Bug 602264 - net-dns/ldns-utils memory corruption on `drill -x'
Summary: net-dns/ldns-utils memory corruption on `drill -x'
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Marc Schiffbauer
Reported: 2016-12-10 16:08 UTC by gentoo-user
Modified: 2017-12-02 09:19 UTC (History)

Attachments: Output of failing drill -x (file_602264.txt, 4.24 KB, text/plain), 2016-12-10 16:09 UTC, gentoo-user

Description gentoo-user 2016-12-10 16:08:22 UTC
When doing a reverse lookup on an argument that looks like an IPv6 address but contains too many octets, the process aborts with malloc(): memory corruption.
The memory corruption occurs both with 1.6.12 on a stable system and with 1.6.17 on a ~amd64 system.

i.e. `drill -x 2a01:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000' causes the abort. The output of the above command is attached.

Reporting here instead of upstream because the issue is not reproducible on FreeBSD (using the same version of drill) and the error seems to be in libc.
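The input that triggers the report is text that looks like an IPv6 address but carries 13 colon-separated groups instead of at most 8. Whatever code turns that text into a fixed-size binary address and then into a reverse name has to bound the number of groups it accepts; if it does not, the extra groups overrun the buffer, and glibc's malloc only notices the damaged heap metadata on a later allocation, which is why the abort surfaces far from the write. The following is an added example, not drill's or ldns's own code, showing a reverse-name builder that gets that bound for free by letting inet_pton() (a standard POSIX call that writes at most 16 bytes and rejects overlong text) do the parsing. The function names reverse_name and reverse_name_str are hypothetical, and the inputs in main() are constructed, the last one being the reporter's exact argument.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not drill's or ldns's code): turn an address string
 * into the name a PTR query would use.  Returns 0 and fills `out` on
 * success, -1 if the text is not a valid IPv4/IPv6 address or `out` is too
 * small.  inet_pton() does the parsing: it writes at most 16 bytes into
 * `buf` and returns 0 for text with too many groups, so overlong input can
 * never run past the fixed-size buffer.
 */
int reverse_name(const char *addr, char *out, size_t outlen)
{
    unsigned char buf[16];
    static const char hex[] = "0123456789abcdef";

    if (inet_pton(AF_INET, addr, buf) == 1) {
        /* d.c.b.a.in-addr.arpa. */
        int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa.",
                         (unsigned)buf[3], (unsigned)buf[2],
                         (unsigned)buf[1], (unsigned)buf[0]);
        return (n > 0 && (size_t)n < outlen) ? 0 : -1;
    }

    if (inet_pton(AF_INET6, addr, buf) == 1) {
        /* 32 nibbles, each followed by '.', then "ip6.arpa." and NUL: 74 bytes */
        size_t pos = 0;
        if (outlen < 74)
            return -1;
        for (int i = 15; i >= 0; i--) {
            out[pos++] = hex[buf[i] & 0x0f];   /* low nibble first, last byte first */
            out[pos++] = '.';
            out[pos++] = hex[buf[i] >> 4];
            out[pos++] = '.';
        }
        memcpy(out + pos, "ip6.arpa.", sizeof "ip6.arpa.");
        return 0;
    }

    return -1;   /* neither address family accepted the text */
}

/* Convenience wrapper: pointer to a static buffer on success, NULL on rejection. */
const char *reverse_name_str(const char *addr)
{
    static char out[128];
    return reverse_name(addr, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    /* constructed inputs; the last one is the reporter's 13-group argument */
    const char *inputs[] = {
        "192.0.2.1",
        "2001:db8::1",
        "2a01:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000",
    };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *name = reverse_name_str(inputs[i]);
        if (name)
            printf("%s -> %s\n", inputs[i], name);
        else
            printf("%s -> rejected (not a valid address)\n", inputs[i]);
    }
    return 0;
}
```

When chasing a report like this one, the frame in which glibc prints "malloc(): memory corruption" identifies the allocation that detected the damage, not the code that caused it; running the same command under valgrind or an AddressSanitizer build reports the out-of-bounds write at the point it happens, which is the frame worth sending upstream.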
Comment 1 gentoo-user 2016-12-10 16:09:13 UTC
Created attachment 455756
Output of failing drill -x
Comment 2 Marc Schiffbauer gentoo-dev 2016-12-18 01:59:14 UTC
So this is more likely a bug in glibc, no?
Comment 3 gentoo-user 2016-12-18 02:58:55 UTC
(In reply to Marc Schiffbauer from comment #2)
> So this is more likely a bug in glibc, no?

After running the failing command under gdb (with debug information) I get the following call stack:
#0  0x00007ffff73dc118 in raise () from /lib64/libc.so.6
#1  0x00007ffff73dd56a in abort () from /lib64/libc.so.6
#2  0x00007ffff7418b41 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff741e3d6 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff7420329 in _int_malloc () from /lib64/libc.so.6
#5  0x00007ffff7422174 in malloc () from /lib64/libc.so.6
#6  0x00007ffff7bb2a26 in ldns_rdf_new_frm_data () from /usr/lib64/libldns.so.1
#7  0x00007ffff7bbb779 in ldns_str2rdf_dname.part () from /usr/lib64/libldns.so.1
#8  0x00007ffff7bb2da8 in ldns_rdf_new_frm_str () from /usr/lib64/libldns.so.1
#9  0x000000000040540b in main ()

So the error is (probably) not actually in the libc, the longish call stack just confused me. Then again, since the issue doesn't occur on FreeBSD it might be in relation to the glibc malloc implementation.

To be honest, I wasn't sure where to report this issue and it was definitely ldns related so I reported it here in the hope that someone with more knowledge could figure out which upstream to forward it to.
Comment 4 Marc Schiffbauer gentoo-dev 2016-12-18 03:04:41 UTC
Ok, thank you. Would you mind reporting it to ldns upstream then? TIA
Comment 5 gentoo-user 2016-12-18 04:04:42 UTC
(In reply to Marc Schiffbauer from comment #4)
> Ok, thank you. Would you mind reporting it to ldns upstream then? TIA

Sure.

Upstream ticket here: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1192
Comment 6 gentoo-user 2016-12-21 02:05:08 UTC
The bug was fixed upstream and is in version 1.7.0 which was released yesterday.

As soon as that release hits the tree this can be closed.
Comment 7 Harri Nieminen (Moiman) 2017-12-02 09:19:26 UTC
Fixed with the following commit.

commit cae976164ebd9191be909cf57f40992760f6a04a
Author: Marc Schiffbauer <mschiff@gentoo.org>
Date:   Wed Dec 21 15:37:00 2016 +0100

    net-dns/ldns-utils: bump version
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1