Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#69532 - [unbound] [glibc] Segmentation fault during startup with glibc 2.33

Attached to Project: Community Packages
Opened by Jonas Witschel (diabonas) - Thursday, 04 February 2021, 09:45 GMT
Last edited by Allan McRae (Allan) - Saturday, 06 February 2021, 08:35 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Allan McRae (Allan)
David Runge (dvzrv)
Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

When trying to start unbound using the systemd service with the testing repositories enabled, unbound fails with a segfault:

$ systemctl status unbound.service
[...]
Feb 04 10:35:52 diabonas systemd[1]: Starting Validating, recursive, and caching DNS resolver...
Feb 04 10:35:52 diabonas systemd[1]: unbound.service: Main process exited, code=dumped, status=11/SEGV
Feb 04 10:35:52 diabonas systemd[1]: unbound.service: Failed with result 'core-dump'.
Feb 04 10:35:52 diabonas systemd[1]: Failed to start Validating, recursive, and caching DNS resolver.

The coredump indicates a failure in glibc's initgroups:

$ coredumpctl info unbound
[...]
Stack trace of thread 2767:
#0 0x00007f48ea70fc45 internal_getgrouplist (libc.so.6 + 0xc8c45)
#1 0x00007f48ea70ffdf initgroups (libc.so.6 + 0xc8fdf)
#2 0x00005555feebf7fd n/a (unbound + 0xc7fd)
#3 0x00007f48ea66eb25 __libc_start_main (libc.so.6 + 0x27b25)
#4 0x00005555feec028e n/a (unbound + 0xd28e)

Temporarily downgrading glibc to the previous version 2.32-5 and restarting the unbound service fixes the issue.

Additional info:
* unbound 1.13.0-1
* glibc 2.33-1 (currently in [testing])

Steps to reproduce:
1. Enable the [testing] repositories, upgrade your system to obtain glibc 2.33-1.
2. Install and (re)start unbound: pacman -S unbound && systemctl start unbound.service
3. Observe the "Job for unbound.service failed because a fatal signal was delivered causing the control process to dump core." error during systemd service startup.
4. Run "systemctl status unbound.service" and "coredumpctl info unbound" to obtain the debug information provided above.
This task depends upon

Closed by  Allan McRae (Allan)
Saturday, 06 February 2021, 08:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  glibc-2.33-3
Comment by Jonas Witschel (diabonas) - Thursday, 04 February 2021, 09:55 GMT
The issue is not limited to the systemd service (so the hardening applied there does not appear to be the cause of the issue), starting unbound manually using "sudo /usr/bin/unbound -d -vvv" fails with the same segfault.
Comment by David Runge (dvzrv) - Thursday, 04 February 2021, 10:16 GMT
@diabonas: Thanks for creating the ticket!

I have created an upstream ticket[1], so that they are also aware of any possible implications.

[1] https://github.com/NLnetLabs/unbound/issues/418
Comment by Jonas Witschel (diabonas) - Thursday, 04 February 2021, 11:22 GMT
Upon closer inspection, this is probably more of a glibc than an Unbound issue, see [1]. As a workaround for Arch Linux until this is fixed,
you can disable the chroot security mechanism which Unbound uses and which causes problems with glibc 2.33 by specifying

chroot: ""

in /etc/unbound/unbound.conf

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=27343
Comment by Allan McRae (Allan) - Saturday, 06 February 2021, 00:40 GMT
glibc-2.33-3 uploaded with the fix. Please confirm it works.
Comment by Jonas Witschel (diabonas) - Saturday, 06 February 2021, 08:33 GMT
Thank you for applying the patch, I confirm that unbound starts and runs fine with glibc 2.33-3 (without disabling the chroot).

Loading...