Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-28 Thread Christian Kujau
On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote:
> My workaround is to only call memset if the difference between buffer begin
> and buffer limit is bigger than the query length, thus it retains Simon's
> intent of clearing memory most of the time but avoids the SIGSEGV trampling.

Thanks, with your patch dnsmasq doesn't crash anymore when receiving odd 
EDNS packets from dnseval.

And thanks for requesting the CVE - I thought about this too, as the bug 
constitutes some kind of DoS issue, but since nobody else complained, I 
suspected it to be some variation of PEBKAC on my part :)

Christian.
-- 
BOFH excuse #247:

Due to Federal Budget problems we have been forced to cut back on the number of 
users able to access the system at one time. (namely none allowed)

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
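The guard Kevin describes above, written out as an added C example (not dnsmasq's own code): the length expression from the original `memset` call beside a guarded routine that only clears when the buffer really extends past the query. The buffer, the `limit == header` case (udp_size of 0) and the 40-byte query length are constructed from the gdb output quoted later in this thread; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the dnsmasq packet buffer: header points at the
 * start, limit is derived from the EDNS UDP payload size (4096 normally,
 * 0 in the crashing case). */
#define BUF_SIZE 4096

/* The length the unguarded expression computes. When limit sits at or
 * below header + qlen the subtraction goes negative and, converted to
 * size_t, becomes a huge value; that is the memset that walks off the
 * end of the buffer. This function only computes the length, it never
 * calls memset with it. */
size_t unguarded_clear_len(const char *header, const char *limit, size_t qlen)
{
    return (size_t)(limit - header) - qlen;
}

/* Guarded variant: clear the tail only if there is a tail to clear.
 * Returns the number of bytes zeroed (0 when the clear was skipped). */
size_t guarded_clear_tail(char *header, const char *limit, size_t qlen)
{
    if (limit <= header)              /* udp_size == 0 or bogus limit */
        return 0;
    size_t room = (size_t)(limit - header);
    if (room <= qlen)                 /* nothing beyond the request */
        return 0;
    memset(header + qlen, 0, room - qlen);
    return room - qlen;
}

/* Check that bytes [qlen, total) are zero and nothing before qlen was touched
 * is left to the caller; this only verifies the tail. */
int tail_is_zeroed(const char *header, size_t qlen, size_t total)
{
    for (size_t i = qlen; i < total; i++)
        if (header[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    static char buf[BUF_SIZE];
    memset(buf, 0x41, sizeof buf);    /* constructed leftover from a previous packet */
    size_t qlen = 40;                 /* n=40 as in the gdb session */

    /* Case 1: udp_size == 0, so limit == header (the crashing input). */
    printf("unguarded length with limit==header: %zu\n",
           unguarded_clear_len(buf, buf, qlen));
    printf("guarded clear with limit==header: %zu bytes\n",
           guarded_clear_tail(buf, buf, qlen));

    /* Case 2: normal limit = header + edns_pktsz. */
    printf("guarded clear with full buffer: %zu bytes\n",
           guarded_clear_tail(buf, buf + BUF_SIZE, qlen));
    printf("tail zeroed: %d, query bytes intact: %d\n",
           tail_is_zeroed(buf, qlen, BUF_SIZE), buf[qlen - 1] == 0x41);
    return 0;
}
```

The first case prints a length of roughly 2^64 - 40 on a 64-bit build, which is what the original expression hands to `memset`; the guarded routine reports 0 bytes cleared for it and 4056 bytes for the normal 4096-byte buffer, so the leak mitigation is kept whenever there is actually something to clear.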


Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-28 Thread Christian Kujau
On Mon, 28 Aug 2017, Christian Kujau wrote:
> On Mon, 28 Aug 2017, Kevin Darbyshire-Bryant wrote:
> > My workaround is to only call memset if the difference between buffer begin
> > and buffer limit is bigger than the query length, thus it retains Simon's
> > intent of clearing memory most of the time but avoids the SIGSEGV trampling.
> 
> Thanks, with your patch dnsmasq doesn't crash anymore when receiving odd 
> EDNS packets from dnseval.
> 
> And thanks for requesting the CVE - I thought about this too, as the bug 
> constitutes some kind of DoS issue, but since nobody else complained, I 
> suspected it to be some variation of PEBKAC on my part :)

Oh, I believe it was Juan Manuel requesting the CVE - thanks!

C.
-- 
BOFH excuse #247:

Due to Federal Budget problems we have been forced to cut back on the number of 
users able to access the system at one time. (namely none allowed)



Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-27 Thread Christian Kujau
On Sun, 27 Aug 2017, Christian Kujau wrote:
> > can u say what gdb says when u type
> > # frame 2
> > # print daemon->edns_pktsz
> 
> Hm, this doesn't work:

Hah, in another attempt this worked:

(gdb) frame 2
#2  0x0040d047 in receive_query (listen=listen@entry=0x8202c0, 
now=now@entry=1503822478) at forward.c:1433
1433  m = answer_request(header, ((char *) header) + udp_size, 
(size_t)n, 
(gdb) print daemon->edns_pktsz
$1 = 4096

This is from dnsmasq v2.77, cross-compiled for MIPS 24K and linked against 
musl, so it would run on my ar71xx type router (where I noticed the crash 
in the first place).

Christian.
-- 
BOFH excuse #185:

system consumed all the paper for paging



Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-27 Thread Christian Kujau
On Sun, 27 Aug 2017, AW wrote:
> m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, ...
> it seems like udp_size is 0, which causes memset to be called with weird 
> parameters, which causes the segmentation violation...
> so we should find out, what sets udp_size to 0...

See my other mail[0] that I sent a few minutes ago; it seems to be related to 
EDNS requests. These can be sent via TCP, so maybe that's why udp_size is 
set to 0.

> can u say what gdb says when u type
> # frame 2
> # print daemon->edns_pktsz

Hm, this doesn't work:


(gdb) frame 2
#2  0x5556cb86 in receive_query (listen=0x5579eeb0, now=1503819304) 
at forward.c:1433
1433  m = answer_request(header, ((char *) header) + udp_size, 
(size_t)n, 
(gdb) print daemon->edns_pktsz
Attempt to extract a component of a value that is not a structure pointer.


And m and udp_size are <optimized out>, n=40 - even though it's compiled 
with -Og -g.


Thanks for responding,
Christian.

[0] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011704.html
-- 
BOFH excuse #90:

Budget cuts



Re: [Dnsmasq-discuss] reproducible segmentation fault - bisected!

2017-08-27 Thread Christian Kujau
OK, so I should have done this in the first place and used git bisect to 
find out which commit in Dnsmasq introduced this behaviour:

 fa78573778cb23337f67f5d0c9de723169919047 is the first bad commit
 commit fa78573778cb23337f67f5d0c9de723169919047
 Author: Simon Kelley 
 Date:   Fri Jul 22 20:56:01 2016 +0100

Zero packet buffers before building output, to reduce risk
of information leakage.

The whole commit cannot be reverted cleanly now, but in my case reverting 
only the change to src/rfc1035.c did the trick (as it appears to have 
a problem there, see the GDB dump[0]). I've attached a patch as a 
temporary (!) workaround to this email.

However, commenting out this section is clearly not the correct solution;
maybe somebody can have another look at what this routine was supposed to
do here and try again.

For completeness' sake, I was curious to see what exactly dnseval[1] was
sending to Dnsmasq and why it would crash the dnsmasq process in the 
first place. So, this dnseval thingy is a Python script and in commit 
efeccef[2] ("Fix text alignment") they not only changed the "text alignment" 
but switched to sending EDNS queries too. Their EDNS routine was later 
modified again and its current version (v1.6.3) doesn't make dnsmasq crash 
- but their v1.4.0 does and that's the version that made it to the Debian 
distribution :-\


Thanks for listening,
Christian.

[0] https://paste.fedoraproject.org/paste/awbvnGEvj57ru1TtAuA3ag
[1] https://github.com/farrokhi/dnsdiag/blob/master/dnseval.py
[2] https://github.com/farrokhi/dnsdiag/commit/efeccef
-- 
BOFH excuse #72:

Satan did it

diff --git a/Makefile b/Makefile
index 73ea23e..be7ec72 100644
--- a/Makefile
+++ b/Makefile
@@ -24,8 +24,8 @@ MANDIR= $(PREFIX)/share/man
 LOCALEDIR = $(PREFIX)/share/locale
 BUILDDIR  = $(SRC)
 DESTDIR   = 
-CFLAGS= -Wall -W -O2
-LDFLAGS   = 
+CFLAGS= -Wall -W -Og -g -fstack-protector-strong -Wformat 
-Werror=format-security
+LDFLAGS   = -Wl,-z,relro
 COPTS = 
 RPM_OPT_FLAGS = 
 LIBS  = 
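Review bot: the CFLAGS/LDFLAGS change in this hunk is debug and hardening build configuration (-Og -g, -fstack-protector-strong, -Wl,-z,relro) unrelated to the segfault workaround, so it should be dropped from the patch or carried in a local override (the Makefile already exposes `COPTS` for that) rather than replacing the project defaults. As posted, the mail has also wrapped `-Werror=format-security` onto its own line, so `patch` will reject this hunk unless the `+CFLAGS=` line is rejoined first.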
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 26f5301..fb5e0fb 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1225,8 +1225,8 @@ size_t answer_request(struct dns_header *header, char 
*limit, size_t qlen,
 
   /* Clear buffer beyond request to avoid risk of
  information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-(limit - ((char *)header)) - qlen);
+//  memset(((char *)header) + qlen, 0, 
+//  (limit - ((char *)header)) - qlen);
   
   if (ntohs(header->ancount) != 0 ||
   ntohs(header->nscount) != 0 ||
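Review bot: commenting out the memset drops the information-leak mitigation entirely instead of fixing the length calculation; the gdb data in this thread (udp_size 0, n=40) points at `limit` ending up at or below `((char *)header) + qlen`, so `(limit - ((char *)header)) - qlen` goes negative and is passed to memset as a huge size_t. Suggest keeping the clear but guarding it, e.g. `if (limit > ((char *)header) + qlen) memset(((char *)header) + qlen, 0, limit - ((char *)header) - qlen);`, which is the workaround Kevin describes elsewhere in the thread, and delete the two `//` lines rather than leaving dead code in the source.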


Re: [Dnsmasq-discuss] reproducible segmentation fault

2017-08-25 Thread Christian Kujau
On Mon, 21 Aug 2017, AW wrote:
> i found something similar:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011691.html
> what happens, if u compile dnsmasq with -D_LARGEFILE_SOURCE 
> -D_FILE_OFFSET_BITS=64 ?

Sorry for the late reply. Unfortunately, adding these options 
doesn't help, dnsmasq is still crashing :-\

More ideas welcome :-)

Christian.
-- 
BOFH excuse #95:

Pentium FDIV bug



[Dnsmasq-discuss] reproducible segmentation fault

2017-08-21 Thread Christian Kujau
Hi,

while playing around with the "dnseval" tool from the dnsdiag package[0], 
I accidentally crashed my dnsmasq instance that was running on my router. 
This router is running Dnsmasq version 2.77 on a current LEDE operating 
system, where similar crashes have been reported in the past:

 > sending SIGSEGV to dnsmasq for invalid read access from 
 > https://bugs.lede-project.org/index.php?do=details&task_id=251
 
 > Intermittent SIGSEGV crash of dnsmasq-full
 > https://bugs.lede-project.org/index.php?do=details&task_id=766

However, both bugs were closed because they either were related to some 
busybox machinery errors or were pointing to the upstream project to look 
at this.

In the dnsmasq-discuss archives I found a thread from last year[1] with
a crash message that looked very much like the message I receive when 
dnsmasq crashes on the LEDE router:

===
kernel: [ 2860.890789] do_page_fault(): sending SIGSEGV to dnsmasq for invalid 
write access to 00552000
kernel: [ 2860.899402] epc = 77cd488c in libc.so[77c62000+92000]
kernel: [ 2860.904552] ra  = 00406c41 in dnsmasq[40+21000]
===

So, I tried to reproduce this scenario on a Debian/amd64 VM and 
compiled today's git checkout with -Og -g and used a fairly simple 
configuration file to start dnsmasq:

===
$ cat ~/test/dnsmasq.conf.bug
listen-address=192.168.56.130
bind-interfaces
no-daemon
no-hosts
no-resolv
log-queries=extra
server=8.8.8.8

$ sudo -H src/dnsmasq -C ~/test/dnsmasq.conf.bug
dnsmasq: started, version 2.78test2-6-g69a815a cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP 
DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: cleared cache

dnsmasq: 1 192.168.56.1/59405 query[A] www.aol.com from 192.168.56.1
Segmentation fault
===

The segfault happened after I started "dnseval" against this newly spawned 
dnsmasq instance. This "dnseval" thingy is described as:

  > dnseval: -  bulk ping utility that sends an arbitrary DNS query to
  > a list of DNS servers

Per default, "bulk" means it sends 10 requests to the DNS server, but 
dnsmasq segfaults pretty quickly:

  GDB output (still carries optimized out values, hm...)
  https://paste.fedoraproject.org/paste/awbvnGEvj57ru1TtAuA3ag

  tcpdump for this run:
  https://paste.fedoraproject.org/paste/X-9Qa67oKT-jlmpKb4IU7A

Ideas welcome :-)

Thanks,
Christian.

[0] https://github.com/farrokhi/dnsdiag
[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q3/010830.html
-- 
BOFH excuse #37:

heavy gravity fluctuation, move computer to floor rapidly
