also turns on the
following optimization flags:
          -fforce-mem 
          -foptimize-sibling-calls 
          -fstrength-reduce 
          -fcse-follow-jumps  -fcse-skip-blocks 
          -frerun-cse-after-loop  -frerun-loop-opt 
          -fgcse  -fgcse-lm  -fgcse-sm  -fgcse-las 
          -fdelete-null-pointer-checks 
          -fexpensive-optimizations 
          -fregmove 
          -fschedule-insns  -fschedule-insns2 
          -fsched-interblock  -fsched-spec 
          -fcaller-saves 
          -fpeephole2 
          -freorder-blocks  -freorder-functions 
          -fstrict-aliasing 
          -funit-at-a-time 
          -falign-functions  -falign-jumps 
          -falign-loops  -falign-labels 
          -fcrossjumping

I did the debugging with bind 9.3.3 but the moment I saw bind 9.3.4 failing
again I masked it without trying to debug it again. I'm pretty sure that this
is a bug between SSP and some flag activated by -O2, you can try to change your
CFLAGS from -O3 to just -O and probably (I haven't tried with bind 9.3.4) it
will work fine.

------- Comment #26 From Aidan Taniane 2007-02-16 00:18:20 0000 -------
(In reply to comment #25)
> (In reply to comment #24)
> > I'm seeing this with bind 9.3.4. I use -O3 which means you probably don't care
> > but I doubt this has anything to do with my cflags. Downgrading to 9.3.2-r4
> > fixed everything.
> > 
> 
> If you see Comment #14 I compiled bind-9.3.3 16 times to find that downgrading
> from -O2 to just -O fixed it. I don't know exactly what flag is causing bind
> to fail; there are a bunch of them
> (http://gcc.gnu.org/onlinedocs/gcc-3.4.6/gcc/Optimize-Options.html):
> 
> -O2 turns on all optimization flags specified by -O. It also turns on the
> following optimization flags:
>           -fforce-mem 
>           -foptimize-sibling-calls 
>           -fstrength-reduce 
>           -fcse-follow-jumps  -fcse-skip-blocks 
>           -frerun-cse-after-loop  -frerun-loop-opt 
>           -fgcse  -fgcse-lm  -fgcse-sm  -fgcse-las 
>           -fdelete-null-pointer-checks 
>           -fexpensive-optimizations 
>           -fregmove 
>           -fschedule-insns  -fschedule-insns2 
>           -fsched-interblock  -fsched-spec 
>           -fcaller-saves 
>           -fpeephole2 
>           -freorder-blocks  -freorder-functions 
>           -fstrict-aliasing 
>           -funit-at-a-time 
>           -falign-functions  -falign-jumps 
>           -falign-loops  -falign-labels 
>           -fcrossjumping
> 
> I did the debugging with bind 9.3.3 but the moment I saw bind 9.3.4 failing
> again I masked it without trying to debug it again. I'm pretty sure that this
> is a bug between SSP and some flag activated by -O2, you can try to change your
> CFLAGS from -O3 to just -O and probably (I haven't tried with bind 9.3.4) it
> will work fine.
> 

It's just very bad code, gcc isn't doing anything it shouldn't.

On the other note, as bind 9.3.4 has shown serious memory issues/weaknesses, I
believe it should be hardmasked; unmasking it was probably a bad idea (especially
given that this bug is older than that event).  Just my opinion of course.

------- Comment #27 From RB 2007-02-18 22:26:29 0000 -------
I'm seeing the same thing with 9.4.0rc2 (silent failure + coredump) on
hardened-sources-2.6.19-r6.  However, it seems tied more to the kernel version
& configs than BIND version - I ran 9.3.2-r5 happily over hardened-2.6.17-r1
for several months, then upgraded to 9.4.0-r2 with no issues.  Only when I
rebooted to the 2.6.19 series (8 days later) am I seeing any issues.  Grsec
reports the following: "signal 11 sent to /usr/sbin/named".  It will give one
clean response for its own zones, then drops a core.

Not sure what else to add that everyone else hasn't - my PaX & Grsec options
are lit up like an X-mas scan.

------- Comment #28 From Brian Kroth 2007-02-19 21:33:10 0000 -------
cat /etc/portage/env/net-dns/bind-9.3.4 
CFLAGS="-march=pentium4 -pipe -fforce-addr"
CXXFLAGS="-march=pentium4 -pipe -fforce-addr"

emerge -1 =net-dns/bind-9.3.4

/etc/init.d/named restart

This is working for me right now.  I just took out the -O2 from the CFLAGS and
CXXFLAGS.  Simply -O did not work though.

------- Comment #29 From Guillaume Castagnino 2007-02-19 22:05:25 0000 -------
I confirm that disabling -O2/-O3 and setting only -O cflag solves the issue
with 9.3.4 and 9.4.0_rc2 bind. No more crash.
A replace-flags "-O?" "-O" should be a good thing, at least as a temporary
solution? This should be a good thing since it lets us solve the security issue
of bind on hardened systems...

------- Comment #30 From Cameron Brunner 2007-02-22 21:43:52 0000 -------
9.3.4 is evil, woke up to dns dead for no apparent reason then remembered that
I had a bug with this with 9.3.3 too. 9.3.4 masked for me, back to 9.3.2-r4

Portage 2.1.2-r10 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5,
2.6.19-hardened-r5 i686)
=================================================================
System uname: 2.6.19-hardened-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 22 Feb 2007 01:47:01 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.5, 1.6.3, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-Os -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.iinet.net.au/linux/Gentoo/
http://gentoo.osuosl.org/"
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/qmr-portage /usr/local/overlays/trac
/usr/portage/local/layman/php-testing
/usr/portage/local/layman/php-experimental
/usr/portage/local/layman/postgresql-testing /usr/portage/local/layman/xeffects
/usr/portage/local/layman/xeffects-experimental
/usr/portage/local/layman/webapps-experimental
/usr/portage/local/layman/postgresql-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 authdaemond bash-completion berkdb crypt fam glibc-omitfp graphviz
hardened idea imap ithreads jpeg jpeg2k logrotate maildir midi nptl nptlonly
pam pic rc5 readline ssl tcpd threads urandom valias vhosts x86 xorg zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS,
MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #31 From solar 2007-02-26 18:56:38 0000 -------
Well clearly we don't want to filter all our ssp. So how about we work around
this by doing something like the following in the ~arch ebuilds?

gcc-specs-ssp && replace-flags -O[23] -O

Can somebody that's hitting this also please try with -Os

------- Comment #32 From RB 2007-02-27 15:08:45 0000 -------
Created an attachment (id=111428)
Test zone file

Tested and proven on 9.4.0-rc2.  Compiled with -O2 exhibits the crashing
behavior, whereas with -Os does not.  Attaching tested zone file, core is 39M.

------- Comment #33 From RB 2007-02-27 15:18:29 0000 -------
PAX gave me more info this time, for whatever reason (kernel updated, different
machine)...

PAX: From 127.0.0.1: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/sbin/named(named):16119, uid/euid: 40/40, PC:
42756621, SP: 4e9e08a0
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-4: 42756621 4e9e08c0 000000ff 00000000 00000000 00000000
ffffffff ffffffff 00000000 155bc5ac 4e9e87e8 00000010 153c73f1 000001fc
4ea07aa8 00000088 00000001 153d5128 4ebf089f 000109ec 4d19e008

------- Comment #34 From Oliver Schinagl 2007-02-28 15:42:39 0000 -------
Don't want to be trolling or nothing, but why hasn't 9.3.4 been masked yet?

I just setup a new box (replacement for an older one) and it automagically
emerged bind 9.3.4. Bind didn't work on the new box, but did on the old box, so
after figuring out it was a version difference, and checking here, I masked
9.3.4.

This bug appears to be really old however (2 or 3 weeks now?) so why is 9.3.4
still out there on hardened?

------- Comment #35 From Andre Burgoyne 2007-03-06 21:42:52 0000 -------
I just got a crash using -Os (although it seemed to take longer than usual, but
that might just be coincidence).  I'm going to go back to just -O.

------- Comment #36 From Konstantin Arkhipov 2007-03-12 18:02:49 0000 -------
committed 9.3.4-r2 and 9.4.0-r2 wrt comment #31

------- Comment #37 From Konstantin Arkhipov 2007-03-12 18:08:58 0000 -------
...and 9.2.8-r2.

------- Comment #38 From RB 2007-03-22 00:34:07 0000 -------
A bit slow on the uptake, but I've done some minimal testing (re-ran my test
case) and this is coming up clean on 9.4.0-r2.  Tentatively clear from my POV.

------- Comment #39 From barthek 2007-03-22 10:01:59 0000 -------
*** Bug 165648 has been marked as a duplicate of this bug. ***

------- Comment #40 From Steve Arnold 2007-04-09 16:18:38 0000 -------
Not so clean with 9.3.4-r2 - I just went through this yesterday, rebuilt with
this version (the one that filters flags to just -O) and it still dies.  It
doesn't die right away, but after some time last night I had no more DNS (which
causes incoming mail to backup, etc).  I'm going back to 9.3.2 for now, but
that seems like a less than desirable work-around...

------- Comment #41 From Cory Coager 2007-08-23 13:04:35 0000 -------
Any progress on this?  There are two Security Advisories for bind now,
200702-06 and 200708-13, and this is preventing me from upgrading.

------- Comment #42 From RB 2007-08-23 13:14:03 0000 -------
AFAICT, since 9.4.0-r2 (comment #38) everything has been fine.  I have the
9.4.1 series running with zero issues - would say this is fixed.

------- Comment #43 From Lenno Nagel 2007-08-29 09:37:32 0000 -------
I also report this to seem resolved. I'm running bind-9.4.1_p1 on
2.6.14-hardened-r6 and it does not crash anymore. I tested
queries/notifies/transfers and everything seems healthy.

------- Comment #44 From Cory Coager 2007-10-05 15:56:28 0000 -------
I upgraded to bind-9.4.1_p1 and can confirm that it fixed the crash issue for
me also.

------- Comment #45 From Stefan Behte 2008-02-02 01:06:50 0000 -------
I guess this can get closed then.

------- Comment #46 From Tobias Scherbaum 2008-05-03 18:34:18 0000 -------
9.3.3 (and 9.2.7) have been removed.
