[Opendnssec-user] Buffer overflow on ubuntu

Ximon Eighteen ximon at nlnetlabs.nl
Thu May 8 07:54:10 UTC 2025 

Hi Erik,

Both commit 02940f5 and commit 042eaf5 appear to compile correctly when applied to both 2.1.12 and 2.1.14. Note however that with commit 02940f5, if patching sources from a release tar ball, you will need to exclude the testing/ directory when applying the patch as the testing/ directory is not included in the release tar ball.

I have not tested this further than doing a configure, make and make install in a Docker Ubuntu 24.0.2 container based on the instructions for building and installing OpenDNSSEC described at https://opendnssec.readthedocs.io/en/latest/quickstart/.

We hope to make a release in the coming months though I cannot say exactly when that might be.

Ximon

> Op 8 mei 2025, om 08:52 heeft Erik P. Ostlyngen via Opendnssec-user <opendnssec-user at lists.opendnssec.org> het volgende geschreven:
> 
> Hi Ximon,
> 
> The fix that you mention seems to be the commit 02940f5 in the
> development branch. Would it be safe for us to apply this commit as a
> patch to the released version 2.1.12 of opendnssec (which we are
> using) or to version 2.1.14? The patch seems to apply well syntactically.
> 
> Also, I see that Willem Toorop has committed a related fix 042eaf5.
> Would it be safe to add this patch also to the above mentioned versions?
> 
> Regards,
> Erik Østlyngen
> Norid
> 
> 
> On 03.05.2025 20:55, Ximon Eighteen via Opendnssec-user wrote:
>> Hi Boris,
>> I also see that the issue you describe looks similar to or might
>> even be the same issue fixed by https://github.com/opendnssec/opendnssec/pull/866 <https://github.com/opendnssec/opendnssec/pull/866>.
>> That fix has not yet been included in a release of OpenDNSEC.
>> If I recall correctly this is also a case that setting _FORTIFY_SOURCE=0 during compilation will workaround.
>> Ximom
>>> Op 3 mei 2025 om 19:46 heeft Ximon Eighteen <ximon at nlnetlabs.nl <mailto:ximon at nlnetlabs.nl>>
>>> het volgende geschreven:
>>>  Hello Boris,
>>> One possible cause could be the stricter checks enforced on newer
>>> operating system versions.
>>> You could try disabling these stricter checks, e.g. by defining _FORTIFY_SOURCE=0 when compiling OpenDNSSEC from sources:
>>> ./configure CFLAGS="-D_FORTIFY_SOURCE=0"
>>> See https://opendnssec.readthedocs.io/en/latest/quickstart/ <https://opendnssec.readthedocs.io/en/latest/quickstart/>
>>> for more complete instructions on building from sources.
>>> Ximon
>>>> Op 3 mei 2025 om 16:02 heeft Boris Gulay via Opendnssec-user <opendnssec-user at lists.opendnssec.org <mailto:opendnssec-user at lists.opendnssec.org>> het volgende
>>>> geschreven:
>>>> 
>>>> Hello.
>>>> I'm try to run OpenDNSSEC from repo on Ubuntu 24.04. I'm
>>>> starting from scratch with single simple zone. No matter what
>>>> algorithm I'm using for keys I'm getting buffer overflow error
>>>> when daemon tries to generate KSK. I've past dump from logs
>>>> below.
>>>> Is it a known issue? How can I work around it?
>>>> Similar issue on launchpad: https://bugs.launchpad.net/ubuntu/+source/opendnssec/+bug/2089834
>>>> <https://bugs.launchpad.net/ubuntu/+source/opendnssec/+bug/2089834>
>>>> 
>>>> 
>>>> 
> May 02 23:50:45 main ods-enforcerd[2712313]: [zone_add_cmd] zone
>>>> chubarovo.ru added [policy: default] May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: INFO: The XML in /var/lib/opendnssec/enforcer/zones.xml.update is valid May 02
>>>> 23:50:45 main ods-enforcerd[2712313]: [zone_add_cmd] internal
>>>> zonelist updated successfully May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: 1 zone(s) found on policy "default" May
>>>> 02 23:50:45 main ods-enforcerd[2712313]: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy default May 02
>>>> 23:50:45 main ods-enforcerd[2712313]: 1 new KSK(s) (2048 bits)
>>>> need to be created. May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: *** buffer overflow detected ***:
>>>> terminated May 02 23:50:45 main ods-enforcerd[2712313]:
>>>> Aborted: May 02 23:50:45 main ods-enforcerd[2712313]:
>>>> unknown May 02 23:50:45 main ods-enforcerd[2712313]: Aborted May 02 23:50:45 main ods-enforcerd[2712313]:   pthread_kill May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   gsignal May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   abort May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   __snprintf_chk May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   hsm_generate_rsa_key May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   hsm_key_factory_generate May 02
>>>> 23:50:45 main ods-enforcerd[2712313]: hsm_key_factory_generate_policy May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump: May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump: May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump: May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump: May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_kill May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump: May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   __select May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   cmdhandler_start May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   gsignal May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   abort May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   __snprintf_chk May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   hsm_generate_rsa_key May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   hsm_key_factory_generate May 02
>>>> 23:50:45 main ods-enforcerd[2712313]: hsm_key_factory_generate_policy May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   pthread_cond_timedwait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   ods_thread_wait May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   schedule_pop_task May
>>>> 02 23:50:45 main ods-enforcerd[2712313]:   worker_start May 02
>>>> 23:50:45 main ods-enforcerd[2712313]:   unknown May 02 23:50:45
>>>> main ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: Threaddump May 02 23:50:45 main
>>>> ods-enforcerd[2712313]: : May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   __select May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   cmdhandler_start May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> ods-enforcerd[2712313]:   unknown May 02 23:50:45 main
>>>> systemd[1]: opendnssec-enforcer.service: Main process exited,
>>>> code=dumped, status=6/ABRT May 02 23:50:45 main systemd[1]:
>>>> opendnssec-enforcer.service: Failed with result 'core-dump'.
>>>> _______________________________________________ Opendnssec-user
>>>> mailing list Opendnssec-user at lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>> _______________________________________________ Opendnssec-user
>>> mailing list Opendnssec-user at lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>> _______________________________________________ Opendnssec-user
>> mailing list Opendnssec-user at lists.opendnssec.org <mailto:Opendnssec-user at lists.opendnssec.org> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org <mailto:Opendnssec-user at lists.opendnssec.org>
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20250508/fa4defbf/attachment-0001.htm>

More information about the Opendnssec-user mailing list