[Dnsmasq-discuss] Segfault when no uplink dns server is available

Mon Mar 6 16:11:46 UTC 2023

Thanks for the comprehensive analysis.

You don't mention what version of dnsmasq you were testing.

I think that this was fixed in release 2.88, the commit is:

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2fc904111d9b6ec45fc1e4ec9f1f8b43c1e67b9b

If you were testing 2.88 or 2.89 then we'll need to look again.

Cheers,

Simon.

On 01/03/2023 15:58, Daniel Danzberger wrote:
> Hi,
> 
> the segfault occurs when a custom 'server=/domain.test/#' entry is defined in the config,
> but no upstream dns server is available yet.
> 
> The full valgrind crash log and config to reproduce the issue are below:
> 
> root at lappi:[dnsmasq]:# valgrind --track-origins=yes ./src/dnsmasq --conf-file=/tmp/dnsmasq.conf -k
> ==683879== Memcheck, a memory error detector
> ==683879== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==683879== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
> ==683879== Command: ./src/dnsmasq --conf-file=/tmp/dnsmasq.conf -k
> ==683879==
> ==683879== Warning: invalid file descriptor 1024 in syscall close()
> ==683879== Warning: invalid file descriptor 1025 in syscall close()
> ==683879== Warning: invalid file descriptor 1026 in syscall close()
> ==683879== Warning: invalid file descriptor 1027 in syscall close()
> ==683879==    Use --log-fd=<number> to select an alternative log fd.
> ==683879== Warning: invalid file descriptor 1028 in syscall close()
> ==683879== Warning: invalid file descriptor 1029 in syscall close()
> ==683879== Warning: invalid file descriptor 1030 in syscall close()
> ==683879== Invalid read of size 4
> ==683879==    at 0x129BED: forward_query (forward.c:353)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
> ==683879==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==683879==    by 0x11AD60: safe_malloc (util.c:302)
> ==683879==    by 0x11C3CC: opt_malloc (option.c:633)
> ==683879==    by 0x11C3CC: opt_string_alloc (option.c:645)
> ==683879==    by 0x11F03B: one_opt (option.c:2346)
> ==683879==    by 0x125578: read_file (option.c:5381)
> ==683879==    by 0x125A0B: one_file (option.c:5487)
> ==683879==    by 0x126608: read_opts (option.c:5854)
> ==683879==    by 0x10FA0C: main (dnsmasq.c:104)
> ==683879==
> ==683879== Invalid write of size 4
> ==683879==    at 0x129BF7: forward_query (forward.c:353)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
> ==683879==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==683879==    by 0x11AD60: safe_malloc (util.c:302)
> ==683879==    by 0x11C3CC: opt_malloc (option.c:633)
> ==683879==    by 0x11C3CC: opt_string_alloc (option.c:645)
> ==683879==    by 0x11F03B: one_opt (option.c:2346)
> ==683879==    by 0x125578: read_file (option.c:5381)
> ==683879==    by 0x125A0B: one_file (option.c:5487)
> ==683879==    by 0x126608: read_opts (option.c:5854)
> ==683879==    by 0x10FA0C: main (dnsmasq.c:104)
> ==683879==
> ==683879== Invalid read of size 8
> ==683879==    at 0x129C07: forward_query (forward.c:354)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x4a60558 is 24 bytes before a block of size 11 alloc'd
> ==683879==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==683879==    by 0x11AD60: safe_malloc (util.c:302)
> ==683879==    by 0x11C3CC: opt_malloc (option.c:633)
> ==683879==    by 0x11C3CC: opt_string_alloc (option.c:645)
> ==683879==    by 0x11F03B: one_opt (option.c:2346)
> ==683879==    by 0x125578: read_file (option.c:5381)
> ==683879==    by 0x125A0B: one_file (option.c:5487)
> ==683879==    by 0x126608: read_opts (option.c:5854)
> ==683879==    by 0x10FA0C: main (dnsmasq.c:104)
> ==683879==
> ==683879== Invalid write of size 4
> ==683879==    at 0x129502: forward_query (forward.c:358)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
> ==683879==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==683879==    by 0x11AD60: safe_malloc (util.c:302)
> ==683879==    by 0x11C3CC: opt_malloc (option.c:633)
> ==683879==    by 0x11C3CC: opt_string_alloc (option.c:645)
> ==683879==    by 0x11F03B: one_opt (option.c:2346)
> ==683879==    by 0x125578: read_file (option.c:5381)
> ==683879==    by 0x125A0B: one_file (option.c:5487)
> ==683879==    by 0x126608: read_opts (option.c:5854)
> ==683879==    by 0x10FA0C: main (dnsmasq.c:104)
> ==683879==
> ==683879== Invalid write of size 8
> ==683879==    at 0x12950C: forward_query (forward.c:357)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x4a60558 is 24 bytes before a block of size 11 alloc'd
> ==683879==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==683879==    by 0x11AD60: safe_malloc (util.c:302)
> ==683879==    by 0x11C3CC: opt_malloc (option.c:633)
> ==683879==    by 0x11C3CC: opt_string_alloc (option.c:645)
> ==683879==    by 0x11F03B: one_opt (option.c:2346)
> ==683879==    by 0x125578: read_file (option.c:5381)
> ==683879==    by 0x125A0B: one_file (option.c:5487)
> ==683879==    by 0x126608: read_opts (option.c:5854)
> ==683879==    by 0x10FA0C: main (dnsmasq.c:104)
> ==683879==
> ==683879== Invalid read of size 4
> ==683879==    at 0x1289B5: allocate_rfd (forward.c:2563)
> ==683879==    by 0x1291BE: forward_query (forward.c:498)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  Address 0x3 is not stack'd, malloc'd or (recently) free'd
> ==683879==
> ==683879==
> ==683879== Process terminating with default action of signal 11 (SIGSEGV)
> ==683879==  Access not within mapped region at address 0x3
> ==683879==    at 0x1289B5: allocate_rfd (forward.c:2563)
> ==683879==    by 0x1291BE: forward_query (forward.c:498)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
> ==683879==    by 0x110B38: main (dnsmasq.c:1264)
> ==683879==  If you believe this happened as a result of a stack
> ==683879==  overflow in your program's main thread (unlikely but
> ==683879==  possible), you can try to increase the size of the
> ==683879==  main thread stack using the --main-stacksize= flag.
> ==683879==  The main thread stack size used in this run was 8388608.
> ==683879==
> ==683879== HEAP SUMMARY:
> ==683879==     in use at exit: 42,261 bytes in 187 blocks
> ==683879==   total heap usage: 243 allocs, 56 frees, 138,085 bytes allocated
> ==683879==
> ==683879== LEAK SUMMARY:
> ==683879==    definitely lost: 0 bytes in 0 blocks
> ==683879==    indirectly lost: 0 bytes in 0 blocks
> ==683879==      possibly lost: 36 bytes in 1 blocks
> ==683879==    still reachable: 42,225 bytes in 186 blocks
> ==683879==         suppressed: 0 bytes in 0 blocks
> ==683879== Rerun with --leak-check=full to see details of leaked memory
> ==683879==
> ==683879== For lists of detected and suppressed errors, rerun with: -s
> ==683879== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
> ==683879== could not unlink /tmp/vgdb-pipe-from-vgdb-to-683879-by-daniel-on-???
> ==683879== could not unlink /tmp/vgdb-pipe-to-vgdb-from-683879-by-daniel-on-???
> ==683879== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-683879-by-daniel-on-???
> Segmentation fault
> 
> 
> /tmp/dnsmasq.conf:
> --
> domain-needed
> localise-queries
> read-ethers
> expand-hosts
> bind-dynamic
> local-service
> edns-packet-max=1232
> domain=lan
> local=/lan/
> server=/sub.domain.test/#
> server=/domain.test/8.8.8.8
> addn-hosts=/tmp/hosts
> resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
> stop-dns-rebind
> rebind-localhost-ok
> conf-dir=/tmp/dnsmasq.d
> bogus-priv
> --
> 
> To trigger the issue, pass a simple dns request to the running dnsmasq instance.
> I.e. with: # dig sub.domain.test @localhost
> 
> 
> The first invalid memory access happens, when the 'struct server' of the matching domain is accessed here:
> --
> ==683879== Invalid read of size 4
> ==683879==    at 0x129BED: forward_query (forward.c:353)
> ==683879==    by 0x12A756: receive_query (forward.c:1869)
> ==683879==    by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>        if (!option_bool(OPT_ORDER))
> 	{https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2fc904111d9b6ec45fc1e4ec9f1f8b43c1e67b9b
> 	  if (master->forwardcount++ > FORWARD_TEST ||
> 	      difftime(now, master->forwardtime) > FORWARD_TIME ||
> 	      master->last_server == -1)
> 	    {
> 	      master->forwardtime = now;
> 	      master->forwardcount = 0;
> 	      forward->forwardall = 1;
> 	    }
> 	  else
> 	    start = master->last_server;
> 	}
> --
> 
> The server struct has been allocated here with only 'size' bytes and not the full length of the server struct.
> Which causes the member access beyond 'size' to read/write into unwanted memory.
> src/domain-match.c:565
> --
>        if (flags & SERV_6ADDR)
> 	size = sizeof(struct serv_addr6);
>        else if (flags & SERV_4ADDR)
> 	size = sizeof(struct serv_addr4);
>        else
> 	size = sizeof(struct serv_local);
> 
>        if (!(serv = whine_malloc(size)))
> 	{
> 	  free(alloc_domain);
> 	  return 0;
> 	}
> --
> 