<div dir="auto"><div>Hi Dominik,</div><div dir="auto"><br></div><div dir="auto">SIGALRM is in fact what is used for expiring leases so this patch should affect the relevant code path:</div><div dir="auto"><br></div><div dir="auto">[PATCH] Update DNS records after pruning DHCP leases</div><div dir="auto"><br></div><div dir="auto">As far as I can tell this is also the only place where lease_prune() is not followed by lease_update_dns()</div><div dir="auto"><br></div><div dir="auto">I found the issue by analyzing a core dump from a rare occasion where it crashes even when use-stale-cache is not enabled. From the core dump it was evident that dns_dirty was 1</div><div dir="auto"><br></div><div dir="auto">Best regards,</div><div dir="auto">Erik<br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">Den mån 13 maj 2024 21:29Dominik Derigs <<a href="mailto:dl6er@dl6er.de" rel="noreferrer noreferrer noreferrer" target="_blank">dl6er@dl6er.de</a>> skrev:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><div dir="auto">Resending because I received an error message from Gmail about issues with incoming mail before<br><br>Please let me know if my message reached you <br><br>Dominik</div><br><br><div style="font-size:10.0pt;font-family:"Tahoma","sans-serif";padding:3.0pt 0in 0in 0in">
<hr style="border:none;border-top:solid #e1e1e1 1.0pt">
<b>Von:</b> <div dir="auto">Dominik Derigs <<a href="mailto:dl6er@dl6er.de" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">dl6er@dl6er.de</a>></div><br>
<b>Gesendet:</b> 13. Mai 2024 21:12:23 MESZ<br>
<b>An:</b> <div dir="auto">Erik Karlsson <<a href="mailto:erik.r.karlsson@gmail.com" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">erik.r.karlsson@gmail.com</a>>, Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">simon@thekelleys.org.uk</a>></div><br>
<b>CC:</b> <div dir="auto">dnsmasq-discuss <<a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a>></div><br>
<b>Betreff:</b> <div dir="auto">Re: [Dnsmasq-discuss] Use-after-free with DHCP + use-stale-cache</div><br>
</div>
<br>
<p>Hey Erik,</p>
<p>sorry for the late reply.. I wanted to err on the side of caution
this time. We have been testing with your patch applied on top of
latest master for almost four days now and - so far - no new
use-after-free events occurred. Before, it happened at least once
a day. Seems I have misinterpreted when SIGALRM is used so I
thought your patch wouldn't be effective in our case. Sorry for
this and thanks for challenging my earlier statement.<br>
</p>
<p>Best,<br>
Dominik<br>
</p>
<div>On 06.05.24 11:39, Erik Karlsson wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">Hi Dominik,
<div dir="auto"><br>
</div>
<div dir="auto">Are you sure the patch I sent does not solve
this? I think it should or are there more places where
a lease_update_dns(0) is missing? Alternatively, can there be
dangling pointers left even after lease_update_dns has been
run?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Best regards,</div>
<div dir="auto">Erik</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Den mån 6 maj 2024
07:14Dominik Derigs via Dnsmasq-discuss <<a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a>>
skrev:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Hey Simon,</p>
<p>we found a bug resulting in a use-after-free returning
garbage data and possibly crash when using DHCP + stale
cache data.</p>
<p>The bug is triggered when using DHCP and a lease expires.
It's name is then free'd in kill_name() + do_script_run().
When the PTR record is queried thereafter and
use-stale-cache is enabled, dnsmasq accesses this dangling
pointer and returns random data - often a string
containing a few control characters, once dnsmasq even
SEGFAULTed.</p>
<p>Related dnsmasq.log:</p>
<pre><code><span>May</span> <span>5</span> <span>19</span>:<span>00</span>:<span>00</span> dnsmasq[<span>4395</span>]: query[PTR] <span>141.2.168.192</span>.in-addr.arpa from <span>127.0.0.1</span>
<span>May</span> <span>5</span> <span>19</span>:<span>00</span>:<span>00</span> dnsmasq[<span>4395</span>]: DHCP <span>192.168.2.141</span> is **<name unprintable>**
<span>May</span> <span>5</span> <span>19</span>:<span>00</span>:<span>00</span> dnsmasq[<span>4395</span>]: forwarded <span>141.2.168.192</span>.in-addr.arpa to <span>1.0.0.1</span></code></pre>
<p>The final immediate "forwarded" line comes from dnsmasq
itself and confirms that this was triggered by
use-stale-cache.</p>
<p>Best,<br>
Dominik<br>
</p>
<p>P.S.: The patch recently sent by Erik Karlsson doesn't
fix this, it touches other code.<br>
</p>
</div>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div></div></div>