Potential heap-use-after-free in systemd-resolved #18132

@mrc0mmand

systemd version the issue has been seen with

latest master

Used distribution

Arch Linux

I noticed that several of the recent CentOS CI runs reported ABRTs in systemd-resolved. One of them happened in the sanitizer run, which yielded a possibly helpful trace:

systemd-resolved[112830]: ==112830==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000248f8 at pc 0x564d06c61a51 bp 0x7ffe3b0ec4b0 sp 0x7ffe3b0ec4a8
systemd-resolved[112830]:                             gVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+
systemd-resolved[112830]: READ of size 4 at 0x6040000248f8 thread T0
systemd-resolved[112830]:                             sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXx
systemd-resolved[112830]:                             uOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555
systemd-resolved[112830]:                             KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
systemd-resolved[112830]:         -- Flags: SEP ZONE_KEY
systemd-resolved[112830]:         -- Key tag: 20326: validated
systemd-resolved[112830]:     #0 0x564d06c61a50 in dns_answer_item_compare_func /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:26:13
systemd-resolved[112830]:     #1 0x7ff165e42af3 in base_bucket_scan /systemd-meson-build/../build/src/basic/hashmap.c:1209:29
systemd-resolved[112830]:     #2 0x7ff165e43f83 in _hashmap_get /systemd-meson-build/../build/src/basic/hashmap.c:1341:15
systemd-resolved[112830]:     #3 0x564d06c54ad8 in set_get /systemd-meson-build/../build/src/basic/set.h:38:16
systemd-resolved[112830]:     #4 0x564d06c5445a in dns_answer_add /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:143:17
systemd-resolved[112830]:     #5 0x564d06c5eb3f in dns_answer_copy_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:602:21
systemd-resolved[112830]:     #6 0x564d06c5f547 in dns_answer_move_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:617:13
systemd-resolved[112830]:     #7 0x564d06b8a318 in dnssec_validate_records /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:2847:29
systemd-resolved[112830]:     #8 0x564d06b84e28 in dns_transaction_validate_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:3098:21
systemd-resolved[112830]:     #9 0x564d06b7e234 in dns_transaction_process_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:793:13
systemd-resolved[112830]:     #10 0x564d06b75e10 in dns_transaction_process_reply /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:1159:9
systemd-resolved[112830]:     #11 0x564d06b8f39c in dns_transaction_on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:495:9
systemd-resolved[112830]:     #12 0x564d06b8edca in on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:545:24
systemd-resolved[112830]:     #13 0x564d06b5a663 in on_stream_io /systemd-meson-build/../build/src/resolve/resolved-dns-stream.c:419:45
systemd-resolved[112830]:     #14 0x7ff1660bb257 in source_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3498:21
systemd-resolved[112830]:     #15 0x7ff1660ba230 in sd_event_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3950:21
systemd-resolved[112830]:     #16 0x7ff1660bce7c in sd_event_run /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4011:21
systemd-resolved[112830]:     #17 0x7ff1660bd94e in sd_event_loop /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4032:21
systemd-resolved[112830]:     #18 0x564d06bfd6e2 in run /systemd-meson-build/../build/src/resolve/resolved.c:92:13
systemd-resolved[112830]:     #19 0x564d06bfd06a in main /systemd-meson-build/../build/src/resolve/resolved.c:99:1
systemd-resolved[112830]:     #20 0x7ff165099151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
systemd-resolved[112830]:     #21 0x564d06af5c1d in _start (/systemd-meson-build/systemd-resolved+0x12cc1d)
systemd-resolved[112830]: 0x6040000248f8 is located 40 bytes inside of 48-byte region [0x6040000248d0,0x604000024900)
systemd-resolved[112830]: freed by thread T0 here:
systemd-resolved[112830]:     #0 0x7ff16672b392 in realloc (/usr/lib/clang/11.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xf2392)
systemd-resolved[112830]:     #1 0x564d06c60766 in dns_answer_reserve /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:683:21
systemd-resolved[112830]:     #2 0x564d06c5522c in dns_answer_reserve_or_clone /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:710:13
systemd-resolved[112830]:     #3 0x564d06c5eb05 in dns_answer_copy_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:598:21
systemd-resolved[112830]:     #4 0x564d06c5f547 in dns_answer_move_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:617:13
systemd-resolved[112830]:     #5 0x564d06b8a318 in dnssec_validate_records /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:2847:29
systemd-resolved[112830]:     #6 0x564d06b84e28 in dns_transaction_validate_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:3098:21
systemd-resolved[112830]:     #7 0x564d06b7e234 in dns_transaction_process_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:793:13
systemd-resolved[112830]:     #8 0x564d06b75e10 in dns_transaction_process_reply /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:1159:9
systemd-resolved[112830]:     #9 0x564d06b8f39c in dns_transaction_on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:495:9
systemd-resolved[112830]:     #10 0x564d06b8edca in on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:545:24
systemd-resolved[112830]:     #11 0x564d06b5a663 in on_stream_io /systemd-meson-build/../build/src/resolve/resolved-dns-stream.c:419:45
systemd-resolved[112830]:     #12 0x7ff1660bb257 in source_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3498:21
systemd-resolved[112830]:     #13 0x7ff1660ba230 in sd_event_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3950:21
systemd-resolved[112830]:     #14 0x7ff1660bce7c in sd_event_run /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4011:21
systemd-resolved[112830]:     #15 0x7ff1660bd94e in sd_event_loop /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4032:21
systemd-resolved[112830]:     #16 0x564d06bfd6e2 in run /systemd-meson-build/../build/src/resolve/resolved.c:92:13
systemd-resolved[112830]:     #17 0x564d06bfd06a in main /systemd-meson-build/../build/src/resolve/resolved.c:99:1
systemd-resolved[112830]:     #18 0x7ff165099151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
systemd-resolved[112830]: previously allocated by thread T0 here:
systemd-resolved[112830]:     #0 0x7ff16672b1c1 in calloc (/usr/lib/clang/11.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xf21c1)
systemd-resolved[112830]:     #1 0x564d06c53c8a in dns_answer_new /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:51:13
systemd-resolved[112830]:     #2 0x564d06c60653 in dns_answer_reserve /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:689:21
systemd-resolved[112830]:     #3 0x564d06c5522c in dns_answer_reserve_or_clone /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:710:13
systemd-resolved[112830]:     #4 0x564d06c5eb05 in dns_answer_copy_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:598:21
systemd-resolved[112830]:     #5 0x564d06c5f547 in dns_answer_move_by_key /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:617:13
systemd-resolved[112830]:     #6 0x564d06b8a318 in dnssec_validate_records /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:2847:29
systemd-resolved[112830]:     #7 0x564d06b84e28 in dns_transaction_validate_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:3098:21
systemd-resolved[112830]:     #8 0x564d06b7e234 in dns_transaction_process_dnssec /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:793:13
systemd-resolved[112830]:     #9 0x564d06b75e10 in dns_transaction_process_reply /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:1159:9
systemd-resolved[112830]:     #10 0x564d06b8f39c in dns_transaction_on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:495:9
systemd-resolved[112830]:     #11 0x564d06b8edca in on_stream_packet /systemd-meson-build/../build/src/resolve/resolved-dns-transaction.c:545:24
systemd-resolved[112830]:     #12 0x564d06b5a663 in on_stream_io /systemd-meson-build/../build/src/resolve/resolved-dns-stream.c:419:45
systemd-resolved[112830]:     #13 0x7ff1660bb257 in source_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3498:21
systemd-resolved[112830]:     #14 0x7ff1660ba230 in sd_event_dispatch /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:3950:21
systemd-resolved[112830]:     #15 0x7ff1660bce7c in sd_event_run /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4011:21
systemd-resolved[112830]:     #16 0x7ff1660bd94e in sd_event_loop /systemd-meson-build/../build/src/libsystemd/sd-event/sd-event.c:4032:21
systemd-resolved[112830]:     #17 0x564d06bfd6e2 in run /systemd-meson-build/../build/src/resolve/resolved.c:92:13
systemd-resolved[112830]:     #18 0x564d06bfd06a in main /systemd-meson-build/../build/src/resolve/resolved.c:99:1
systemd-resolved[112830]:     #19 0x7ff165099151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
systemd-resolved[112830]: SUMMARY: AddressSanitizer: heap-use-after-free /systemd-meson-build/../build/src/resolve/resolved-dns-answer.c:26:13 in dns_answer_item_compare_func

/cc @yuwata @keszybz
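
The trace above shows a block released by `realloc` under `dns_answer_reserve` and then read through a hash-set lookup under `dns_answer_add`, which is the pattern produced when a lookup index keeps raw pointers into a growable allocation. The C sketch below is an added illustration, not systemd code and not part of the original report; the `Answer`/`Item` layout and every function name are hypothetical, and it assumes that mechanism rather than confirming the root cause.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: items live in a flexible array inside the
 * container, and a lookup index keeps raw pointers to those items. */
typedef struct { int ifindex, key; } Item;
typedef struct {
    size_t n, cap;
    Item **index;              /* index[i] points at items[i] below */
    Item items[];
} Answer;

Answer *answer_new(size_t cap) {
    Answer *a = calloc(1, sizeof(Answer) + cap * sizeof(Item));
    if (a && !(a->index = calloc(cap, sizeof(Item *)))) { free(a); return NULL; }
    if (a) a->cap = cap;
    return a;
}

void answer_add(Answer *a, int ifindex, int key) {   /* caller reserved room */
    a->items[a->n] = (Item){ ifindex, key };
    a->index[a->n] = &a->items[a->n];
    a->n++;
}

/* Grow by allocate-copy-free, which is what realloc() does when it cannot
 * extend in place (cap must be >= old->n). With fix_index == 0 the index
 * still points into the freed block; the next lookup would read freed memory. */
Answer *answer_reserve(Answer *old, size_t cap, int fix_index) {
    Answer *a = malloc(sizeof(Answer) + cap * sizeof(Item));
    Item **idx = a ? realloc(old->index, cap * sizeof(Item *)) : NULL;
    if (!idx) { free(a); return NULL; }               /* old stays valid */
    memcpy(a, old, sizeof(Answer) + old->n * sizeof(Item));
    a->index = idx;
    a->cap = cap;
    for (size_t i = 0; fix_index && i < a->n; i++)
        a->index[i] = &a->items[i];                   /* re-point at new block */
    free(old);
    return a;
}

/* Count index entries that do not point into the live items array. Addresses
 * are compared as integers only; stale pointers are never dereferenced. */
size_t answer_stale_entries(const Answer *a) {
    uintptr_t lo = (uintptr_t)a->items, hi = (uintptr_t)(a->items + a->cap);
    size_t stale = 0;
    for (size_t i = 0; i < a->n; i++)
        stale += (uintptr_t)a->index[i] < lo || (uintptr_t)a->index[i] >= hi;
    return stale;
}
```

A check like `answer_stale_entries` can serve as a debug assertion after every grow; storing array offsets in the index instead of pointers removes the hazard altogether.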

Labels: bug, resolve