Bound the amount of work performed for delegations

5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] Resolves: CVE-2022-2795
2022-10-04 19:44:09 +02:00 · 2022-10-04 19:44:09 +02:00 · 1594280edc
commit 1594280edc
parent 7b05fe1bfb
2 changed files with 68 additions and 1 deletions
--- a/bind-9.16-CVE-2022-2795.patch
+++ b/bind-9.16-CVE-2022-2795.patch
@ -0,0 +1,60 @@
 From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
 Date: Thu, 8 Sep 2022 11:11:30 +0200
 Subject: [PATCH] Bound the amount of work performed for delegations
 Limit the amount of database lookups that can be triggered in
 fctx_getaddresses() (i.e. when determining the name server addresses to
 query next) by setting a hard limit on the number of NS RRs processed
 for any delegation encountered.  Without any limit in place, named can
 be forced to perform large amounts of database lookups per each query
 received, which severely impacts resolver performance.
 The limit used (20) is an arbitrary value that is considered to be big
 enough for any sane DNS delegation.
 (cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
 ---
 lib/dns/resolver.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index d2cf14bbc8..73a0ee9f77 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -195,6 +195,12 @@
  */
 #define NS_FAIL_LIMIT 4
 #define NS_RR_LIMIT   5
 +/*
 + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
 + * any NS RRset encountered, to avoid excessive resource use while processing
 + * large delegations.
 + */
 +#define NS_PROCESSING_LIMIT 20
 /* Number of hash buckets for zone counters */
 #ifndef RES_DOMAIN_BUCKETS
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 	bool need_alternate = false;
 	bool all_spilled = true;
 	unsigned int no_addresses = 0;
 +	unsigned int ns_processed = 0;
 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3902,6 +3909,11 @@ normal_nses:
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
 +
 +		if (++ns_processed >= NS_PROCESSING_LIMIT) {
 +			result = ISC_R_NOMORE;
 +			break;
 +		}
 	}
 	if (result != ISC_R_NOMORE) {
 		return (result);
 -- 
 2.37.3
--- a/bind.spec
+++ b/bind.spec
@ -51,7 +51,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  5%{?dist}
+Release:  6%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -108,6 +108,9 @@ Patch174:bind-9.16-CVE-2021-25220-test.patch
 Patch175:bind-9.16-CVE-2022-3080.patch
 Patch176:bind-9.16-CVE-2022-38177.patch
 Patch177:bind-9.16-CVE-2022-38178.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793
 # https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
 Patch178:bind-9.16-CVE-2022-2795.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -414,6 +417,7 @@ in HTML and PDF format.
 %patch175 -p1 -b .CVE-2022-3080
 %patch176 -p1 -b .CVE-2022-38177
 %patch177 -p1 -b .CVE-2022-38178
 %patch178 -p1 -b .CVE-2022-2795
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1136,6 +1140,9 @@ fi;
 %endif
 %changelog
 * Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-6
 - Bound the amount of work performed for delegations (CVE-2022-2795)
 * Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-5
 - Fix possible serve-stale related crash (CVE-2022-3080)
 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)