Bound the amount of work performed for delegations
5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] Resolves: CVE-2022-2795
This commit is contained in:
parent
7b05fe1bfb
commit
1594280edc
60
bind-9.16-CVE-2022-2795.patch
Normal file
60
bind-9.16-CVE-2022-2795.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||
|
||||
Limit the amount of database lookups that can be triggered in
|
||||
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||
query next) by setting a hard limit on the number of NS RRs processed
|
||||
for any delegation encountered. Without any limit in place, named can
|
||||
be forced to perform large amounts of database lookups per each query
|
||||
received, which severely impacts resolver performance.
|
||||
|
||||
The limit used (20) is an arbitrary value that is considered to be big
|
||||
enough for any sane DNS delegation.
|
||||
|
||||
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||
---
|
||||
lib/dns/resolver.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index d2cf14bbc8..73a0ee9f77 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -195,6 +195,12 @@
|
||||
*/
|
||||
#define NS_FAIL_LIMIT 4
|
||||
#define NS_RR_LIMIT 5
|
||||
+/*
|
||||
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||
+ * large delegations.
|
||||
+ */
|
||||
+#define NS_PROCESSING_LIMIT 20
|
||||
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
unsigned int no_addresses = 0;
|
||||
+ unsigned int ns_processed = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3902,6 +3909,11 @@ normal_nses:
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
+
|
||||
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||
+ result = ISC_R_NOMORE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.23
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -108,6 +108,9 @@ Patch174:bind-9.16-CVE-2021-25220-test.patch
|
||||
Patch175:bind-9.16-CVE-2022-3080.patch
|
||||
Patch176:bind-9.16-CVE-2022-38177.patch
|
||||
Patch177:bind-9.16-CVE-2022-38178.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
|
||||
Patch178:bind-9.16-CVE-2022-2795.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -414,6 +417,7 @@ in HTML and PDF format.
|
||||
%patch175 -p1 -b .CVE-2022-3080
|
||||
%patch176 -p1 -b .CVE-2022-38177
|
||||
%patch177 -p1 -b .CVE-2022-38178
|
||||
%patch178 -p1 -b .CVE-2022-2795
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1136,6 +1140,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-6
|
||||
- Bound the amount of work performed for delegations (CVE-2022-2795)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-5
|
||||
- Fix possible serve-stale related crash (CVE-2022-3080)
|
||||
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
||||
|
Loading…
Reference in New Issue
Block a user