Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

coredump with enable-subnet #663

Closed
fly542 opened this issue Apr 15, 2022 · 4 comments
Closed

coredump with enable-subnet #663

fly542 opened this issue Apr 15, 2022 · 4 comments

Comments

@fly542
Copy link

fly542 commented Apr 15, 2022

Describe the bug
we use our data do pressure test, unbound must coredump which complied with --enable-subnet from version of 1.15.0

To reproduce
the coredump was caused by commit 773d1f29111b40445ec4bedf416c1f7b64c0605b, when remove per_upstream_opt_list = qstate->edns_opts_back_out; from services/outside_network.c will not coredump anymore.

Expected behavior
A clear and concise description of what you expected to happen.

System:

  • Unbound version: 1.15.0
  • OS: centos7.2
  • unbound -V output:
    Version 1.15.0

Configure line: --prefix=/soft/unbound/ --with-conf-file=/soft/unbound/etc/unbound.conf --disable-rpath --enable-subnet
Linked libs: mini-event internal (it uses select), OpenSSL 1.0.1e-fips 11 Feb 2013
Linked modules: dns64 subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.

Additional information
coredump stack

(gdb) bt
#0  0x00002b35bd241de6 in __memcmp_sse4_1 () from /lib64/libc.so.6
#1  0x000000000049834f in edns_opt_compare (q=0x2b35da1897b8, p=0x2b35da1897b8) at util/data/msgreply.c:1207
#2  edns_opt_list_compare (p=0x2b35da1897b8, q=0x2b35da1897b8) at util/data/msgreply.c:1215
#3  0x000000000046a15c in serviced_cmp (key1=0x2b35da190ed0, key2=0x2b35da190ed0) at services/outside_network.c:144
#4  0x000000000048c48a in rbtree_find_less_equal (rbtree=<optimized out>, key=<optimized out>, result=<optimized out>) at util/rbtree.c:527
#5  0x000000000048c85e in rbtree_search (rbtree=rbtree@entry=0x2b35d81315c0, key=<optimized out>) at util/rbtree.c:285
#6  0x000000000048c8e0 in rbtree_delete (rbtree=0x2b35d81315c0, key=<optimized out>) at util/rbtree.c:333
#7  0x0000000000433635 in outnet_serviced_query_stop (sq=<optimized out>, cb_arg=<optimized out>, sq=<optimized out>)
    at services/outside_network.c:3480
#8  0x0000000000433667 in outbound_list_clear (list=list@entry=0x2b35da1a1af8) at services/outbound_list.c:60
#9  0x00000000004336aa in iter_clear (qstate=qstate@entry=0x2b35da1a1600, id=id@entry=2) at iterator/iterator.c:3999
#10 0x000000000048f2a5 in mesh_state_cleanup (mstate=0x2b35da1a15b0) at services/mesh.c:908
#11 mesh_state_delete (qstate=<optimized out>, qstate=<optimized out>) at services/mesh.c:950
#12 0x000000000049086d in mesh_make_new_space (mesh=0x2b35d83f9dd0, qbuf=0x2b35d8002cd0) at services/mesh.c:357
#13 0x0000000000445fa2 in mesh_new_client (qid=49977, rep=0x2b35bfb019f0, edns=0x2b35bfb01580, qflags=256, cinfo=0x0, qinfo=0x2b35bfb01560, 
    mesh=0x2b35d83f9dd0) at services/mesh.c:478
#14 worker_handle_request (c=c@entry=0x2b35d81180a0, arg=0x207b2e0, error=error@entry=0, repinfo=repinfo@entry=0x2b35bfb019f0)
    at daemon/worker.c:1528
#15 0x0000000000475051 in comm_point_udp_ancil_callback (fd=13, event=event@entry=2, arg=<optimized out>) at util/netevent.c:724
#16 0x00000000004ad5d7 in handle_select.41039 (base=0x2b35d8000930, wait=<optimized out>) at util/mini_event.c:220
#17 0x000000000046c141 in minievent_base_dispatch (base=0x2b35d8000930) at util/mini_event.c:242
#18 ub_event_base_dispatch (base=0x2b35d8000930) at util/ub_event.c:280
#19 comm_base_dispatch (b=<optimized out>) at util/netevent.c:256
#20 0x000000000045602e in worker_work (worker=0x207b2e0) at daemon/worker.c:1921
#21 thread_start.6895 (arg=0x207b2e0) at daemon/daemon.c:541
#22 0x00002b35bcec3dd5 in start_thread () from /lib64/libpthread.so.0

@Philip-NLnetLabs
Copy link
Member

Hi,

I'm trying to reproduce your crash. So far, I didn't succeed. I don't know if it makes a difference, but the most recent version of CentOS is 7.9.2009 so I tried that.

Since 1.15.0, there have been a few commits regarding subnet handling. Could you please test the current git head (1289c53)?

If that also fails, them maybe you can help me reproduce the problem?

Philip

@fly542
Copy link
Author

fly542 commented Apr 29, 2022

Hi,

I'm trying to reproduce your crash. So far, I didn't succeed. I don't know if it makes a difference, but the most recent version of CentOS is 7.9.2009 so I tried that.

Since 1.15.0, there have been a few commits regarding subnet handling. Could you please test the current git head (1289c53)?

If that also fails, them maybe you can help me reproduce the problem?

Philip

use branch of 1289c53c1ad698e51a7adf0271d63af992d78a33 is alse cause coredump, the stack is fllow:

#0  0x00002af8bbe04de6 in __memcmp_sse4_1 () from /lib64/libc.so.6
#1  0x00000000004cee3b in edns_opt_compare (p=0x2af8edd0e0a8, q=0x2af8edd0e0a8) at util/data/msgreply.c:1207
#2  0x00000000004cee69 in edns_opt_list_compare (p=0x2af8edd0e0a8, q=0x2af8edd0e0a8) at util/data/msgreply.c:1215
#3  0x0000000000422e03 in serviced_cmp (key1=0x2af8edd157a0, key2=0x2af8edd157a0) at services/outside_network.c:144
#4  0x0000000000486ca6 in rbtree_find_less_equal (rbtree=0x2af8ec1315c0, key=0x2af8edd157a0, result=0x2af8bf0c94f8) at util/rbtree.c:527
#5  0x00000000004864a6 in rbtree_search (rbtree=0x2af8ec1315c0, key=0x2af8edd157a0) at util/rbtree.c:285
#6  0x00000000004865e3 in rbtree_delete (rbtree=0x2af8ec1315c0, key=0x2af8edd157a0) at util/rbtree.c:333
#7  0x00000000004180e4 in outnet_serviced_query_stop (sq=0x2af8edd157a0, cb_arg=0x2af8eddbb218) at services/outside_network.c:3483
#8  0x00000000004a4d34 in outbound_list_clear (list=0x2af8eddbaeb8) at services/outbound_list.c:60
#9  0x00000000004bc78c in iter_clear (qstate=0x2af8eddba9a0, id=2) at iterator/iterator.c:4001
#10 0x00000000004b085d in mesh_state_cleanup (mstate=0x2af8eddba950) at services/mesh.c:913
#11 0x00000000004b0aa5 in mesh_state_delete (qstate=0x2af8eddba9a0) at services/mesh.c:955
#12 0x00000000004af09a in mesh_make_new_space (mesh=0x2af8ec3f9dd0, qbuf=0x2af8ec002cd0) at services/mesh.c:357
#13 0x00000000004af5e6 in mesh_new_client (mesh=0x2af8ec3f9dd0, qinfo=0x2af8bf0c9910, cinfo=0x0, qflags=256, edns=0x2af8bf0c98e0, 
    rep=0x2af8bf0c9b40, qid=14329, rpz_passthru=0) at services/mesh.c:479
#14 0x00000000004e5b82 in worker_handle_request (c=0x2af8ec1180a0, arg=0xc12c40, error=0, repinfo=0x2af8bf0c9b40) at daemon/worker.c:1544
#15 0x0000000000429a9c in comm_point_udp_ancil_callback (fd=25, event=2, arg=0x2af8ec1180a0) at util/netevent.c:724
#16 0x00000000004818f6 in handle_select (base=0x2af8ec000930, wait=0x2af8bf0c9d60) at util/mini_event.c:220
#17 0x0000000000481989 in minievent_base_dispatch (base=0x2af8ec000930) at util/mini_event.c:242
#18 0x0000000000419030 in ub_event_base_dispatch (base=0x2af8ec000930) at util/ub_event.c:280
#19 0x0000000000428d65 in comm_base_dispatch (b=0x2af8ec0008c0) at util/netevent.c:256
#20 0x00000000004e6c4b in worker_work (worker=0xc12c40) at daemon/worker.c:1947
#21 0x00000000004f7718 in thread_start (arg=0xc12c40) at daemon/daemon.c:541
#22 0x00002af8bba86dd5 in start_thread () from /lib64/libpthread.so.0
#23 0x00002af8bbd9902d in clone () from /lib64/libc.so.6

@Philip-NLnetLabs
Copy link
Member

Hi,

Pity that it still fails. Do you have anything to help me reproduce the problem?

Philip

@fly542
Copy link
Author

fly542 commented May 5, 2022

Hi,

Pity that it still fails. Do you have anything to help me reproduce the problem?

Philip

Send a mail to me, fly542@gmail.com,I'll send you the test tool and test data file.

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jun 23, 2022
* nlnet/master:
  Fix use after free issue with edns options (NLnetLabs#663)
  Change log entry for lines with blanks issue
  - Remove unused LDNS function check for GOST Engine unloading.
  - Note in the unbound.conf text that NOTIFY is allowed from the url:   addresses for auth and rpz zones.
  Changelog entry for NLnetLabs#688 - Merge PR NLnetLabs#688: Rpz url notify issue.
  - Add testcase for allowing NOTIFY on URL addresses.
  Test loading a zone with blank lines over https
  Avoid network traffic during test, a bit of cleanup
  Fix issue with lines that only consist of blanks with optional comment
  Test loading a cached zone that has lines consisting of blanks
  Add url 'master' to allow notify list
  allow-notify doesn't work for url on rpz zones (NLnetLabs#679)
@fly542 fly542 closed this as completed Aug 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants