BIND crashes with failed assertion INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain))

It seems that this has already been reported upstream in https://gitlab.isc.org/isc-projects/bind9/-/issues/1997 and was fixed in 9.16.6.

A CVE number was assigned as well, CVE-2020-8621 https://kb.isc.org/docs/cve-2020-8621.

Please pull the fix into Focal's BIND.

9.16.1-0ubuntu2.3 has the patch for 2020-8621:
bind9 (1:9.16.1-0ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: A specially crafted large TCP payload can trigger an
    assertion failure
    - debian/patches/CVE-2020-8620.patch: add extra checks to
      lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/netmgr.c,
      lib/isc/netmgr/tcp.c, lib/isc/netmgr/udp.c.
    - CVE-2020-8620
  * SECURITY UPDATE: Attempting QNAME minimization after forwarding can
    lead to an assertion failure
    - debian/patches/CVE-2020-8621.patch: disable QNAME minimization in
      lib/dns/resolver.c.
    - CVE-2020-8621
...

Maybe this is https://gitlab.isc.org/isc-projects/bind9/-/commit/0a22024c270a38a54f0d51621a046b726df158c0 ? Fixed in debian too:

bind9 (1:9.16.6-3) unstable; urgency=medium

  [ Ondřej Surý ]
  * Add upstream patches to fix some rare conditions (Closes: #969448)

  [ Bernhard Schmidt ]
  * Set Restart=on-failure in systemd unit

 -- Bernhard Schmidt <email address hidden> Tue, 15 Sep 2020 00:26:14 +0200

The debian patches: https://salsa.debian.org/dns-team/bind9/-/commit/f375acc4ff8702d736e5170e8fcbdce6b0da7e40

I agree, the Debian bug #969448 looks very similar to the crashes I experienced. Is there a timeline for the Debian patches to be merged into Ubuntu's BIND?

They were already, but for groovy (the ubuntu version currently in development). This is a case for backporting them to focal. Since I have no clear way to reproduce this crash, would you be willing to test packages from a ppa to confirm the fix?

Sure, I can test the packages from the PPA. However, I also don't have a way to reproduce the crash. I could only leave the PPA version running for some time (e.g., two weeks) and see whether it crashes or not...

I looked at the changes Andreas pointed to, but I'm unsure they are really the same right now.

- 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
  applied as-is, but is about diagnostics and not fixing a crash as reported here

- 0004-Fix-off-by-one-error-when-calculating-new-hashtable-.patch
  does not apply as-is
  Tracking this I found this would also need (at least) the backport of:
  https://github.com/isc-projects/bind9/commit/e24bc324b455d9cad7b51acd3d5c7b4e40c66187
  https://github.com/isc-projects/bind9/commit/1e043a011b9fe3f62f9f5c7a9b74b44adc03ca44

But that in turn let me realize that the bug that "78543ad" was only introduced by "e24bc324".
So we won't backport "e24bc324" (which is a massive rework of the hash handling) just to fix it.

@Andreas - what do you think might this - despite the similarity - be a different issue after all. Maybe a different off-by-one/crash but in a similar place to look so similar?
If so do we have a crash dump of that fail that Marian reported to take a look?

Isn't the 0003-Print-diagnostics.... patch removing the crash by *replacing* it with a diagnostics output? The crash was caused by the INSIST() macro, which calls abort().

Hmm, ok your context experience made you look deep enough :-)
Thanks Andrea!

I'll give just 0003 a try then and provide it as PPA tomorrow.

Once the build is complete the PPA [1] would hold a package worth to test for you.
Please let me know if that works for you and - after some time has passed - if it is more stable in regard to the bug that you hit before.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4283

Hi Christian,

thanks for the PPA! I installed the new version and I'm now running 1:9.16.1-0ubuntu2.4~ppa1. I'll report back if BIND crashes again or if the "..is not subdomain of..." message from the patch is logged.

Hi Christian,

I'm now seeing the warning message from the patch in my log and BIND has _not_ crashed:

Oct 06 21:30:52 <hostname> named[14587]: timed out resolving 'e4478.a.akamaiedge.net/A/IN': 2606:4700:4700::1111#53
Oct 06 21:30:53 <hostname> named[14587]: timed out resolving 'e6858.dsce9.akamaiedge.net/A/IN': 1.1.1.1#53
Oct 06 21:30:53 <hostname> named[14587]: timed out resolving 'e4478.a.akamaiedge.net/A/IN': 1.1.1.1#53
Oct 06 21:30:54 <hostname> named[14587]: resolver.c:5107: unexpected error:
Oct 06 21:30:54 <hostname> named[14587]: '_.facebook.com/A' is not subdomain of 'c10r.facebook.com'

So this looks good now :) Can you release the patch in the regular BIND package for Focal? Thanks!

Hi Marian,
Thanks for the testing - yes I think I can now prepare an SRU for Focal.
You'll then (once in focal-proposed) be asked to test it again, but until then this is on me.

MP: https://code.launchpad.net/~paelzer/ubuntu/+source/bind9/+git/bind9/+merge/392144

SRU Template added to the description and uploaded to Focal-unapproved.

Hello Marian, or anyone else affected,

Accepted bind9 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Thanks, I installed bind9 1:9.16.1-0ubuntu2.4 from proposed and I'll report back in two or three weeks with the results.

Thank you Marian, looking forward to hear back from you then.

Hi,

I can confirm that bind9 1:9.16.1-0ubuntu2.4 from proposed fixes the problem. I have the following messages in my log, and BIND did _not_ crash:

Oct 24 13:16:01 <hostname> named[1057]: timed out resolving 'www-cdn.icloud.com.akadns.net/AAAA/IN': 2606:4700:4700::1111#53
Oct 24 13:16:01 <hostname> named[1057]: timed out resolving 'd2xproa6koigec.cloudfront.net/AAAA/IN': 2606:4700:4700::1111#53
Oct 24 13:16:03 <hostname> named[1057]: resolver.c:5107: unexpected error:
Oct 24 13:16:03 <hostname> named[1057]: '_.akamaiedge.net/A' is not subdomain of 'dsce9.akamaiedge.net'
Oct 24 13:16:03 <hostname> named[1057]: resolver.c:5107: unexpected error:
Oct 24 13:16:03 <hostname> named[1057]: '_.cloudfront.net/A' is not subdomain of 'd2xproa6koigec.cloudfront.net'

This bug was fixed in the package bind9 - 1:9.16.1-0ubuntu2.4

---------------
bind9 (1:9.16.1-0ubuntu2.4) focal; urgency=medium

  * Fix rare condition that can break bind9 with a crash (LP: #1896740)
    - 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch

 -- Christian Ehrhardt <email address hidden> Mon, 28 Sep 2020 12:30:22 +0200

The verification of the Stable Release Update for bind9 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.