[Bug 2012943] Re: systemd-resolved crashes due to use-after-free bug
Nick Rosbrook
2012943 at bugs.launchpad.net
Mon May 22 20:34:12 UTC 2023
** Description changed:
[ Impact ]
The continuous systemd-resolved crashes delay/hang the device startup.
And this leads to unresponsive devices in the system. Specifically, the crash looks like:
Dec 16 12:51:21 TREND-24-AF-7A systemd[1]: Started Time & Date Service.
Dec 16 12:51:24 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=11/SEGV
[...]
Dec 16 12:53:47 TREND-24-AF-7A systemd-resolved[2591]: Assertion 'DNS_TRANSACTION_IS_LIVE(q->state)' failed at src/resolve/resolved-dns-query.c:520, function dns_query_complete(). Aborting.
Dec 16 12:53:47 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=6/ABRT
[ Test Plan ]
The exact steps to reproduce this issue are still not known.
But we see this crash only with Static IP Addressing mode enabled, where systemd-resolved is enabled for LLMNR service.
But we were not able to see this crash in DHCP mode.
Steps to reproduce:
1) Powercycle the device.
2) Soft-reboot.
+ It was also pointed out by Brian Murray that this error in the Ubuntu
+ error tracker is likely the same bug:
+ https://errors.ubuntu.com/problem/3cb08ae5efaa4d8c6ce992f7cebd2751ae3f168f.
+ Therefore, we would expect to stop seeing this error in the tracker as a
+ result of this patch.
+
[ Where problems could occur ]
The patch[1] simply disables the timer event source for a DNS query when
the struct representing that query is free'd. I cannot see any realistic
regression potential, because if the timer event fired on the DNS query
after it has been free'd, then that would be this bug. I.e. no working
code should be relying on the timer event source still being around
after the query is free'd.
[1]
https://github.com/systemd/systemd/commit/73bfd7be042cc63e7649242b377ad494bf74ea4b
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2012943
Title:
systemd-resolved crashes due to use-after-free bug
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
Fix Committed
Bug description:
[ Impact ]
The continuous systemd-resolved crashes delay/hang the device startup.
And this leads to unresponsive devices in the system. Specifically, the crash looks like:
Dec 16 12:51:21 TREND-24-AF-7A systemd[1]: Started Time & Date Service.
Dec 16 12:51:24 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=11/SEGV
[...]
Dec 16 12:53:47 TREND-24-AF-7A systemd-resolved[2591]: Assertion 'DNS_TRANSACTION_IS_LIVE(q->state)' failed at src/resolve/resolved-dns-query.c:520, function dns_query_complete(). Aborting.
Dec 16 12:53:47 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=6/ABRT
[ Test Plan ]
The exact steps to reproduce this issue are still not known.
But we see this crash only with Static IP Addressing mode enabled, where systemd-resolved is enabled for LLMNR service.
But we were not able to see this crash in DHCP mode.
Steps to reproduce:
1) Powercycle the device.
2) Soft-reboot.
It was also pointed out by Brian Murray that this error in the Ubuntu
error tracker is likely the same bug:
https://errors.ubuntu.com/problem/3cb08ae5efaa4d8c6ce992f7cebd2751ae3f168f.
Therefore, we would expect to stop seeing this error in the tracker as
a result of this patch.
[ Where problems could occur ]
The patch[1] simply disables the timer event source for a DNS query
when the struct representing that query is free'd. I cannot see any
realistic regression potential, because if the timer event fired on
the DNS query after it has been free'd, then that would be this bug.
I.e. no working code should be relying on the timer event source still
being around after the query is free'd.
[1]
https://github.com/systemd/systemd/commit/73bfd7be042cc63e7649242b377ad494bf74ea4b
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2012943/+subscriptions
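
The lifetime problem described under "Where problems could occur", as an added example that is not part of the original message and not systemd code: a query whose timer source outlives it, with the free path that only drops a reference beside the one that disables the source first. All type and function names are hypothetical, and the model assumes the event loop holds its own reference to the source; a static pool stands in for heap memory so the stale state can be inspected safely.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not systemd code; every name is hypothetical. */
typedef struct Query Query;
typedef struct {
    bool enabled;    /* the loop dispatches only enabled sources */
    int refs;        /* assumed: one held by the query, one by the loop */
    Query *userdata; /* raw back-pointer; does not keep the query alive */
} TimerSource;
struct Query {
    bool live;       /* false once freed; stands in for released memory */
    TimerSource *timeout;
};
/* Static pool, so inspecting a "freed" query stays defined in this demo. */
static Query query_pool[1];
static TimerSource source_pool[1];

static Query *query_new(void) {
    source_pool[0] = (TimerSource){ .enabled = true, .refs = 2, .userdata = &query_pool[0] };
    query_pool[0] = (Query){ .live = true, .timeout = &source_pool[0] };
    return &query_pool[0];
}

/* Free path that only drops the query's reference: the source stays armed. */
static void query_free_unref_only(Query *q) {
    q->timeout->refs--;
    q->timeout = NULL;
    q->live = false;
}

/* Free path that disables the source before dropping the reference. */
static void query_free_disable_unref(Query *q) {
    q->timeout->enabled = false;
    query_free_unref_only(q);
}

/* One loop pass after timer expiry: 1 if the callback would run on a freed query. */
static int loop_dispatch_stale(void) {
    const TimerSource *s = &source_pool[0];
    return s->refs > 0 && s->enabled && !s->userdata->live;
}

int main(void) {
    query_free_unref_only(query_new());
    printf("unref only:    stale=%d\n", loop_dispatch_stale());
    query_free_disable_unref(query_new());
    printf("disable+unref: stale=%d\n", loop_dispatch_stale());
    return 0;
}
```

In the first case the loop would still invoke the timeout handler with a pointer to a query that no longer exists, which is the condition behind the SEGV and the failed liveness assertion in the log above.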