[Dnsmasq-discuss] DNSSEC validation causes SIGSEGV by strcpy from 0x0

Alex Xu alex_y_xu at yahoo.ca
Tue Mar 25 22:46:28 UTC 2014


I am using the Firefox DNSSEC Validator addon, so perhaps that queries
in a peculiar fashion.

Dnsmasq is installed locally, only handles DNS, and has servers
configured through resolvconf. Servers are 8.8.4.4 and 74.82.42.42. Note
that the former is DNSSEC-compliant, whereas the latter passes through
DNSSEC records but does not support DNSSEC itself.

On 25/03/14 06:34 PM, Simon Kelley wrote:
> Thanks for that. The immediate fix is obvious, but I'm not sure why
> it's executing that code for that query. Could you share a little more
> of your configuration? What upstream server are you using?
> 
> Thinking about this made me look at the analogous code for TCP,
> which may take a little while to sort out :(
> 
> Cheers,
> 
> Simon.
> 
> On 25/03/14 21:54, Alex Xu wrote:
>> *some* requests cause dnsmasq to segfault in DNSSEC code in both
>> 2.69rc1 and git master:
> 
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>> (gdb) bt
>> #0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>> #1  0x000000000041864f in strcpy (__src=0x0, __dest=0x44b210 "org") at /usr/include/bits/string3.h:104
>> #2  send_check_sign (now=1395783172, header=<optimized out>, plen=<optimized out>, name=<optimized out>, keyname=0x44b210 "org") at forward.c:1331
>> #3  0x00000000004183df in reply_query (fd=<optimized out>, family=<optimized out>, now=now@entry=1395783172) at forward.c:823
>> #4  0x000000000041b38c in check_dns_listeners (set=set@entry=0x7fffffffe370, now=now@entry=1395783172) at dnsmasq.c:1431
>> #5  0x000000000041caac in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:951
> 
>> The chances of this being exploitable are low as it is a NULL 
>> dereference, but it is still a possible DoS attack.
> 
>> Also reproduced with -O0:
> 
>> (gdb) bt
>> #0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>> #1  0x000000000041e1ae in send_check_sign (now=1395783599, header=0x45b200, plen=71, name=0x45a010 "www.dnssec-failed.org", keyname=0x45c210 "org") at forward.c:1331
>> #2  0x000000000041cf20 in reply_query (fd=11, family=2, now=1395783599) at forward.c:823
>> #3  0x0000000000425da0 in check_dns_listeners (set=0x7fffffffe240, now=1395783599) at dnsmasq.c:1431
>> #4  0x0000000000424c9a in main (argc=2, argv=0x7fffffffe688) at dnsmasq.c:951
>> (gdb) select-frame 1
>> (gdb) print name_start
>> $1 = 0x0
> 
> 
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


