Package: docker.io
Version: 19.03.7+dfsg1-1
Severity: critical
Tags: patch upstream
Justification: breaks unrelated software

Dear Maintainer,

The update to 19.03.7 led to a reproducible issue with docker shortly after starting the daemon:

Apr 20 14:30:27 fsn dockerd[488555]: panic: runtime error: invalid memory address or nil pointer dereference
Apr 20 14:30:27 fsn dockerd[488555]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x11 pc=0x55a05b5ac02b]
Apr 20 14:30:27 fsn dockerd[488555]: goroutine 2029 [running]:
Apr 20 14:30:27 fsn dockerd[488555]: github.com/docker/libnetwork.(*resolver).ServeDNS(0xc000e38380, 0x55a05cbea2c0, 0xc0014b94a0, 0xc0018bd5f0)
Apr 20 14:30:27 fsn dockerd[488555]: /build/docker.io-CrAKu8/docker.io-19.03.7+dfsg1/.gopath/src/github.com/docker/libnetwork/resolver.go:487 +0x79b
Apr 20 14:30:27 fsn dockerd[488555]: github.com/miekg/dns.(*Server).serveDNS(0xc000dab200, 0xc000c0f200, 0x21, 0x200, 0xc0014b94a0)
Apr 20 14:30:27 fsn dockerd[488555]: /build/docker.io-CrAKu8/docker.io-19.03.7+dfsg1/.gopath/src/github.com/miekg/dns/server.go:609 +0x2e2
Apr 20 14:30:27 fsn dockerd[488555]: github.com/miekg/dns.(*Server).serveUDPPacket(0xc000dab200, 0xc0011cf6b0, 0xc000c0f200, 0x21, 0x200, 0xc00020a7e0, 0xc000fa7c00)
Apr 20 14:30:27 fsn dockerd[488555]: /build/docker.io-CrAKu8/docker.io-19.03.7+dfsg1/.gopath/src/github.com/miekg/dns/server.go:549 +0xb4
Apr 20 14:30:27 fsn dockerd[488555]: created by github.com/miekg/dns.(*Server).serveUDP
Apr 20 14:30:27 fsn dockerd[488555]: /build/docker.io-CrAKu8/docker.io-19.03.7+dfsg1/.gopath/src/github.com/miekg/dns/server.go:479 +0x28c
Apr 20 14:30:27 fsn systemd[1]: docker.service: Main process exited, code=exited, status=2/INVALIDARGUMENT

Still testing out, but
https://github.com/SamWhited/libnetwork/commit/bea32b018c874ef35396ef46a3908ca0f9367d76
was merged in upstream, seems relevant and is part of upstream 19.03.8

So either apply that to 19.3.7 or update to 19.3.8?

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages docker.io depends on:
ii  adduser             3.118
ii  iptables            1.8.4-3
ii  libc6               2.30-4
ii  libdevmapper1.02.1  2:1.02.167-1+b1
ii  libltdl7            2.4.6-14
ii  libnspr4            2:4.25-1
ii  libnss3             2:3.51-1
ii  libseccomp2         2.4.3-1+b1
ii  libsystemd0         245.5-1
ii  lsb-base            11.1.0
ii  runc                1.0.0~rc10+dfsg1-1
ii  tini                0.18.0-1+b1

Versions of packages docker.io recommends:
ii  ca-certificates  20190110
ii  cgroupfs-mount   1.4
ii  git              1:2.26.1-1
ii  needrestart      3.5-1
ii  xz-utils         5.2.4-1+b1

Versions of packages docker.io suggests:
pn  aufs-tools                <none>
ii  btrfs-progs               5.6-1
ii  debootstrap               1.0.123
pn  docker-doc                <none>
ii  e2fsprogs                 1.45.6-1
pn  rinse                     <none>
ii  xfsprogs                  5.4.0-1
ii  zfsutils-linux [zfsutils] 0.8.3-2

-- no debconf information

>From bea32b018c874ef35396ef46a3908ca0f9367d76 Mon Sep 17 00:00:00 2001 From: Sam Whited <s...@samwhited.com> Date: Wed, 18 Mar 2020 12:06:23 -0400 Subject: [PATCH] Fixes a panic in the DNS resolver Under certain conditions it appears that the DNS response and returned error can be nil. When this happens, checking resp.Truncated results in a nil panic so we must first check that the response is not nil before checking if a truncated response was received. See moby/moby#40715 Signed-off-by: Sam Whited <s...@samwhited.com> --- resolver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resolver.go b/resolver.go index 7e02a37a5b..e32522a254 100644 --- a/resolver.go +++ b/resolver.go @@ -484,7 +484,7 @@ func (r *resolver) ServeDNS(w dns.ResponseWriter, query *dns.Msg) { resp, err = co.ReadMsg() // Truncated DNS replies should be sent to the client so that the // client can retry over TCP - if err != nil && !resp.Truncated { + if err != nil && (resp != nil && !resp.Truncated) { r.forwardQueryEnd() logrus.Debugf("[resolver] read from DNS server failed, %s", err) continue
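
Review bot: The new guard in ServeDNS, "if err != nil && (resp != nil && !resp.Truncated)", no longer takes the error branch when co.ReadMsg() fails with a nil response. With err != nil and resp == nil the parenthesised part is false, so r.forwardQueryEnd(), the debug log and the continue are all skipped and execution falls through with a nil resp as though the read had succeeded. The comment above the check says only truncated replies should be passed on, so the failure path should cover the nil case as well: "if err != nil && (resp == nil || !resp.Truncated)". Separately, the commit message describes resp and err both being nil; neither form of this condition catches that case because err == nil short-circuits it, so the code after this if, which is not visible in the hunk, needs its own nil check on resp before it is dereferenced.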