[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
This bug was fixed in the package dnsmasq - 2.86-1.1ubuntu0.4

---
dnsmasq (2.86-1.1ubuntu0.4) jammy; urgency=medium

  * src/dnsmasq.h, src/domain-match.c: Fix confusion when using resolvconf
    servers (combining server|address for a domain), resulting in the
    struct server datastructure for server=/domain/# getting passed to
    forward_query(), rapidly followed by a SEGV. This fix makes
    server=/domain/# a fully fledged member of the priority list. The code
    added here is a cherry pick released in upstream version 2.87,
    originating at
    https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d69
    (LP: #2015562)

 -- Miriam España Acebal  Thu, 20 Apr 2023 11:00:27 +0200

** Changed in: dnsmasq (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/2015562

Title:
  [SRU] Segfault in dnsmasq when using certain static domain entries +
  DoH (bugfix possibly exists upstream)

Status in dnsmasq package in Ubuntu:
  Fix Released
Status in dnsmasq source package in Jammy:
  Fix Released

Bug description:
  [ Impact ]

  Some users may face an unpleasant segmentation fault if they combine
  configuration options like server=/domain/# with server|address=/domain/,
  since the domain matching functionality was rewritten in version 2.86.
  The special server address '#' means "use the standard servers". The SEGV
  occurs because the struct server data structure associated with it is
  passed to the forward_query() call without having been properly reserved
  and filled, since resolvconf servers did not belong to the priority list.

  Without resolving this, dnsmasq stops running due to the SEGV and
  (non-experienced) users might not notice it.

  [ Test Plan ]

  #0. Prepare a VM or container, i.e.:
  # lxc launch ubuntu-daily:jammy Jdnsmasq

  #1. Install dnsmasq
  # apt update && apt upgrade -y
  # apt install -y dnsmasq

  #2. Disable the systemd-resolved service and enable resolution through
  dnsmasq, configuring DNS servers through it.
  # systemctl disable --now systemd-resolved.service
  # rm -f /etc/resolv.conf
  # cat > /etc/resolv.conf << __EOF__
  nameserver 127.0.0.1
  __EOF__
  # echo "server=8.8.8.8" >> /etc/dnsmasq.conf
  (or edit the file to add it if you prefer)
  # (Optional) echo "log-queries" >> /etc/dnsmasq.conf
  # (Optional) echo "log-debug" >> /etc/dnsmasq.conf
  # systemctl start dnsmasq.service

  #3. Copy netflix-nov6.conf into /etc/dnsmasq.d/
  # cat > /etc/dnsmasq.d/netflix-nov6.conf << __EOF__
  # Null response on these domains
  server=/netflix.com/#
  address=/netflix.com/::
  server=/netflix.net/#
  address=/netflix.net/::
  server=/nflxext.com/#
  address=/nflxext.com/::
  server=/example.com/#
  address=/example.com/::
  __EOF__

  #4. Restart/reload dnsmasq
  # systemctl restart dnsmasq

  #5. Verify that dnsmasq resolves domains correctly:
  root@Jdnsmasq:~# dig +short -tA ubuntu.com @127.0.0.1
  185.125.190.21
  185.125.190.20
  185.125.190.29
  root@Jdnsmasq:~# dig +short -t ubuntu.com @127.0.0.1
  2620:2d:4000:1::28
  2620:2d:4000:1::26
  2620:2d:4000:1::27

  #6. Perform a type65 / HTTPS recordtype query for netflix.com towards
  the dnsmasq server twice:
  root@Jdnsmasq:~# dig A netflix.com @127.0.0.1

  ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48730
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; EDE: 23 (Network Error)
  ;; QUESTION SECTION:
  ;netflix.com.    IN  A

  ;; Query time: 23 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
  ;; WHEN: Wed Nov 15 16:46:19 UTC 2023
  ;; MSG SIZE  rcvd: 46

  root@Jdnsmasq-checking:~# dig A netflix.com @127.0.0.1
  ;; communications error to 127.0.0.1#53: timed out
  ;; communications error to 127.0.0.1#53: connection refused
  ;; communications error to 127.0.0.1#53: connection refused

  #7. Check logs to verify the segfault:
  # journalctl -u dnsmasq
  Apr 27 11:22:52 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
  Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
  Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: config error is REFUSED (EDE: network error)
  Apr 27 11:22:54 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
  Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
  Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'.

  [ Where problems could occur ]

  This cherry-picked commit from upstream incorporates a rewrite of the
  server priority list in the dnsmasq header file. Fortunately, those
  headers are not exported outside dnsmasq, so it cannot impact other
  third-party pieces of software. However, it does raise questions about
  the domain matching functionality that is being patched: could it affect
  in some way the other types of server placed on that list? Does anything
  change for the rest? In other words... is the domain matching
  functionality working as expected, without behavioral changes? This
  change is already in the latest version of dnsmasq, so we can suppose it
  is well tested. But, anyway, in the [Other Info] section I included some
  query examples for well-known domains, so we can be more confident with
  this change. Is true
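As an added illustration (not part of this bug report or of dnsmasq), the script below does two things a maintainer checking hosts for this crash would want: scan_config() flags every domain whose configuration pairs server=/domain/# with address=/domain/..., the combination named in [ Impact ], and scan_journal() finds the status=11/SEGV exit from step #7 of the Test Plan in journalctl output and reports the last query logged before it. The sample config and journal lines are copied from the Test Plan above; the function and class names are this example's own.

```python
"""Checks for the dnsmasq 2.86 crash tracked in LP: #2015562 (added example,
not part of the bug report or of dnsmasq; function names are my own):
  scan_config():  domains combining server=/domain/# with address=/domain/...
  scan_journal(): status=11/SEGV exits of dnsmasq.service paired with the
                  query logged just before each one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# 'dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1'
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[([^\]]*)\] (\S+) from (\S+)")
# systemd reporting the core dump of the main process
SEGV_RE = re.compile(r"dnsmasq\.service: Main process exited, code=dumped, status=11/SEGV")


def _split_domains(option_value: str) -> tuple[Optional[list[str]], Optional[str]]:
    """'/a/b/TARGET' -> (['a', 'b'], 'TARGET'); (None, None) for a plain
    'server=8.8.8.8' style value that is not scoped to a domain."""
    if not option_value.startswith("/"):
        return None, None
    parts = option_value.split("/")
    return [p.lower() for p in parts[1:-1] if p], parts[-1]


def scan_config(config_text: str) -> dict[str, list[str]]:
    """Return {domain: [address targets]} for every domain that has both a
    server=/domain/# line and at least one address=/domain/... line."""
    standard: set[str] = set()            # domains routed to the standard servers
    addresses: dict[str, list[str]] = {}  # domains given a static answer
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or full-line comment
        key, _, value = line.partition("=")
        if key not in ("server", "address"):
            continue
        domains, target = _split_domains(value)
        if domains is None:
            continue
        for domain in domains:
            if key == "server" and target == "#":
                standard.add(domain)
            elif key == "address":
                addresses.setdefault(domain, []).append(target)
    return {d: t for d, t in addresses.items() if d in standard}


@dataclass
class Crash:
    timestamp: str              # syslog-style 'Mon DD HH:MM:SS' prefix
    last_query: Optional[str]   # e.g. 'type=65 netflix.com from 127.0.0.1'


def scan_journal(journal_text: str) -> list[Crash]:
    """Walk journalctl -u dnsmasq output and pair each SEGV exit with the
    most recent query line, as step #7 of the Test Plan shows."""
    crashes: list[Crash] = []
    last_query: Optional[str] = None
    for line in journal_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_query = f"{m.group(1)} {m.group(2)} from {m.group(3)}"
        elif SEGV_RE.search(line):
            crashes.append(Crash(timestamp=line[:15], last_query=last_query))
            last_query = None             # systemd starts a fresh process next
    return crashes


# Copied from the Test Plan: /etc/dnsmasq.d/netflix-nov6.conf
TEST_PLAN_CONFIG = """\
# Null response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/example.com/#
address=/example.com/::
"""

# Copied from step #7 of the Test Plan (journalctl -u dnsmasq, before the fix)
TEST_PLAN_JOURNAL = """\
Apr 27 11:22:52 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 27 11:22:54 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
"""

if __name__ == "__main__":
    for domain, targets in scan_config(TEST_PLAN_CONFIG).items():
        print(f"server=/{domain}/# is combined with address=/{domain}/{','.join(targets)}")
    for crash in scan_journal(TEST_PLAN_JOURNAL):
        print(f"{crash.timestamp}: dnsmasq SEGV; last query: {crash.last_query}")
```

On a real host, feed scan_config() the concatenation of /etc/dnsmasq.conf and /etc/dnsmasq.d/* and scan_journal() the output of journalctl -u dnsmasq.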
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Hey, while passing by I admit I only looked at the test plan and tried to get this moving by executing it.
Thanks for hinting at these further things to check ...

I still had the environment around

root@Jdnsmasq:~# apt-cache policy dnsmasq
dnsmasq:
  Installed: 2.86-1.1ubuntu0.4
  Candidate: 2.86-1.1ubuntu0.4

That resolved well, asking the configured dns (8.8.8.8 in my case) and returning a proper answer.

root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65
root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65
root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65

Since the original issue was about repeating queries (in other context and situation) I ran it a few times.

The log (we still have verbose logging enabled from the first test) shows the forward resolving just as expected:

Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: query[A] www.thekelleys.org.uk from 127.0.0.1
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: forwarded www.thekelleys.org.uk to 8.8.8.8
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: reply www.thekelleys.org.uk is
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: reply thekelleys.org.uk is 85.119.82.65

---

Now dnsmasq's version of a static entry

root@Jdnsmasq:~# echo "address=/domain/1.2.3.4" >> /etc/dnsmasq.conf
root@Jdnsmasq:~# systemctl restart dnsmasq
root@Jdnsmasq:~# dig +short A domain
1.2.3.4

---

Since I had that running over night I also see in the verbose logs all kind of expected background action and all that worked as well.
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
"Where problems could occur" says "...in [Other Info] section I included some query examples for well-known domains, so we can be more confident with this change", but I don't see these carried out as part of the SRU verification.

Admittedly they weren't documented as part of the Test Plan, but if that's the case, why weren't they? Or, if they were intended to be part of the Test Plan, then presumably these tests should be performed before we release this update?

Status in dnsmasq package in Ubuntu: Fix Released
Status in dnsmasq source package in Jammy: Fix Committed
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Verifying according to the instructions - Before the update I got this as expected:

root@Jdnsmasq:~# dig A netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

Jan 02 11:13:01 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Jan 02 11:13:01 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'.

---

Upgrade

...
Preparing to unpack .../12-dnsmasq-base_2.86-1.1ubuntu0.4_amd64.deb ...
Unpacking dnsmasq-base (2.86-1.1ubuntu0.4) over (2.86-1.1ubuntu0.3) ...
Preparing to unpack .../13-dnsmasq_2.86-1.1ubuntu0.4_all.deb ...
Unpacking dnsmasq (2.86-1.1ubuntu0.4) over (2.86-1.1ubuntu0.3) ...
...

worked without issues

---

root@Jdnsmasq:~# systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-01-02 11:18:03 UTC; 3s ago
    Process: 4327 ExecStartPre=/etc/init.d/dnsmasq checkconfig (code=exited, status=0/SUCCESS)
    Process: 4335 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
    Process: 4344 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
   Main PID: 4343 (dnsmasq)
      Tasks: 1 (limit: 38247)
     Memory: 588.0K
        CPU: 45ms
     CGroup: /system.slice/dnsmasq.service
             └─4343 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bb>

Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: reading /etc/resolv.conf
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using nameserver 8.8.8.8#53
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: ignoring nameserver 127.0.0.1 - local interface
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for example.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for nflxext.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.net
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: read /etc/hosts - 7 addresses
Jan 02 11:18:03 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

---

Trying the issue trigger again:

root@Jdnsmasq:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.29
185.125.190.20
185.125.190.21
root@Jdnsmasq:~# dig +short -t ubuntu.com @127.0.0.1
2620:2d:4000:1::27
2620:2d:4000:1::28
2620:2d:4000:1::26

root@Jdnsmasq:~# dig A netflix.com @127.0.0.1

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63180
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;netflix.com.    IN  A

;; ANSWER SECTION:
netflix.com.  60  IN  A  18.200.8.190
netflix.com.  60  IN  A  54.155.246.232
netflix.com.  60  IN  A  54.73.148.110

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jan 02 11:18:36 UTC 2024
;; MSG SIZE  rcvd: 88

root@Jdnsmasq:~# dig A netflix.com @127.0.0.1

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29034
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;netflix.com.    IN  A

;; ANSWER SECTION:
netflix.com.  52  IN  A  54.73.148.110
netflix.com.  52  IN  A  54.155.246.232
netflix.com.  52  IN  A  18.200.8.190

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jan 02 11:18:44 UTC 2024
;; MSG SIZE  rcvd: 88

---

working fine now, no segfault
log only has the start:
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile

---

Setting as verified

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Hello Gordon, or anyone else affected,

Accepted dnsmasq into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dnsmasq/2.86-1.1ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: dnsmasq (Ubuntu Jammy)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy

Status in dnsmasq package in Ubuntu: Fix Released
Status in dnsmasq source package in Jammy: Fix Committed
Re: [Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
On Friday, December 08 2023, Timo Aaltonen wrote:

> man/dnsmasq.8.orig | 2582 +
>
> this must be a leftover from applying the commit?

Hm, I don't see this difference. In fact, if I look at the dnsmasq package that's currently shipped in Jammy, man/dnsmasq.8.orig already exists there.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Status in dnsmasq package in Ubuntu: Fix Released
Status in dnsmasq source package in Jammy: In Progress
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
man/dnsmasq.8.orig | 2582 +

this must be a leftover from applying the commit?

Status in dnsmasq package in Ubuntu: Fix Released
Status in dnsmasq source package in Jammy: In Progress