Bound the amount of work performed for delegations
5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] Resolves: CVE-2022-2795
This commit is contained in:
parent
7b05fe1bfb
commit
1594280edc
60
bind-9.16-CVE-2022-2795.patch
Normal file
60
bind-9.16-CVE-2022-2795.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||||
|
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||||
|
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||||
|
|
||||||
|
Limit the amount of database lookups that can be triggered in
|
||||||
|
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||||
|
query next) by setting a hard limit on the number of NS RRs processed
|
||||||
|
for any delegation encountered. Without any limit in place, named can
|
||||||
|
be forced to perform large amounts of database lookups per each query
|
||||||
|
received, which severely impacts resolver performance.
|
||||||
|
|
||||||
|
The limit used (20) is an arbitrary value that is considered to be big
|
||||||
|
enough for any sane DNS delegation.
|
||||||
|
|
||||||
|
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index d2cf14bbc8..73a0ee9f77 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -195,6 +195,12 @@
|
||||||
|
*/
|
||||||
|
#define NS_FAIL_LIMIT 4
|
||||||
|
#define NS_RR_LIMIT 5
|
||||||
|
+/*
|
||||||
|
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||||
|
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||||
|
+ * large delegations.
|
||||||
|
+ */
|
||||||
|
+#define NS_PROCESSING_LIMIT 20
|
||||||
|
|
||||||
|
/* Number of hash buckets for zone counters */
|
||||||
|
#ifndef RES_DOMAIN_BUCKETS
|
||||||
|
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
bool need_alternate = false;
|
||||||
|
bool all_spilled = true;
|
||||||
|
unsigned int no_addresses = 0;
|
||||||
|
+ unsigned int ns_processed = 0;
|
||||||
|
|
||||||
|
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||||
|
|
||||||
|
@@ -3902,6 +3909,11 @@ normal_nses:
|
||||||
|
|
||||||
|
dns_rdata_reset(&rdata);
|
||||||
|
dns_rdata_freestruct(&ns);
|
||||||
|
+
|
||||||
|
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||||
|
+ result = ISC_R_NOMORE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (result != ISC_R_NOMORE) {
|
||||||
|
return (result);
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
|||||||
Name: bind
|
Name: bind
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
Version: 9.16.23
|
Version: 9.16.23
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Epoch: 32
|
Epoch: 32
|
||||||
Url: https://www.isc.org/downloads/bind/
|
Url: https://www.isc.org/downloads/bind/
|
||||||
#
|
#
|
||||||
@ -108,6 +108,9 @@ Patch174:bind-9.16-CVE-2021-25220-test.patch
|
|||||||
Patch175:bind-9.16-CVE-2022-3080.patch
|
Patch175:bind-9.16-CVE-2022-3080.patch
|
||||||
Patch176:bind-9.16-CVE-2022-38177.patch
|
Patch176:bind-9.16-CVE-2022-38177.patch
|
||||||
Patch177:bind-9.16-CVE-2022-38178.patch
|
Patch177:bind-9.16-CVE-2022-38178.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
|
||||||
|
Patch178:bind-9.16-CVE-2022-2795.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -414,6 +417,7 @@ in HTML and PDF format.
|
|||||||
%patch175 -p1 -b .CVE-2022-3080
|
%patch175 -p1 -b .CVE-2022-3080
|
||||||
%patch176 -p1 -b .CVE-2022-38177
|
%patch176 -p1 -b .CVE-2022-38177
|
||||||
%patch177 -p1 -b .CVE-2022-38178
|
%patch177 -p1 -b .CVE-2022-38178
|
||||||
|
%patch178 -p1 -b .CVE-2022-2795
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
%patch135 -p1 -b .config-pkcs11
|
%patch135 -p1 -b .config-pkcs11
|
||||||
@ -1136,6 +1140,9 @@ fi;
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-6
|
||||||
|
- Bound the amount of work performed for delegations (CVE-2022-2795)
|
||||||
|
|
||||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-5
|
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-5
|
||||||
- Fix possible serve-stale related crash (CVE-2022-3080)
|
- Fix possible serve-stale related crash (CVE-2022-3080)
|
||||||
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
||||||
|
Loading…
Reference in New Issue
Block a user