Downstream specific changes related to KeyTrap

Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.

In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.

Resolves: RHEL-25386
; Resolves: CVE-2023-50387
This commit is contained in:
Petr Menšík 2024-02-21 12:05:39 +01:00
parent 650ecb34a1
commit 02426200e2
2 changed files with 70 additions and 0 deletions

View File

@ -0,0 +1,66 @@
From 103b09187466b2afbff7e204d166d21e2fbb057c Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 21 Feb 2024 11:54:27 +0100
Subject: [PATCH] Downstream specific changes related to KeyTrap
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.
In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.
---
lib/isc/hp.c | 3 +++
lib/isc/managers.c | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/isc/hp.c b/lib/isc/hp.c
index 92d160b..5f9bbf7 100644
--- a/lib/isc/hp.c
+++ b/lib/isc/hp.c
@@ -138,6 +138,7 @@ isc_hp_destroy(isc_hp_t *hp) {
void
isc_hp_clear(isc_hp_t *hp) {
+ INSIST(tid() < isc__hp_max_threads);
for (int i = 0; i < hp->max_hps; i++) {
atomic_store_release(&hp->hp[tid()][i], 0);
}
@@ -152,6 +153,7 @@ uintptr_t
isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom) {
uintptr_t n = 0;
uintptr_t ret;
+ INSIST(tid() < isc__hp_max_threads);
while ((ret = atomic_load(atom)) != n) {
atomic_store(&hp->hp[tid()][ihp], ret);
n = ret;
@@ -173,6 +175,7 @@ isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) {
void
isc_hp_retire(isc_hp_t *hp, uintptr_t ptr) {
+ INSIST(tid() < isc__hp_max_threads);
hp->rl[tid()]->list[hp->rl[tid()]->size++] = ptr;
INSIST(hp->rl[tid()]->size < isc__hp_max_retired);
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
index c39a650..3bdca99 100644
--- a/lib/isc/managers.c
+++ b/lib/isc/managers.c
@@ -25,9 +25,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
/*
* We have ncpus network threads, ncpus old network threads - make
- * it 4x just to be on the safe side.
+ * it 4x just to be on the safe side. One additional for slow netmgr
+ * thread.
*/
- isc_hp_init(4 * workers);
+ isc_hp_init(5 * workers);
REQUIRE(netmgrp != NULL && *netmgrp == NULL);
isc__netmgr_create(mctx, workers, &netmgr);
--
2.43.2

View File

@ -148,6 +148,8 @@ Patch200: bind-9.16-CVE-2023-4408-test2.patch
Patch201: bind-9.16-system-test-cds.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
Patch202: bind-9.16-isc-mempool-attach.patch
# Downstream only change, complements patch 198
Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
%{?systemd_ordering}
Requires: coreutils
@ -479,6 +481,7 @@ in HTML and PDF format.
%patch200 -p1
%patch201 -p1 -b .test-variant-def
%patch202 -p1 -b .mempool-attach
%patch203 -p1 -b .isc_hp-CVE-2023-50387
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1209,6 +1212,7 @@ fi;
%changelog
* Mon Feb 19 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-17
- Import tests for large DNS messages fix
- Add downstream change complementing CVE-2023-50387
* Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)