[Dnsmasq-discuss] DNSSEC validation causes SIGSEGV by strcpy from 0x0

Simon Kelley simon at thekelleys.org.uk
Tue Mar 25 22:59:53 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/03/14 22:46, Alex Xu wrote:
> I am using the Firefox DNSSEC Validator addon, so perhaps that
> queries in a peculiar fashion.
> 
> Dnsmasq is installed locally, only handles DNS, and has servers 
> configured through resolvconf. Servers are 8.8.4.4 and 74.82.42.42.
> Note that the former is DNSSEC-compliant, whereas the latter passes
> through DNSSEC records but does not support DNSSEC itself.

At least from here, 74.82.42.42 does not include DNSSEC records in
answers, and is therefore not suitable for use with dnsmasq in DNSSEC
validation mode.

That certainly explains the observations: the answer is coming back
unsigned, and dnsmasq (with --dnssec-check-unsigned) is searching in
vain for DS records indicating that's OK. The bug is that it doesn't
stop when it gets back to the root.

I'll push some fixes for this tomorrow.

Cheers,

Simon.



> 
> On 25/03/14 06:34 PM, Simon Kelley wrote:
>> Thanks for that. The immediate fix is obvious, but I'm not sure
>> why it's executing that code for that query. Could you share a
>> little more of your configuration? What upstream server are you
>> using?
>> 
>> Thinking about this made me look at the analogous code for
>> TCP, which may take a little while to sort out :(
>> 
>> Cheers,
>> 
>> Simon.
>> 
>> On 25/03/14 21:54, Alex Xu wrote:
>>> *some* requests cause dnsmasq to segfault in DNSSEC code in
>>> both 2.69rc1 and git master:
>> 
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>>> (gdb) bt
>>> #0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>>> #1  0x000000000041864f in strcpy (__src=0x0, __dest=0x44b210 "org") at /usr/include/bits/string3.h:104
>>> #2  send_check_sign (now=1395783172, header=<optimized out>, plen=<optimized out>, name=<optimized out>, keyname=0x44b210 "org") at forward.c:1331
>>> #3  0x00000000004183df in reply_query (fd=<optimized out>, family=<optimized out>, now=now@entry=1395783172) at forward.c:823
>>> #4  0x000000000041b38c in check_dns_listeners (set=set@entry=0x7fffffffe370, now=now@entry=1395783172) at dnsmasq.c:1431
>>> #5  0x000000000041caac in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:951
>> 
>>> The chances of this being exploitable are low as it is a NULL 
>>> dereference, but it is still a possible DoS attack.
>> 
>>> Also reproduced with -O0:
>> 
>>> (gdb) bt
>>> #0  0x00000034a92934e7 in __strcpy_sse2_unaligned () from /lib64/libc.so.6
>>> #1  0x000000000041e1ae in send_check_sign (now=1395783599, header=0x45b200, plen=71, name=0x45a010 "www.dnssec-failed.org", keyname=0x45c210 "org") at forward.c:1331
>>> #2  0x000000000041cf20 in reply_query (fd=11, family=2, now=1395783599) at forward.c:823
>>> #3  0x0000000000425da0 in check_dns_listeners (set=0x7fffffffe240, now=1395783599) at dnsmasq.c:1431
>>> #4  0x0000000000424c9a in main (argc=2, argv=0x7fffffffe688) at dnsmasq.c:951
>>> (gdb) select-frame 1
>>> (gdb) print name_start
>>> $1 = 0x0
>> 
>> 
>> 
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMyCmkACgkQKPyGmiibgrdN9wCeJk2mALEXQ8IRt2H70M+EoRvn
YSIAoIYgWdVdEZQu4sbE1E3P6Mx4isU3
=zRj/
-----END PGP SIGNATURE-----
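
The thread describes a DS-record walk that keeps climbing after it reaches the root, so the "parent name" pointer (name_start in the second backtrace) is NULL by the time strcpy() copies it into keyname. The following is an added illustration of that termination condition, written for this page; it is not dnsmasq's code and does not reproduce its send_check_sign() logic. parent_name(), has_ds_record(), the zone table and the keyname buffer are all constructed for the example, and has_ds_record() stands in for a real DS query so the code runs offline.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration (not dnsmasq code) of the failure mode in the
 * backtrace: a loop walks a name upward label by label looking for a zone
 * with a DS record, copying each candidate into a fixed "keyname" buffer.
 * If the walk is allowed to continue past the root, the parent pointer
 * becomes NULL and strcpy() is handed a NULL source. The loop condition in
 * signed_ancestor() is what stops that.
 */

/* Return the parent of `name` ("www.example.org" -> "example.org" -> "org"
 * -> "" for the root), or NULL when `name` is already the root. */
static const char *parent_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || strcmp(name, ".") == 0)
        return NULL;                       /* at the root: nothing above it */

    const char *dot = strchr(name, '.');
    if (dot == NULL || dot[1] == '\0')
        return "";                         /* single label: parent is the root */
    return dot + 1;
}

/* Hypothetical DS oracle. A resolver would issue a DS query here; this
 * constructed table stands in for it so the example runs offline. The root
 * is deliberately absent: it is the trust anchor and has no DS above it,
 * which is exactly why the walk must terminate there. */
static int has_ds_record(const char *zone)
{
    static const char *const zones_with_ds[] = { "org", "com", NULL };
    for (size_t i = 0; zones_with_ds[i] != NULL; i++)
        if (strcmp(zone, zones_with_ds[i]) == 0)
            return 1;
    return 0;
}

/* Constructed stand-in for the keyname buffer seen in the backtrace. */
static char keyname[256];

/* Walk from `name` toward the root and return the nearest ancestor zone that
 * has a DS record (copied into keyname), or NULL if the root is reached
 * without finding one. strcpy() is never called with a NULL source. */
static const char *signed_ancestor(const char *name)
{
    keyname[0] = '\0';
    for (const char *cur = name; cur != NULL; cur = parent_name(cur)) {
        if (strlen(cur) >= sizeof keyname)
            return NULL;                   /* refuse to overflow keyname */
        strcpy(keyname, cur);              /* cur is non-NULL here by the loop test */
        if (has_ds_record(cur))
            return keyname;
    }
    return NULL;                           /* walked to the root: stop, do not dereference */
}

int main(void)
{
    /* Constructed inputs; the first is the name from the second backtrace. */
    const char *names[] = { "www.dnssec-failed.org", "www.example.test", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *z = signed_ancestor(names[i]);
        printf("%-24s -> %s\n", names[i], z ? z : "(none: walked to root)");
    }
    return 0;
}
```

The two cases to watch are the ones the report exercises: a name under a zone that does have a DS ("org") stops with that zone in keyname, and a name whose chain never produces a DS ends with the loop exiting at the root rather than passing NULL to strcpy().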


