From 1594280edcb51b5bc0eccde2a1aba829f9c60e87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 4 Oct 2022 19:44:09 +0200 Subject: [PATCH] Bound the amount of work performed for delegations 5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] Resolves: CVE-2022-2795 --- bind-9.16-CVE-2022-2795.patch | 60 +++++++++++++++++++++++++++++++++++ bind.spec | 9 +++++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 bind-9.16-CVE-2022-2795.patch diff --git a/bind-9.16-CVE-2022-2795.patch b/bind-9.16-CVE-2022-2795.patch new file mode 100644 index 0000000..b67c8e9 --- /dev/null +++ b/bind-9.16-CVE-2022-2795.patch @@ -0,0 +1,60 @@ +From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index d2cf14bbc8..73a0ee9f77 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -195,6 +195,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3902,6 +3909,11 @@ normal_nses: + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.37.3 + diff --git a/bind.spec b/bind.spec index 4012ce3..492bb17 100644 --- a/bind.spec +++ b/bind.spec @@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -108,6 +108,9 @@ Patch174:bind-9.16-CVE-2021-25220-test.patch Patch175:bind-9.16-CVE-2022-3080.patch Patch176:bind-9.16-CVE-2022-38177.patch Patch177:bind-9.16-CVE-2022-38178.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793 +# https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8 +Patch178:bind-9.16-CVE-2022-2795.patch %{?systemd_ordering} Requires: coreutils @@ -414,6 +417,7 @@ in HTML and PDF format. %patch175 -p1 -b .CVE-2022-3080 %patch176 -p1 -b .CVE-2022-38177 %patch177 -p1 -b .CVE-2022-38178 +%patch178 -p1 -b .CVE-2022-2795 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1136,6 +1140,9 @@ fi; %endif %changelog +* Tue Oct 04 2022 Petr Menšík - 32:9.16.23-6 +- Bound the amount of work performed for delegations (CVE-2022-2795) + * Thu Sep 22 2022 Petr Menšík - 32:9.16.23-5 - Fix possible serve-stale related crash (CVE-2022-3080) - Fix memory leak in ECDSA verify processing (CVE-2022-38177)