Operational Notification: Changes in GCC Code Optimization Can Cause a Crash in BIND

Summary

Versions of the GNU Compiler Collection (GCC) greater than or equal to GCC 4.9.0 include changes to code optimization that have been reported to cause problems in BIND when default code optimization settings are used by the compiler.

Posting date:       4 June 2014

Program Impacted:      BIND 9

Versions affected:  9.8.0 - 9.8.7-W1, 9.9.0 - 9.9.5-W1, 9.10.0 - 9.10.0-P1. Windows binary distributions are NOT affected.

Description

ISC is issuing an operational notification to make BIND users aware of an unexpected problem caused by the interaction of BIND 9 and recent versions of GCC.

Beginning with GCC 4.9.0, code optimization in GCC now includes (by default) an optimization which is intended to eliminate unnecessary null pointer comparisons in compiled code. Unfortunately, this optimization removes checks which are necessary in BIND and the demonstrated effect is to cause unpredictable assertion failures during execution of named, resulting in termination of the server process.

Future versions of BIND will be modified so that the optimizer does not incorrectly remove necessary checks when building from source, and until those versions are available multiple immediate workarounds are available.

Solution

If your existing BIND binaries were compiled with a version of GCC prior to GCC 4.9.0, or were compiled with a different compiler, you do not need to do anything.

Until new versions of BIND are released which correct the problem automatically, if you need to build (or rebuild) BIND from source, you have a choice of several workarounds:

• Use a version of gcc with a version number less than 4.9.x
• Add the compiler flag "-fno-delete-null-pointer-checks" to your compilation options (e.g. "CFLAGS=-fno-delete-null-pointer-checks ./configure [configure options]")
• Use a compiler other than gcc. (ISC is unable to guarantee that no other compilers perform this optimization with BIND but we are not aware of any reported issues other than those that have been experienced using GCC 4.9.0)

Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.  (For current information on which versions are actively supported, please see https://www.isc.org/downloads/). 

ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: ISC Software Defect and Security Vulnerability Disclosure Policy.

This Knowledgebase article is the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.