[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Double checked we were right with the proposed patch (some misconfiguration happened in our last tests)... so proceeding further with the SRU. ** Description changed: + [ Impact ] + + Some users may face an unpleasant segmentation fault if they combine configurations options like + server=/domain/# with server|address=/domain/ since the domain matching functionality was rewritten in + version 2.86. + + The special server address ’#’ means "use the standard servers". The SEGV occurs due to the struct server + datastructure associated with it is passed to forward_query() call without been properly reserved and filled + due to resolvconf servers didn't belong to the priority list. + + Without resolving this, dnsmasq stops running due to the SEGV and (non- + experienced) users might not notice it. + + + [ Test Plan ] + + #0.Prepare a VM or Container. i.e: + # lxc launch ubuntu-daily:jammy Jdnsmasq + + #1. Install dnsmasq + # apt update && apt upgrade -y + # apt install -y dnsmasq + + #2. Disable systemd-resolved service and enabling resolution through + dnsmasq, configuring DNS servers through it. + + # systemctl disable --now systemd-resolved.service + # rm -f /etc/resolv.conf + # cat > /etc/resolv.conf << __EOF__ + nameserver 127.0.0.1 + __EOF__ + # echo "server=8.8.8.8" >> /etc/dnsmasq.conf (or edit the file to add it if you prefer) + # (Optional) echo "log-queries" >> /etc/dnsmasq.conf + # (optional) echo "log-debug" >> /etc/dnsmasq.conf + # systemctl start dnsmasq.service + + 3. Copy netflix-nov6.conf into /etc/dnsmasq.d/ + # cat > /etc/dnsmasq.d/netflix-nov6.conf << __EOF__ + # Null response on these domains + server=/netflix.com/# + address=/netflix.com/:: + server=/netflix.net/# + address=/netflix.net/:: + server=/nflxext.com/# + address=/nflxext.com/:: + server=/example.com/# + address=/example.com/:: + __EOF__ + + #4. Restart/reload dnsmasq + # systemctl restart dnsmasq + + #5. Verify that dnsmasq resolves domains correctly: + + root@Jdnsmasq:~# dig +short -tA ubuntu.com @127.0.0.1 + 185.125.190.21 + 185.125.190.20 + 185.125.190.29 + root@Jdnsmasq:~# dig +short -t ubuntu.com @127.0.0.1 + 2620:2d:4000:1::28 + 2620:2d:4000:1::26 + 2620:2d:4000:1::27 + + #6. Perform a type65 / HTTPS recordtype query for netflix.com towards + the dnsmasq server twice: + + root@Jdnsmasq:~# dig A netflix.com @127.0.0.1 + + ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1 + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48730 + ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags:; udp: 1232 + ; EDE: 23 (Network Error) + ;; QUESTION SECTION: + ;netflix.com. IN A + + ;; Query time: 23 msec + ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) + ;; WHEN: Wed Nov 15 16:46:19 UTC 2023 + ;; MSG SIZE rcvd: 46 + + root@Jdnsmasq-checking:~# dig A netflix.com @127.0.0.1 + ;; communications error to 127.0.0.1#53: timed out + ;; communications error to 127.0.0.1#53: connection refused + ;; communications error to 127.0.0.1#53: connection refused + + #7. Check logs to verify segfault: + # journalctl -u dnsmasq + + Apr 27 11:22:52 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. + Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 + Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: config error is REFUSED (EDE: network error) + Apr 27 11:22:54 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 + Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV + Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'. + + + [ Where problems could occur ] + + This cherry picked commit from upstream incorporates a rewrite of the server priority list in the dnsmasq header file. + Fortunately, that headers are not exported outside dnsmasq, so it cannot impact other third-party pieces of software. + However, it can lend to think about the matching domain functionality that is being patched: could it be affect in + some way to other types of server displaced on that list? Does anything change for the rest? In other words... Is the + matching domain functionality working as expected, without behavioral changes? + + This change is supported yet in lastest version of dnsmasq, so we can suppose it is well tested. But, anyway, in + [Other Info] section I included some query examples for well-known domains, so we can be more confident with this change. + Is true that there is always room for disruption in the way the domain queries are answered due to this kind of changes: that's + the situation on which problems can occur (in this case, mistmached domain: then, yes, it can affect other third parties that uses dnsmasq). + + Could another SEGV situation happen attending to this matching domain
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
The DEP-8 tests will be more suitable to be submitted to the development version, so I'll split them from here. While working on a more specific test for this instead of the ones submitted for review, Sergio discovered that the error wasn't enough reproducible with the following netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: It needs another double line of server/address: with that, we always get the segmentation fault. The bad news are that the proposed patch doesn't mitigate the error... so it would need another change introduced in upper versions. Looking for that change now. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Hi again, I'm working on a set of DEP-8 tests to check the matching domain functionality modified by this change that fixes the issue to make a stronger SRU submission. Also, I could cover bug LP#1677827. I found a DEP8 proposal on Debian at https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1034135, and I'm using it as a starting point (to avoid the maximum diverge, in case it would be accepted in the future). ** Bug watch added: Debian Bug tracker #1034135 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034135 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Merge proposal linked: https://code.launchpad.net/~mirespace/ubuntu/+source/dnsmasq/+git/dnsmasq/+merge/442007 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to:
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Kinetic and Jammy packages are pretty much the same: https://paste.ubuntu.com/p/S39n5Yy9gT/ -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions --
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Hi Gordon, I prepared a package with the fix, as suggested by Bryce. Would you be so kind as to test it and share your results? The package is in the following PPA: https://launchpad.net/~mirespace/+archive/ubuntu/dnsmasq-lp2015562 I could check that the SIGSEV scenario goes away with the fix (thanks, Sergio, for the help and extra pair of eyes on checking the setup for the steps to reproduce!). A curious thing to me is that the error is not present in Kinetic, but Kinetic and Jammy share the same upstream version: 2.86-1.1. I'm taking a look at the ubuntu modifications that are different between them to see if we can narrow it down to the bits that make it possible, and maybe that would be more feasible to be SRUed to Jammy. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Changed in: dnsmasq (Ubuntu Jammy) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: In Progress Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list:
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Kinetic doesn't seem to be affected. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: Triaged Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
I see that Miriam will work on this one (thanks!). I was able to reproduce the issue (thank you Gordon for the great bug description), and confirmed that it manifests on Jammy but is fixed in Lunar. I'm trying to reproduce it on Kinetic; will update the bug with results once I have them. ** Also affects: dnsmasq (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: dnsmasq (Ubuntu Jammy) Status: New => Triaged ** Changed in: dnsmasq (Ubuntu Jammy) Assignee: (unassigned) => Miriam España Acebal (mirespace) ** Changed in: dnsmasq (Ubuntu) Status: New => Fix Released ** Changed in: dnsmasq (Ubuntu) Assignee: Miriam España Acebal (mirespace) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: Triaged Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Changed in: dnsmasq (Ubuntu) Assignee: (unassigned) => Miriam España Acebal (mirespace) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to :
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe :
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Thanks for reporting the bug with steps to reproduce, and identifying a possible patch from upstream. On a cursory glance, the upstream commit is longer than we usually want for SRU purposes, so I'm not sure it's going to qualify for SRU as is. The patch includes some refactoring changes but I'm not sure if untangling those would necessarily shorten the patch much. But should be straightforward to at least add the patched package to a PPA for you to check, and we can decide from there. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. --
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe :
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Patch added: "Proposed commit from upstream suggested as possible fix" https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+attachment/5664796/+files/fix_segfault_combining_hash_server_with_address.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to:
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Description changed: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). - I also have a static domain entry to serve NXDOMAIN for `use- - application-dns.net`, signalling application not to use DoH (attached as - dns-no-doh.conf). This is done to prevent applications from using DoH to - bypass my local DNS server (and lose the ability to block ads). - Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be - reproduced reliably, and always occurs after one or a few TYPE65 queries + reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - - 2. Copy netflix-nov6.conf and dns-no-doh.conf into /etc/dnsmasq.d/ + - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -t ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: - - - dns-no-doh.conf: - ## Prevent well-behaving applications from using DoH - server=/use-application-dns.net/ - - -- You received this
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
After further testing, I can also see the crash occurs without with the `dns-no-doh.conf` config snippet loaded, even for a regular `A` record (so the TYPE65 query is also a red herring): root@budgie:~# dig +short -tA test.netflix.net @127.0.0.1 root@budgie:~# dig +short -tA test.netflix.net @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached root@budgie:~# journalctl -fu dnsmasq ... Apr 07 14:53:50 budgie dnsmasq[116972]: query[A] occ-0-4415-3211.1.nflxso.net from 127.0.0.1 Apr 07 14:53:50 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:53:50 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. This further makes me think the commit I linked in my initial bug report is indeed the fix for this segfault. The reproduction steps can be narrowed down to only using the netflix- nov6.conf configuration snippet, and performing a simple A record query on the subdomain of any of the domains listed in the snippet. Coredump attached of the segfault during this simplified repro. ** Attachment added: "_usr_sbin_dnsmasq.0.crash" https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+attachment/5661981/+files/_usr_sbin_dnsmasq.0.crash ** Description changed: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). I also have a static domain entry to serve NXDOMAIN for `use- application-dns.net`, signalling application not to use DoH (attached as dns-no-doh.conf). This is done to prevent applications from using DoH to bypass my local DNS server (and lose the ability to block ads). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few TYPE65 queries towards the "blocked" domain entries. - I found a commit message which seems to fix this issue, which made it into 2.87: + I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! -- $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: - Installed: 2.86-1.1ubuntu0.2 - Candidate: 2.86-1.1ubuntu0.2 - Version table: - *** 2.86-1.1ubuntu0.2 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages - 100 /var/lib/dpkg/status - 2.86-1.1ubuntu0.1 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages - 2.86-1.1 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages + Installed: 2.86-1.1ubuntu0.2 + Candidate: 2.86-1.1ubuntu0.2 + Version table: + *** 2.86-1.1ubuntu0.2 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages + 100 /var/lib/dpkg/status + 2.86-1.1ubuntu0.1 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages + 2.86-1.1 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages -- Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for