There is a heap-use-after-free in resolved in dns_transaction_make_packet_mdns #23894
Labels: bug 🐛 (Programming errors, that need preferential fixing), resolve
Description
systemd version the issue has been seen with
It was discovered in #23875 (comment):
=================================================================
==7884==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000011e28 at pc 0x0000004bb485 bp 0x7fff103b08f0 sp 0x7fff103b08e8
READ of size 8 at 0x612000011e28 thread T0
#0 0x4bb484 in dns_transaction_make_packet_mdns ../src/resolve/resolved-dns-transaction.c:1798
#1 0x4bbfa7 in dns_transaction_make_packet ../src/resolve/resolved-dns-transaction.c:1892
#2 0x4bdcab in dns_transaction_go ../src/resolve/resolved-dns-transaction.c:2000
#3 0x4abda0 in dns_transaction_retry ../src/resolve/resolved-dns-transaction.c:521
#4 0x4b8289 in on_transaction_timeout ../src/resolve/resolved-dns-transaction.c:1548
#5 0x7f685d3b4318 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:3610
#6 0x7f685d3bc9fa in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4186
#7 0x7f685d3bdb5e in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4247
#8 0x7f685d3bdedf in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:4268
#9 0x553421 in run ../src/resolve/resolved.c:92
#10 0x5536bb in main ../src/resolve/resolved.c:99
#11 0x7f685ae4043f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
#12 0x7f685ae404ef in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x404ef)
#13 0x40c0a4 in _start (/usr/lib/systemd/systemd-resolved+0x40c0a4)
0x612000011e28 is located 232 bytes inside of 280-byte region [0x612000011d40,0x612000011e58)
freed by thread T0 here:
#0 0x7f685e2ae627 in free (/lib64/libasan.so.6+0xae627)
#1 0x4a40e9 in dns_transaction_free ../src/resolve/resolved-dns-transaction.c:161
#2 0x4a4647 in dns_transaction_gc ../src/resolve/resolved-dns-transaction.c:180
#3 0x43a94f in dns_query_candidate_stop ../src/resolve/resolved-dns-query.c:56
#4 0x43eb0b in dns_query_stop ../src/resolve/resolved-dns-query.c:354
#5 0x4438b9 in dns_query_complete ../src/resolve/resolved-dns-query.c:588
#6 0x448beb in dns_query_accept ../src/resolve/resolved-dns-query.c:925
#7 0x44905b in dns_query_ready ../src/resolve/resolved-dns-query.c:978
#8 0x43e7fa in dns_query_candidate_notify ../src/resolve/resolved-dns-query.c:340
#9 0x4a9b27 in dns_transaction_complete ../src/resolve/resolved-dns-transaction.c:436
#10 0x4b8e47 in dns_transaction_prepare ../src/resolve/resolved-dns-transaction.c:1635
#11 0x4baf32 in dns_transaction_make_packet_mdns ../src/resolve/resolved-dns-transaction.c:1825
#12 0x4bbfa7 in dns_transaction_make_packet ../src/resolve/resolved-dns-transaction.c:1892
#13 0x4bdcab in dns_transaction_go ../src/resolve/resolved-dns-transaction.c:2000
#14 0x4abda0 in dns_transaction_retry ../src/resolve/resolved-dns-transaction.c:521
#15 0x4b8289 in on_transaction_timeout ../src/resolve/resolved-dns-transaction.c:1548
#16 0x7f685d3b4318 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:3610
#17 0x7f685d3bc9fa in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4186
#18 0x7f685d3bdb5e in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4247
#19 0x7f685d3bdedf in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:4268
#20 0x553421 in run ../src/resolve/resolved.c:92
#21 0x5536bb in main ../src/resolve/resolved.c:99
#22 0x7f685ae4043f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
previously allocated by thread T0 here:
#0 0x7f685e2ae91f in __interceptor_malloc (/lib64/libasan.so.6+0xae91f)
#1 0x49ebe5 in malloc_multiply ../src/basic/alloc-util.h:104
#2 0x4a557d in dns_transaction_new ../src/resolve/resolved-dns-transaction.c:271
#3 0x43c6fa in dns_query_candidate_add_transaction ../src/resolve/resolved-dns-query.c:137
#4 0x43e2ac in dns_query_candidate_setup_transactions ../src/resolve/resolved-dns-query.c:286
#5 0x443d29 in dns_query_add_candidate ../src/resolve/resolved-dns-query.c:624
#6 0x445a60 in dns_query_go ../src/resolve/resolved-dns-query.c:759
#7 0x41c7cf in bus_method_resolve_service ../src/resolve/resolved-bus.c:1377
#8 0x7f685d18b370 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
#9 0x7f685d194b70 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1310
#10 0x7f685d196232 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1430
#11 0x7f685d1f54bd in process_message ../src/libsystemd/sd-bus/sd-bus.c:2962
#12 0x7f685d1f59d4 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3004
#13 0x7f685d1f8835 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3224
#14 0x7f685d1f89cf in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3251
#15 0x7f685d1fc0d0 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3602
#16 0x7f685d3b4145 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:3602
#17 0x7f685d3bc9fa in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4186
#18 0x7f685d3bdb5e in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4247
#19 0x7f685d3bdedf in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:4268
#20 0x553421 in run ../src/resolve/resolved.c:92
#21 0x5536bb in main ../src/resolve/resolved.c:99
#22 0x7f685ae4043f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/resolve/resolved-dns-transaction.c:1798 in dns_transaction_make_packet_mdns
Shadow bytes around the buggy address:
0x0c247fffa370: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffa380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffa390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c247fffa3a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffa3b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fffa3c0: fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa
0x0c247fffa3d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffa3e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffa3f0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c247fffa400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffa410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==7884==ABORTING
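Reading the three stacks together: the freed 280-byte region is the transaction object allocated in dns_transaction_new; it is freed from dns_transaction_gc beneath dns_transaction_prepare, which dns_transaction_make_packet_mdns calls at resolved-dns-transaction.c:1825; and the reported read is at line 1798 of that same function. That is the shape of a re-entrancy use-after-free: a routine walks a set of sibling transactions and calls into code that can complete the owning query, which frees members of that set while the walk still holds pointers to them. The C program below is an added, constructed illustration of that pattern next to a hardened walk; it is not systemd's code, and the Query and Transaction types, tx_prepare, query_complete, the snapshot array and the reference counting are all assumptions made for the example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not systemd code. A Query owns N_TX Transactions.
 * Building a packet walks them and calls tx_prepare() on each; if a
 * transaction can be answered at once, prepare() completes the whole query,
 * which drops the query's references (the prepare -> complete -> gc -> free
 * path visible in the ASan trace). */
#define N_TX 3

typedef struct Query Query;
typedef struct Transaction {
    Query *query;
    int id;
    unsigned n_ref;   /* reference count; the owning query holds one */
    int answered;     /* prepare() completes the query from this tx */
    char *name;       /* heap data the packet builder reads */
} Transaction;

struct Query {
    Transaction *tx[N_TX];
    int done;
};

int live_transactions;   /* allocations minus frees, for leak/double-free checks */

Transaction *tx_ref(Transaction *t) { if (t) t->n_ref++; return t; }

Transaction *tx_unref(Transaction *t) {
    if (!t) return NULL;
    assert(t->n_ref > 0);                       /* catches a double unref */
    if (--t->n_ref == 0) { free(t->name); free(t); live_transactions--; }
    return NULL;
}

Transaction *tx_new(Query *q, int id) {
    Transaction *t = calloc(1, sizeof *t);
    t->query = q; t->id = id; t->n_ref = 1;
    t->name = malloc(8);
    snprintf(t->name, 8, "tx%d", id);
    live_transactions++;
    return t;
}

/* Completing a query releases every transaction it owns. */
void query_complete(Query *q) {
    if (q->done) return;
    q->done = 1;
    for (int i = 0; i < N_TX; i++)
        q->tx[i] = tx_unref(q->tx[i]);
}

/* answered_id: index of the tx that completes the query from inside
 * prepare(), or -1 for none. Sample data constructed for the example. */
Query *query_new(int answered_id) {
    Query *q = calloc(1, sizeof *q);
    for (int i = 0; i < N_TX; i++)
        q->tx[i] = tx_new(q, i);
    if (answered_id >= 0) q->tx[answered_id]->answered = 1;
    return q;
}

void query_free(Query *q) { query_complete(q); free(q); }

/* The re-entrant callback: preparing one transaction may finish the query. */
void tx_prepare(Transaction *t) {
    if (t->answered)
        query_complete(t->query);
}

/* Vulnerable shape: snapshot the pointers, read each one, then prepare it.
 * Once an early prepare() completes the query, every later list[i] dangles
 * and the strncat reads freed heap. Run this only under -fsanitize=address,
 * which reports it as heap-use-after-free. */
int make_packet_unsafe(Query *q, char *out, size_t outsz) {
    Transaction *list[N_TX];
    memcpy(list, q->tx, sizeof list);
    out[0] = '\0';
    for (int i = 0; i < N_TX; i++) {
        Transaction *t = list[i];
        strncat(out, t->name, outsz - strlen(out) - 1);   /* the reported READ */
        tx_prepare(t);                                     /* may free all of list[] */
    }
    return N_TX;
}

/* Hardened shape: re-check the owner before each dereference and pin the
 * current tx with a reference across the call that may re-enter. Returns
 * how many transactions were serialised (fewer than N_TX if the query
 * completed mid-walk). */
int make_packet_safe(Query *q, char *out, size_t outsz) {
    int n = 0;
    out[0] = '\0';
    for (int i = 0; i < N_TX; i++) {
        if (q->done) break;                  /* completed under us: stop now */
        Transaction *t = tx_ref(q->tx[i]);   /* keep t alive if the query lets go */
        strncat(out, t->name, outsz - strlen(out) - 1);
        n++;
        tx_prepare(t);
        tx_unref(t);                         /* drop the pin; frees t if released */
    }
    return n;
}

int main(void) {
    char buf[64];
    Query *q = query_new(0);
    int n = make_packet_safe(q, buf, sizeof buf);
    printf("serialised %d tx: %s (done=%d, live=%d)\n", n, buf, q->done, live_transactions);
    query_free(q);
    return 0;
}
```

With the first transaction marked as answered, the hardened walk serialises only "tx0", notices the query completed, and stops with no live objects left; the same setup fed to make_packet_unsafe is what an ASan build flags as a read of freed memory on the second iteration.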