RHEL / RHEL-32946

named-pkcs11 fails to start after CVE-2023-50387 update

    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • rhel-8.9.0
    • bind
    • Normal
    • sst_cs_infra_services
    • ssg_core_services
    • False
    • x86_64

      What were you trying to do that didn't work?

      After an update of bind-pkcs11, the named-pkcs11 service fails with this error:
       ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __builtin_expect((((const isc_magic_t *)(target))->magic == (0x42756621U)), 1))) || (target == ((void *)0) && (__builtin_expect(((name->buffer) != ((void *)0)), 1) && __builtin_expect((((const isc_magic_t *)(name->buffer))->magic == (0x42756621U)), 1)))) failed, back trace
      exiting (due to assertion failure)

      Please provide the package NVR for which bug is seen:

      bind-pkcs11-32:9.11.36-11.el8_9.1

      How reproducible:

      On RHEL with IPA installed, FIPS enabled and SELinux enabled, after an OS update from 8_9.0 to 8_9.1, the service fails to start.

      Actual results

      Apr 16 13:57:39 server named-pkcs11[2501915]: starting BIND 9.11.36-RedHat-9.11.36-11.el8_9.1 (Extended Support Version) <id:68dbd5b>
      Apr 16 13:57:39 server named-pkcs11[2501915]: running on Linux x86_64 4.18.0-513.18.1.el8_9.x86_64 #1 SMP Thu Feb 1 03:51:05 EST 2024
      Apr 16 13:57:39 server named-pkcs11[2501915]: built with '-build=x86_64-redhat-linux-gnu' 'host=x86_64-redhat-linux-gnu' 'program-prefix=' '-disable-dependency-track>
      Apr 16 13:57:39 server named-pkcs11[2501915]: running as: named-pkcs11 -u named -c /etc/named.conf
      Apr 16 13:57:39 server named-pkcs11[2501915]: compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-20)
      Apr 16 13:57:39 server named-pkcs11[2501915]: compiled with libxml2 version: 2.9.7
      Apr 16 13:57:39 server named-pkcs11[2501915]: linked to libxml2 version: 20907
      Apr 16 13:57:39 server named-pkcs11[2501915]: compiled with libjson-c version: 0.13.1
      Apr 16 13:57:39 server named-pkcs11[2501915]: linked to libjson-c version: 0.13.1
      Apr 16 13:57:39 server named-pkcs11[2501915]: compiled with zlib version: 1.2.11
      Apr 16 13:57:39 server named-pkcs11[2501915]: linked to zlib version: 1.2.11
      Apr 16 13:57:39 server named-pkcs11[2501915]: threads support is enabled
      Apr 16 13:57:39 server named-pkcs11[2501915]: ----------------------------------------------------
      Apr 16 13:57:39 server named-pkcs11[2501915]: BIND 9 is maintained by Internet Systems Consortium,
      Apr 16 13:57:39 server named-pkcs11[2501915]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
      Apr 16 13:57:39 server named-pkcs11[2501915]: corporation.  Support and training for BIND 9 are
      Apr 16 13:57:39 server named-pkcs11[2501915]: available at https://www.isc.org/support
      Apr 16 13:57:39 server named-pkcs11[2501915]: ----------------------------------------------------
      Apr 16 13:57:39 server named-pkcs11[2501915]: adjusted limit on open files from 262144 to 1048576
      Apr 16 13:57:39 server named-pkcs11[2501915]: found 2 CPUs, using 2 worker threads
      Apr 16 13:57:39 server named-pkcs11[2501915]: using 1 UDP listener per interface
      Apr 16 13:57:39 server named-pkcs11[2501915]: using up to 21000 sockets
      Apr 16 13:57:39 server named-pkcs11[2501915]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
      Apr 16 13:57:39 server named-pkcs11[2501915]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
      Apr 16 13:57:39 server named-pkcs11[2501915]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
      Apr 16 13:57:39 server named-pkcs11[2501915]: loading configuration from '/etc/named.conf'
      Apr 16 13:57:39 server named-pkcs11[2501915]: unable to open '/etc/bind.keys'; using built-in keys instead
      Apr 16 13:57:39 server named-pkcs11[2501915]: looking for GeoIP2 databases in '/usr/share/GeoIP'
      Apr 16 13:57:39 server named-pkcs11[2501915]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
      Apr 16 13:57:39 server named-pkcs11[2501915]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
      Apr 16 13:57:39 server named-pkcs11[2501915]: using default UDP/IPv4 port range: [32768, 60999]
      Apr 16 13:57:39 server named-pkcs11[2501915]: using default UDP/IPv6 port range: [32768, 60999]
      Apr 16 13:57:39 server named-pkcs11[2501915]: listening on IPv6 interfaces, port 53
      Apr 16 13:57:39 server named-pkcs11[2501915]: listening on IPv4 interface lo, 127.0.0.1#53
      Apr 16 13:57:39 server named-pkcs11[2501915]: generating session key for dynamic DNS
      Apr 16 13:57:39 server named-pkcs11[2501915]: sizing zone task pool based on 6 zones
      Apr 16 13:57:39 server named-pkcs11[2501915]: none:106: 'max-cache-size 90%' - setting to 3259MB (out of 3621MB)
      Apr 16 13:57:39 server named-pkcs11[2501915]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
      Apr 16 13:57:39 server named-pkcs11[2501915]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
      Apr 16 13:57:39 server named-pkcs11[2501915]: bind-dyndb-ldap version 11.6 compiled at 15:54:39 May 24 2023, compiler 8.5.0 20210514 (Red Hat 8.5.0-19)
      Apr 16 13:57:39 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:39 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:39 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:40 server named-pkcs11[2501915]: GSSAPI client step 2
      Apr 16 13:57:40 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:40 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:40 server named-pkcs11[2501915]: GSSAPI client step 1
      Apr 16 13:57:40 server named-pkcs11[2501915]: GSSAPI client step 2
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 10.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 16.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 17.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 18.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 19.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 20.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 21.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 22.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 23.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 24.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 25.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 26.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 27.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 28.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 29.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 30.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 31.172.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 168.192.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 64.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 65.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 66.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 67.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 68.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 69.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 70.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 71.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 72.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 73.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 74.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 75.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 76.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 77.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 78.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 79.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 80.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 81.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 82.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 83.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 84.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 85.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 86.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 87.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 88.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 89.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 90.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 91.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 92.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 93.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 94.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 95.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 96.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 97.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 98.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 99.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 100.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 101.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 102.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 103.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 104.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 105.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 106.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 107.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 108.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 109.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 110.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 111.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 112.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 113.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 114.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 115.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 116.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 117.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 118.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 119.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 120.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 121.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 122.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 123.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 124.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 125.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 126.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 127.100.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 127.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 254.169.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: D.F.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 8.E.F.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 9.E.F.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: A.E.F.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: B.E.F.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: EMPTY.AS112.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: automatic empty zone: HOME.ARPA
      Apr 16 13:57:40 server named-pkcs11[2501915]: none:106: 'max-cache-size 90%' - setting to 3259MB (out of 3621MB)
      Apr 16 13:57:40 server named-pkcs11[2501915]: configuring command channel from '/etc/rndc.key'
      Apr 16 13:57:40 server named-pkcs11[2501915]: command channel listening on 127.0.0.1#953
      Apr 16 13:57:40 server named-pkcs11[2501915]: configuring command channel from '/etc/rndc.key'
      Apr 16 13:57:40 server named-pkcs11[2501915]: command channel listening on ::1#953
      Apr 16 13:57:40 server named-pkcs11[2501915]: managed-keys-zone: loaded serial 11111
      Apr 16 13:57:40 server named-pkcs11[2501915]: zone 0.in-addr.arpa/IN: loaded serial 0
      Apr 16 13:57:40 server named-pkcs11[2501915]: zone localhost.localdomain/IN: loaded serial 0
      Apr 16 13:57:40 server named-pkcs11[2501915]: zone localhost/IN: loaded serial 0
      Apr 16 13:57:40 server named-pkcs11[2501915]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
      Apr 16 13:57:40 server named-pkcs11[2501915]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
      Apr 16 13:57:40 server named-pkcs11[2501915]: all zones loaded
      Apr 16 13:57:40 server named-pkcs11[2501915]: running
      Apr 16 13:57:40 server named-pkcs11[2501915]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __b>
      Apr 16 13:57:40 server named-pkcs11[2501915]: #0 0x56192ec11d14 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #1 0x7f4b6850afe0 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #2 0x7f4b6881d7b2 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #3 0x7f4b5e27e156 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #4 0x7f4b5e27e5e1 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #5 0x7f4b5e27fe60 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #6 0x7f4b5e280214 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #7 0x7f4b5e2893e0 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #8 0x7f4b68532904 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #9 0x7f4b6853358f in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #10 0x7f4b659201ca in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: #11 0x7f4b65224e73 in ??
      Apr 16 13:57:40 server named-pkcs11[2501915]: exiting (due to assertion failure)
      Apr 16 13:57:40 server systemd[1]: named-pkcs11.service: New main PID 2501915 does not belong to service, and PID file is not owned by root. Refusing.
      Apr 16 13:57:40 server systemd[1]: named-pkcs11.service: New main PID 2501915 does not belong to service, and PID file is not owned by root. Refusing.
      Apr 16 13:59:10 server systemd[1]: named-pkcs11.service: start operation timed out. Terminating.
      Apr 16 13:59:10 server systemd[1]: named-pkcs11.service: Failed with result 'timeout'.
      Apr 16 13:59:10 server systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.

            pemensik@redhat.com Petr Mensik
            amalonso2 Ángel Martínez Alonso
            Petr Mensik Petr Mensik
            rhel-cs-infra-services-qe rhel-cs-infra-services-qe rhel-cs-infra-services-qe rhel-cs-infra-services-qe
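A triage sketch for the failure pattern in the journal output above, useful when checking other hosts after the same update. It is an added example, not part of the original report or of BIND: the function name `triage` and its result keys are hypothetical, and the sample journal is constructed by abridging the lines quoted in the report. It records the BIND build, the first assertion site, whether the daemon had already logged `running`, how many backtrace frames lack symbols, and the systemd result.

```python
import re

# Constructed sample: abridged from the journal lines quoted in the report.
SAMPLE_JOURNAL = """\
Apr 16 13:57:39 server named-pkcs11[2501915]: starting BIND 9.11.36-RedHat-9.11.36-11.el8_9.1 (Extended Support Version) <id:68dbd5b>
Apr 16 13:57:40 server named-pkcs11[2501915]: all zones loaded
Apr 16 13:57:40 server named-pkcs11[2501915]: running
Apr 16 13:57:40 server named-pkcs11[2501915]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __b>
Apr 16 13:57:40 server named-pkcs11[2501915]: #0 0x56192ec11d14 in ??
Apr 16 13:57:40 server named-pkcs11[2501915]: #1 0x7f4b6850afe0 in ??
Apr 16 13:57:40 server named-pkcs11[2501915]: exiting (due to assertion failure)
Apr 16 13:59:10 server systemd[1]: named-pkcs11.service: start operation timed out. Terminating.
Apr 16 13:59:10 server systemd[1]: named-pkcs11.service: Failed with result 'timeout'.
"""

# Syslog-style journal line: timestamp, host, unit[pid]: message
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<unit>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
START = re.compile(r"^starting BIND (?P<version>\S+)")
# BIND's assertion kinds as logged: "<file>:<line>: REQUIRE(<cond>) failed"
ASSERT = re.compile(r"^(?P<file>\S+\.c):(?P<line>\d+): (?P<kind>REQUIRE|INSIST|ENSURE|INVARIANT)\(")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (?P<sym>\S+)")
RESULT = re.compile(r"Failed with result '(?P<result>[^']+)'")

def triage(journal_text, daemon="named-pkcs11"):
    """Summarise one start attempt of `daemon` from journal text."""
    f = {"version": None, "assertion": None, "after_running": False,
         "frames": 0, "unresolved_frames": 0, "aborted": False,
         "systemd_result": None}
    running = False
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        unit, msg = m["unit"], m["msg"]
        if unit == daemon:
            if (s := START.match(msg)):
                f["version"], running = s["version"], False
            elif msg == "running":
                running = True
            elif f["assertion"] is None and (a := ASSERT.match(msg)):
                f["assertion"] = (a["file"], int(a["line"]), a["kind"])
                f["after_running"] = running  # crash came after startup finished
            elif (fr := FRAME.match(msg)):
                f["frames"] += 1
                f["unresolved_frames"] += int(fr["sym"] == "??")
            elif msg == "exiting (due to assertion failure)":
                f["aborted"] = True
        elif unit == "systemd" and msg.startswith(daemon + ".service:"):
            if (r := RESULT.search(msg)):
                f["systemd_result"] = r["result"]
    return f

if __name__ == "__main__":
    print(triage(SAMPLE_JOURNAL))
```

A non-zero `unresolved_frames` means the backtrace was logged without symbols, so the assertion site is the only usable location until debug symbols are available.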