]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4e7dadd)
Handle fatal and FIPS provider interactions
authorMark Andrews <marka@isc.org>
Fri, 27 Jan 2023 05:52:59 +0000 (16:52 +1100)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:44:27 +0000 (12:44 +1000)
When fatal is called we may be holding memory allocated by OpenSSL.
This may result in the reference count for the FIPS provider not
going to zero and the shared library not being unloaded during
OPENSSL_cleanup.  When the shared library is ultimately unloaded,
when all remaining dynamically loaded libraries are freed, we have
already destroyed the memory context we where using to track memory
leaks / late frees resulting in INSIST being called.

Disable triggering the INSIST when fatal has being called.

bin/confgen/util.c patch | blob | blame | history
bin/delv/delv.c patch | blob | blame | history
bin/dig/dighost.c patch | blob | blame | history
bin/dnssec/dnssectool.c patch | blob | blame | history
bin/named/server.c patch | blob | blame | history
bin/nsupdate/nsupdate.c patch | blob | blame | history
bin/rndc/util.c patch | blob | blame | history
bin/tools/mdig.c patch | blob | blame | history
bin/tools/nsec3hash.c patch | blob | blame | history
lib/isc/include/isc/tls.h patch | blob | blame | history
lib/isc/tls.c patch | blob | blame | history

diff --git a/bin/confgen/util.c b/bin/confgen/util.c
index 2b0a8759b58dd405f62b512e48acae2a0584ba05..23b7f3fd57edb60e475c7513509464c15914bc9f 100644 (file)
--- a/bin/confgen/util.c
+++ b/bin/confgen/util.c
@@ -19,6 +19,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 
+#include <isc/tls.h>
+
 extern bool verbose;
 extern const char *progname;
 
@@ -43,5 +45,6 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(1);
 }
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index 110d4210d7f3a405555b1195b82f717566d3a231..a354a60e65d00d8f0a70d20f444cf8be2f3834bc 100644 (file)
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -263,6 +263,7 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(1);
 }
 
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index cb846d32a95f8acd96f6935ac95aad592a285478..55168fa69910be7b31819993f37eae4b11b26fc1 100644 (file)
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -411,6 +411,7 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        digexit();
 }
 
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 502548444cbc95aa5ce205126168356c10bae1c3..62c74765591205ba11f4890d9b621b5faa247341 100644 (file)
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -32,6 +32,7 @@
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/time.h>
+#include <isc/tls.h>
 #include <isc/tm.h>
 #include <isc/util.h>
 
@@ -82,6 +83,7 @@ fatal(const char *format, ...) {
        if (fatalcallback != NULL) {
                (*fatalcallback)();
        }
+       isc__tls_setfatalmode();
        exit(1);
 }
 
diff --git a/bin/named/server.c b/bin/named/server.c
index 4534cbf994aaaea2297d77c79d8b3e40b71b1606..47174867a7155c87caa2dae4841f86470edd85b4 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -10301,6 +10301,7 @@ fatal(const char *msg, isc_result_t result) {
                      NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL,
                      "exiting (due to fatal error)");
        named_os_shutdown();
+       isc__tls_setfatalmode();
        exit(1);
 }
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 9c38a6ed68c227191ceb5498ac30c21b2613406d..a52dfe76e827ea6595aeb4e1de18f484a2cfa669 100644 (file)
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -278,6 +278,7 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(1);
 }
 
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index 2b0a8759b58dd405f62b512e48acae2a0584ba05..23b7f3fd57edb60e475c7513509464c15914bc9f 100644 (file)
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -19,6 +19,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 
+#include <isc/tls.h>
+
 extern bool verbose;
 extern const char *progname;
 
@@ -43,5 +45,6 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(1);
 }
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
index 61071731292cebc5d8013254d66318dc8fd0459a..98e72ffb2eac1b9b008a95c374bd0578a56b71df 100644 (file)
--- a/bin/tools/mdig.c
+++ b/bin/tools/mdig.c
@@ -889,6 +889,7 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(-2);
 }
 
diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c
index d18756dabb7c90688c00ac7cbfdc7784b23a0c25..aaa52d0bb042dcfb93e3cd5aab4be2d88c58a75b 100644 (file)
--- a/bin/tools/nsec3hash.c
+++ b/bin/tools/nsec3hash.c
@@ -24,6 +24,7 @@
 #include <isc/iterated_hash.h>
 #include <isc/result.h>
 #include <isc/string.h>
+#include <isc/tls.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
@@ -46,6 +47,7 @@ fatal(const char *format, ...) {
        vfprintf(stderr, format, args);
        va_end(args);
        fprintf(stderr, "\n");
+       isc__tls_setfatalmode();
        exit(1);
 }
 
diff --git a/lib/isc/include/isc/tls.h b/lib/isc/include/isc/tls.h
index 6da0361a1f40659018994a108576a7650af173fe..634ba65c4e95c0bf18f63d04fb485b9b4a539f2f 100644 (file)
--- a/lib/isc/include/isc/tls.h
+++ b/lib/isc/include/isc/tls.h
@@ -594,3 +594,6 @@ isc__tls_shutdown(void);
 
 void
 isc__tls_setdestroycheck(bool check);
+
+void
+isc__tls_setfatalmode(void);
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 569a041a8da826f7e4d3c55e1c3bfb255af6a979..0e53775490f84aeb27dd4981c296dd2cbd13401c 100644 (file)
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -77,6 +77,8 @@ isc__tls_set_thread_id(CRYPTO_THREADID *id) {
 }
 #endif
 
+static atomic_bool handle_fatal = false;
+
 #if !defined(LIBRESSL_VERSION_NUMBER)
 /*
  * This was crippled with LibreSSL, so just skip it:
@@ -109,7 +111,9 @@ isc__tls_free_ex(void *ptr, const char *file, int line) {
        if (ptr == NULL) {
                return;
        }
-       isc__mem_free(isc__tls_mctx, ptr, 0, file, (unsigned int)line);
+       if (!atomic_load(&handle_fatal) || isc__tls_mctx != NULL) {
+               isc__mem_free(isc__tls_mctx, ptr, 0, file, (unsigned int)line);
+       }
 }
 
 #else /* ISC_MEM_TRACKLINES */
@@ -135,7 +139,9 @@ isc__tls_free_ex(void *ptr, const char *file, int line) {
        if (ptr == NULL) {
                return;
        }
-       isc__mem_free(isc__tls_mctx, ptr, 0);
+       if (!atomic_load(&handle_fatal) || isc__tls_mctx != NULL) {
+               isc__mem_free(isc__tls_mctx, ptr, 0);
+       }
 }
 
 #endif /* ISC_MEM_TRACKLINES */
@@ -1744,3 +1750,8 @@ isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
        RUNTIME_CHECK(
                SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
 }
+
+void
+isc__tls_setfatalmode(void) {
+       atomic_store(&handle_fatal, true);
+}
Mirror of https://gitlab.isc.org/isc-projects/bind9.git