knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
Overview
Kresd aborted with the following messages in my test (fuzzing) environment.
# rm -f *mdb ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
[system] interactive mode
> [ ta ] key: 59407 state: Valid
[ ta ] next refresh for . in 12 hours
kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed.
Aborted (core dumped)
Debugger output.
# gdb /usr/local/sbin/kresd
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/kresd...done.
(gdb) core-file core.25240
[New LWP 25240]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf'.
Program terminated with signal 6, Aborted.
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.26-9.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libstdc++-4.8.5-28.el7_5.1.x86_64 libtasn1-4.10-1.el7.x86_64 libuv-1.19.2-1.el7.x86_64 luajit-2.0.4-3.el7.x86_64 nettle-2.7.1-8.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fc078ef3277 in raise () from /lib64/libc.so.6
#1 0x00007fc078ef4968 in abort () from /lib64/libc.so.6
#2 0x00007fc078eec096 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fc078eec142 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fc07a719f04 in pkt_wire_alloc (len=11, pkt=0x559f324636b8)
at libknot/packet/pkt.c:84
#5 pkt_init (mm=0x559f324608a8, len=11, wire=0x0, pkt=0x559f324636b8)
at libknot/packet/pkt.c:200
#6 pkt_new_mm (mm=0x559f324608a8, len=11, wire=0x0)
at libknot/packet/pkt.c:252
#7 knot_pkt_new (wire=wire@entry=0x0, len=11, mm=mm@entry=0x559f324608a8)
at libknot/packet/pkt.c:270
#8 0x00007fc07a96d817 in consume_yield (ctx=ctx@entry=0x7ffd9c03a850,
pkt=pkt@entry=0x559f2983d500) at lib/resolve.c:78
#9 0x00007fc07a96f3a7 in kr_resolve_consume (
request=request@entry=0x559f32460770, src=src@entry=0x7ffd9c03aa10,
packet=packet@entry=0x559f2983d500) at lib/resolve.c:935
#10 0x0000559f27ac3455 in qr_task_step (task=0x559f32461a20,
packet_source=0x7ffd9c03aa10, packet=0x559f2983d500)
at daemon/worker.c:1565
#11 0x0000559f27ac5406 in worker_submit (worker=worker@entry=0x7fc07ad0e010,
handle=handle@entry=0x559f29842830, query=<optimized out>,
addr=<optimized out>, addr@entry=0x7ffd9c03aa10) at daemon/worker.c:1897
---Type <return> to continue, or q <return> to quit---
#12 0x0000559f27abd92a in udp_recv (handle=0x559f29842830,
nread=<optimized out>, buf=<optimized out>, addr=0x7ffd9c03aa10,
flags=<optimized out>) at daemon/io.c:166
#13 0x00007fc07a08fec6 in uv__udp_io () from /lib64/libuv.so.1
#14 0x00007fc07a091bb8 in uv__io_poll () from /lib64/libuv.so.1
#15 0x00007fc07a082f28 in uv_run () from /lib64/libuv.so.1
#16 0x0000559f27abd4a9 in run_worker (args=0x7ffd9c03de20,
leader=<optimized out>, ipc_set=0x7ffd9c03dca0, engine=0x7ffd9c03dfd0,
loop=0x7fc07a29dd00) at daemon/main.c:422
#17 main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:755
(gdb)
Environment.
IP addresses of each server.
- root DNS server: 192.168.33.100/24
- malicious authoritative server: 192.168.33.101/24
- victim full service resolver: 192.168.33.102/24
OS and software of each server.
root DNS server
- OS: CentOS 7.5 x86_64 on VirtualBox VM
- DNS: bind
Malicious authoritative server
- OS: CentOS 7.5 x86_64 on VirtualBox VM
victim full service resolver
- OS: CentOS 7.5 x86_64 on VirtualBox VM
- DNS: knot-resolver 2.3.0, knot-dns(libknot) 2.6.7
Reproduce steps
root server
Install CentOS 7.5 from install ISO image.
Set IP address VM to 192.168.33.100/24.
Set firewalld.
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
Install Bind.
# yum install -y bind bind-utils
Upload and extract test-files.tar.gz
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
Copy named.conf and root zone file.
# cp /tmp/test-files/root.named.conf /etc/named.conf
# cp /tmp/test-files/root.zone.signed /var/named/root.zone.signed
# chmod 644 /var/named/root.zone.signed
Start named.
# systemctl start named
# systemctl enable named
Malicious authoritative server
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.101/24.
Set firewalld
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
Install Build tools.
# yum install -y epel-release
# yum install -y gcc-c++ boost-devel wget perl yaml-cpp-devel bind-utils gtest-devel
# wget https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh
# sh cmake-3.10.0-Linux-x86_64.sh --skip-license --prefix=/usr/local
Install openssl 1.1.0 from source file.
# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
# tar xzf openssl-1.1.0g.tar.gz
# cd openssl-1.1.0g
# ./config shared
# make
# make install
# echo /usr/local/lib64 > /etc/ld.so.conf.d/local.conf
# ldconfig
Upload and extract dns-fuzz-server.tar.gz.
# tar xzf /path/to/dns-fuzz-server.tar.gz
# cd dns-fuzz-server
# cmake .
# make
Start DNS service foreground.
# ./bin/fuzz_server -z example.com -f data/example.com.zone.full -K data/example.com.ksk.yaml -Z data/example.com.zsk.yaml -n 4
victim full service resolver
Install CentOS 7.5 from install ISO image.
Set IP address to 192.168.33.102/24.
Set firewalld
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
Install Build tools.
# yum install -y epel-release
# yum install -y gcc-c++ openssl-devel wget luajit-devel libuv-devel userspace-rcu-devel.x86_64 libedit-devel.x86_64 gcc-c++ gnutls-devel
Install knot-dns (libknot) 2.6.7 from source file.
$ wget https://secure.nic.cz/files/knot-dns/knot-2.6.7.tar.xz
$ tar xJf knot-2.6.7.tar.xz
$ cd knot-2.6.7
$ ./configure
$ make
$ su
# make install
Install knot-resolver 2.3.0 from source.
# wget https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
# tar xJf knot-resolver-2.3.0.tar.xz
# cd knot-resolver-2.3.0
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig make LDFLAGS="-Wl,-rpath=/usr/local/lib" PREFIX="/usr/local" CFLAGS="-DNDEBUG -g" install
Upload and extract test-files.tar.gz.
# cd /tmp
# tar xzf /path/to/test-files.tar.gz
Copy kresd.conf, trust anchor and hints file.
# cp /tmp/test-files/kresd.conf /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.hints /usr/local/etc/knot-resolver
# cp /tmp/test-files/root.keys /usr/local/etc/knot-resolver
Start knot-resolver.
# mkdir -p /tmp/db
# cd /tmp/db
# rm -f * ; /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf
Log in to the malicious authoritative server, and send queries with fuzz_client.
# cd /path/to/dns-fuzz-server
# ./bin/fuzz_client -s 192.168.33.102 -b example.com -i 100
Please wait several hours or days.
test-files.tar.gz
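The backtrace in this report shows the abort when a packet object is requested with len=11, one byte short of the 12-byte DNS header that KNOT_WIRE_HEADER_SIZE represents. As an added illustration, not code from Knot Resolver, libknot or the reporter, the following C sketch reports a too-short length as an error the caller can drop instead of asserting on it; the struct, enum and function names are hypothetical and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DNS_HEADER_SIZE 12u   /* fixed DNS header (RFC 1035); KNOT_WIRE_HEADER_SIZE in libknot */
#define DNS_MAX_SIZE 65535u   /* largest possible DNS message */

enum pkt_status { PKT_OK = 0, PKT_EINVAL = -1, PKT_ESHORT = -2, PKT_ELONG = -3, PKT_ENOMEM = -4 };

/* Hypothetical stand-in for a packet object; not libknot's knot_pkt_t. */
struct pkt_buf { uint8_t *wire; size_t size; size_t max_size; };

/* Allocate wire space for `len` bytes. A length that cannot hold a DNS header
 * is returned as an error: unlike assert(), the check is kept in NDEBUG
 * builds and never aborts the process. */
int pkt_buf_alloc(struct pkt_buf *out, size_t len)
{
	if (out == NULL) return PKT_EINVAL;
	memset(out, 0, sizeof(*out));
	if (len < DNS_HEADER_SIZE) return PKT_ESHORT;
	if (len > DNS_MAX_SIZE) return PKT_ELONG;
	out->wire = calloc(1, len);
	if (out->wire == NULL) return PKT_ENOMEM;
	out->max_size = len;
	return PKT_OK;
}

/* Copy `len` bytes of a received message; callers drop it on any error. */
int pkt_buf_copy(struct pkt_buf *out, const uint8_t *wire, size_t len)
{
	if (wire == NULL) return PKT_EINVAL;
	int ret = pkt_buf_alloc(out, len);
	if (ret != PKT_OK) return ret;
	memcpy(out->wire, wire, len);
	out->size = len;
	return PKT_OK;
}

/* Constructed input: an all-zero message cut to `len` bytes (at most 16). */
int demo_copy(size_t len)
{
	static const uint8_t msg[16] = {0};
	struct pkt_buf p;
	if (len > sizeof(msg)) return PKT_EINVAL;
	int ret = pkt_buf_copy(&p, msg, len);
	free(p.wire);   /* NULL after a rejected copy, so this is safe */
	return ret;
}
```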