[Bug 2012943] Re: systemd-resolved crashes due to use-after-free bug
Launchpad Bug Tracker
2012943 at bugs.launchpad.net
Wed Jun 14 13:53:35 UTC 2023
This bug was fixed in the package systemd - 245.4-4ubuntu3.22
---------------
systemd (245.4-4ubuntu3.22) focal; urgency=medium
* resolve: fix potential memleak and use-after-free (LP: #2012943)
File: debian/patches/lp2012943-resolve-fix-potential-memleak-and-use-after-free.patch
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ed2729587663dbab3583d06492b715df2896874e
-- Nick Rosbrook <nick.rosbrook at canonical.com> Mon, 27 Mar 2023 13:54:06 -0400
** Changed in: systemd (Ubuntu Focal)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2012943
Title:
systemd-resolved crashes due to use-after-free bug
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
Fix Released
Bug description:
[ Impact ]
The continuous systemd-resolved crashes delay/hang the device startup, and this leads to unresponsive devices in the system. Specifically, the crash looks like:
Dec 16 12:51:21 TREND-24-AF-7A systemd[1]: Started Time & Date Service.
Dec 16 12:51:24 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=11/SEGV
[...]
Dec 16 12:53:47 TREND-24-AF-7A systemd-resolved[2591]: Assertion 'DNS_TRANSACTION_IS_LIVE(q->state)' failed at src/resolve/resolved-dns-query.c:520, function dns_query_complete(). Aborting.
Dec 16 12:53:47 TREND-24-AF-7A systemd[1]: systemd-resolved.service: Main process exited, code=killed, status=6/ABRT
[ Test Plan ]
The exact steps to reproduce this issue are still not known.
However, we see this crash only when Static IP Addressing mode is enabled, where systemd-resolved is enabled for the LLMNR service.
We were not able to see this crash in DHCP mode.
Steps to reproduce:
1) Powercycle the device.
2) Soft-reboot.
It was also pointed out by Brian Murray that this error in the Ubuntu
error tracker is likely the same bug:
https://errors.ubuntu.com/problem/3cb08ae5efaa4d8c6ce992f7cebd2751ae3f168f.
Therefore, we would expect to stop seeing this error in the tracker as
a result of this patch.
[ Where problems could occur ]
The patch[1] simply disables the timer event source for a DNS query
when the struct representing that query is freed. I cannot see any
realistic regression potential, because if the timer event fired on
the DNS query after it has been freed, then that would be this bug.
I.e., no working code should be relying on the timer event source still
being around after the query is freed.
[1] https://github.com/systemd/systemd/commit/73bfd7be042cc63e7649242b377ad494bf74ea4b
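As an added illustration (not systemd's code and not the patch referenced above), the following C model shows the lifecycle bug in miniature: a query owns a one-shot timer event source whose userdata points back at the query, so freeing the query without disabling the timer leaves the event loop holding a dangling pointer that the timeout handler later dereferences. The fixed free routine disables the source first. Names such as `DnsQuery`, `event_add_timer`, `dns_query_free_buggy` and `dns_query_free_fixed` are this example's own. A real free() is replaced by a poison-and-quarantine step so the buggy path can be observed deterministically rather than as undefined behaviour; the handler's liveness check on the poison value stands in for the `DNS_TRANSACTION_IS_LIVE` assertion seen in the log.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an sd-event style timer source and a resolver query that owns it.
 * Added example; none of these names come from systemd. */

#define MAX_SOURCES 8
#define QUERY_MAGIC_LIVE  0x51554552u /* value written on allocation */
#define QUERY_MAGIC_FREED 0xDEADDEADu /* poison written on free, as a debug allocator would */

typedef struct DnsQuery DnsQuery;
typedef int (*timer_handler_t)(DnsQuery *q);

typedef struct EventSource {
    bool in_use;
    bool enabled;
    timer_handler_t handler;
    DnsQuery *userdata;   /* back-pointer; dangles if the query is freed while enabled */
} EventSource;

struct DnsQuery {
    unsigned magic;
    int state;            /* 0 = pending, 1 = complete */
    EventSource *timer;   /* timeout source owned by the query */
};

static EventSource sources[MAX_SOURCES];
static DnsQuery *quarantine[MAX_SOURCES];   /* stands in for free(): memory is poisoned, not released */
static size_t quarantine_len;
static int uaf_hits;                        /* handlers that ran on a freed query */

EventSource *event_add_timer(timer_handler_t handler, DnsQuery *userdata) {
    for (size_t i = 0; i < MAX_SOURCES; i++)
        if (!sources[i].in_use) {
            sources[i] = (EventSource){ true, true, handler, userdata };
            return &sources[i];
        }
    return NULL;
}

void event_source_disable(EventSource *s) {
    if (s) s->enabled = false;
}

/* Dispatches every enabled timer once (one-shot). Returns the number of handlers run. */
int event_loop_run_timers(void) {
    int fired = 0;
    for (size_t i = 0; i < MAX_SOURCES; i++)
        if (sources[i].in_use && sources[i].enabled) {
            sources[i].enabled = false;
            sources[i].handler(sources[i].userdata);
            fired++;
        }
    return fired;
}

static int on_query_timeout(DnsQuery *q) {
    if (q->magic != QUERY_MAGIC_LIVE) {   /* the liveness assertion: we are touching freed memory */
        uaf_hits++;
        return -1;
    }
    q->state = 1;                         /* complete the query as timed out */
    return 0;
}

DnsQuery *dns_query_new(void) {
    DnsQuery *q = calloc(1, sizeof *q);
    if (!q) return NULL;
    q->magic = QUERY_MAGIC_LIVE;
    q->timer = event_add_timer(on_query_timeout, q);
    return q;
}

static void query_release(DnsQuery *q) {
    q->magic = QUERY_MAGIC_FREED;         /* poison instead of free() so the hazard is observable */
    quarantine[quarantine_len++] = q;
}

/* Before the fix: the query goes away but its timer stays armed with a dangling userdata. */
void dns_query_free_buggy(DnsQuery *q) {
    if (!q) return;
    query_release(q);
}

/* After the fix: the timer is switched off before the query's memory is released. */
void dns_query_free_fixed(DnsQuery *q) {
    if (!q) return;
    event_source_disable(q->timer);
    q->timer = NULL;
    query_release(q);
}

static void reset_world(void) {
    memset(sources, 0, sizeof sources);
    for (size_t i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
    uaf_hits = 0;
}

/* Creates a query, frees it before its timeout fires, runs the loop, and reports
 * how many handlers touched freed memory (1 for the buggy path, 0 for the fixed one). */
int run_scenario(void (*free_fn)(DnsQuery *)) {
    reset_world();
    free_fn(dns_query_new());     /* query cancelled/completed ahead of its timeout */
    event_loop_run_timers();
    return uaf_hits;
}

int main(void) {
    printf("buggy free: %d handler(s) ran on a freed query\n", run_scenario(dns_query_free_buggy));
    printf("fixed free: %d handler(s) ran on a freed query\n", run_scenario(dns_query_free_fixed));
    return 0;
}
```

The same shape applies to any object that registers a callback with an event loop: the free path must unregister or disable every source whose userdata points at the object, and a debug allocator or ASan will turn the buggy ordering into a deterministic report rather than an intermittent SEGV/ABRT like the one in the journal above.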