BUG report, BIND crash when dlz postgresql driver receives error from database server.

Dennis Jenkins dennis.jenkins.75 at gmail.com
Thu Jul 24 15:51:00 UTC 2014


I attempted to submit this bug report via the online form, but that failed
("Failed to send your message. Please try later or contact the
administrator by another method.")



BIND, configured with "dlz postgresql", successfully connects to the
database, but crashes (or corrupts the heap, randomly) on the very first
query submitted, if the "find zone" query receives a "permission denied"
error from PostgreSQL.

The problem goes away when I correct the permissions on the table.  :)

However, BIND should not crash or corrupt its heap on a database query
error.  I have not reviewed the DLZ postgresql driver code, but I suspect
that the error handler needs some tender loving care. :)  Stack trace
included (see below):


CREATE TABLE dns_records
(
  zone text,
  host text,
  ttl integer,
  type text,
  mx_priority integer,
  data text,
  resp_person text,
  serial integer,
  refresh integer,
  retry integer,
  minimum integer,
  expire integer
)
WITH (
  OIDS=FALSE
);
ALTER TABLE dns_records
  OWNER TO pgsql;

(no additional grants, and BIND is configured to connect as the user/role
"dns", which does NOT have "select" permission on the table (yet)).

Relevant bind config:

# http://bind-dlz.sourceforge.net/postgresql_example.html
# http://bind-dlz.sourceforge.net/postgresql_driver.html
dlz "postgres zone" {
   database "postgres 2
   {host=REDACTED port=5432 dbname=dns user=dns}
   {select zone from dns_records where zone = '$zone$'}
   {select ttl, type, mx_priority, case when lower(type)='txt' then '\"' || data
        || '\"' else data end from dns_records where zone = '$zone$' and host = '$record$'
        and not (type = 'SOA' or type = 'NS')}
   {select ttl, type, mx_priority, data, resp_person, serial, refresh, retry, expire,
        minimum from dns_records where zone = '$zone$' and (type = 'SOA' or type='NS')}
   {select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire,
        minimum from dns_records where zone = '$zone$'}
   {select zone from xfr_table where zone = '$zone$' and client = '$client$'}";
};


Below is a stack trace, followed by other relevant config bits.
(ran "/usr/sbin/named -u named -g -d5" inside "gdb", then sent a request
for "A aisd-7.test.local" via "dig"):

24-Jul-2014 10:18:38.262 client 127.0.0.1#50111: UDP request
24-Jul-2014 10:18:38.262 client 127.0.0.1#50111: using view '_default'
24-Jul-2014 10:18:38.262 client 127.0.0.1#50111: request is not signed
24-Jul-2014 10:18:38.262 client 127.0.0.1#50111: recursion available
24-Jul-2014 10:18:38.262 client 127.0.0.1#50111: query
24-Jul-2014 10:18:38.262
Query String: select zone from dns_records where zone = 'aisd-7.test.local'

*** Error in `/usr/sbin/named': double free or corruption (!prev): 0x08168828 ***

Program received signal SIGABRT, Aborted.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdd424 in __kernel_vsyscall ()
#1  0xb7a3298f in raise () from /lib/libc.so.6
#2  0xb7a341a3 in abort () from /lib/libc.so.6
#3  0xb7a74115 in __libc_message () from /lib/libc.so.6
#4  0xb7a7a732 in malloc_printerr () from /lib/libc.so.6
#5  0xb7a7b490 in _int_free () from /lib/libc.so.6
#6  0xb7d40546 in PQclear () from /usr/lib/libpq.so.5
#7  0x080b3686 in postgres_findzone ()
#8  0xb7f06e82 in dns_sdlzfindzone () from /usr/lib/libdns.so.100
#9  0xb7e3d546 in dns_dlzfindzone () from /usr/lib/libdns.so.100
#10 0x0807cdb4 in query_getdb ()
#11 0x08082bc6 in query_find ()
#12 0x0808e701 in ns_query_start ()
#13 0x0806e91d in client_request ()
#14 0xb7d8f0d0 in isc__taskmgr_dispatch () from /usr/lib/libisc.so.95
#15 0xb7d93224 in evloop () from /usr/lib/libisc.so.95
#16 0xb7d939ea in isc__app_ctxrun () from /usr/lib/libisc.so.95
#17 0xb7d93e6d in isc__app_run () from /usr/lib/libisc.so.95
#18 0x08067c8d in main ()
(gdb) quit

mad-dns-3 net-dns # named -V
BIND 9.9.5 (Extended Support Version) <id:f9b8a50e> built by make with
'--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib'
'--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var'
'--with-libtool' '--enable-full-report' '--disable-threads' '--with-dlopen'
'--with-dlz-filesystem' '--with-dlz-stub' '--with-dlz-postgres'
'--without-dlz-mysql' '--with-dlz-bdb' '--without-dlz-ldap'
'--without-dlz-odbc' '--with-openssl=/usr' '--with-ecdsa' '--without-idn'
'--disable-ipv6' '--without-libxml2' '--disable-newstats'
'--without-gssapi' '--disable-rpz-nsip' '--disable-rpz-nsdname'
'--disable-linux-caps' '--without-gost' '--disable-filter-aaaa'
'--disable-fixed-rrset' '--disable-rrl' '--without-python'
'--without-readline' '--with-randomdev=/dev/random'
'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O2
-march=i686 -pipe -I/usr/include/db4.8' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
compiled by GCC 4.7.3
using OpenSSL version: OpenSSL 1.0.1h 5 Jun 2014


mad-dns-3 ~ # dig @127.0.0.1 A aisd-7.test.local

; <<>> DiG 9.9.5 <<>> @127.0.0.1 A aisd-7.test.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


ASCII dump of TCP capture between BIND server and POSTGRESQL server:
(Yes, the database is not properly configured yet, but BIND should not
crash just because postgresql returns an error message instead of a query
result):

........user.dns.database.dns..R........S....application_name..S....client_encoding.UTF8.S....DateStyle.ISO,
MDY.S....integer_datetimes.on.S....IntervalStyle.postgres.S....is_superuser.off.S....server_encoding.UTF8.S....server_version.9.3.4.S....session_authorization.dns.S...#standard_conforming_strings.on.S....TimeZone.US/Central.K........`d.IZ....IQ...Bselect
zone from dns_records where zone =
'aisd-7.test.local'.E..._SERROR.C42501.Mpermission denied for relation
dns_records.Faclchk.c.L3371.Raclcheck_error..Z....IQ...Bselect zone from
dns_records where zone = 'aisd-7.test.local'.E..._SERROR.C42501.Mpermission
denied for relation
dns_records.Faclchk.c.L3371.Raclcheck_error..Z....IQ...Bselect zone from
dns_records where zone = 'aisd-7.test.local'.E..._SERROR.C42501.Mpermission
denied for relation dns_records.Faclchk.c.L3371.Raclcheck_error..Z....I

Cleaned up ASCII dump of the postgresql conversation:

Query:
  select zone from dns_records where zone = 'aisd-7.test.local'

Response:
  ERROR.C42501. permission denied for relation dns_records.
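
Added example, not part of the original report and not BIND or libpq code: a small C parser for the PostgreSQL v3 ErrorResponse message seen in the capture, which lets you confirm from captured bytes that the server answered with an ordinary, well-formed error (SQLSTATE 42501). The sample bytes are reconstructed by hand from the dump, and the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

struct pg_error { const char *severity, *sqlstate, *message, *routine; };

/* Constructed sample rebuilt from the capture: 'E', big-endian int32 length
 * (counts itself, not the type byte; 0x5f is the '_' visible in the dump),
 * {code, NUL-terminated string} fields, then a lone NUL (supplied here by
 * the string literal's implicit terminator). */
static const unsigned char sample_msg[] =
    "E\0\0\0\x5f" "SERROR\0" "C42501\0"
    "Mpermission denied for relation dns_records\0"
    "Faclchk.c\0" "L3371\0" "Raclcheck_error\0";

/* Returns 0 on success, -1 if malformed or truncated; out aliases buf. */
static int parse_error_response(const unsigned char *buf, size_t n,
                                struct pg_error *out)
{
    memset(out, 0, sizeof *out);
    if (n < 6 || buf[0] != 'E') return -1;
    uint32_t len = (uint32_t)buf[1] << 24 | (uint32_t)buf[2] << 16 |
                   (uint32_t)buf[3] << 8 | buf[4];
    if (len < 5 || len > n - 1) return -1;   /* claimed length must fit */
    const unsigned char *p = buf + 5, *end = buf + 1 + len;
    while (p < end && *p != 0) {
        char code = (char)*p++;
        const unsigned char *nul = memchr(p, 0, (size_t)(end - p));
        if (nul == NULL) return -1;          /* unterminated field string */
        if (code == 'S') out->severity = (const char *)p;
        if (code == 'C') out->sqlstate = (const char *)p;
        if (code == 'M') out->message  = (const char *)p;
        if (code == 'R') out->routine  = (const char *)p;
        p = nul + 1;                         /* other codes (F, L) skipped */
    }
    return (p < end && out->sqlstate) ? 0 : -1;  /* terminator + SQLSTATE */
}

/* SQLSTATE 42501 is insufficient_privilege. */
static int is_permission_denied(const struct pg_error *e)
{
    return e->sqlstate && strcmp(e->sqlstate, "42501") == 0;
}

int main(void)
{
    struct pg_error e;
    int rc = parse_error_response(sample_msg, sizeof sample_msg, &e);
    return (rc == 0 && is_permission_denied(&e)) ? 0 : 1;
}
```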