5200. [security] tcp-clients settings could be exceeded in some cases,

which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]
Petr Menšík 2019-05-02 14:49:56 +02:00
parent 7232bc0a99
commit 4b42a5c162
7 changed files with 177 additions and 35 deletions

.gitignore vendored

@ -91,3 +91,4 @@ bind-9.7.2b1.tar.gz
/config-19.tar.bz2
/bind-9.11.5-P4.tar.gz
/bind-9.11.6.tar.gz
/bind-9.11.6-P1.tar.gz


@ -0,0 +1,132 @@
From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 17 Apr 2019 15:22:27 +0200
Subject: [PATCH] Replace atomic operations in bin/named/client.c with
isc_refcount reference counting
---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/bin/named/client.c b/bin/named/client.c
index 845326abc0..29fecadca8 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, bool active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = false;
@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 3535ef22a8..6e10f210fd 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -45,6 +45,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -75,11 +76,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d9f6df5802..135533be6b 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}
--
2.18.1
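Review bot: The underflow assertions `INSIST(old > 0)` that followed the two counter decrements in mark_tcp_active and client_newconn disappear when the xadd calls become `isc_refcount_decrement(..., NULL)`, and nothing in this patch shows the replacement enforcing the same precondition. If the isc_refcount_decrement macro in this 9.11 tree carries its own `REQUIRE(prev > 0)` (the atomic variant upstream does, as far as I recall, but that should be checked against lib/isc/include/isc/refcount.h for the configuration this package builds with), the guard is merely relocated; if not, the invariant that ntcpaccepting/ntcpactive never go below zero is no longer asserted, and because ntcpactive gates the tcp-clients quota decision in client_accept, a silent wrap would reintroduce the limit bypass this update exists to close. A one-line comment on the mark_tcp_active decrement, `/* underflow is asserted inside isc_refcount_decrement */`, would record that the check was moved rather than dropped. mark_tcp_active is shown in full; the client_newconn and client_accept bodies continue outside their hunks. Minor style point in the interfacemgr.h hunk: `#include <isc/refcount.h>` is inserted after `<isc/socket.h>`, breaking the alphabetical order of the isc/ includes.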


@ -1,4 +1,4 @@
From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001
From 55e649d82a1adc5209738fb8402624f03287ca87 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@ -39,14 +39,14 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 4 +-
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes.xml | 26 +++++++++++
doc/arm/notes.xml | 31 +++++++++++++
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
22 files changed, 220 insertions(+), 107 deletions(-)
22 files changed, 225 insertions(+), 107 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 295e16f..0f79aa8 100644
@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index d425df2..7ab3dec 100644
index ce24670..0ce02a9 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@ -241,7 +241,7 @@ index f5ed2b7..b2c1d05 100644
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 419927b..d721f47 100644
index d9f6df5..662eb6c 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -17,6 +17,7 @@
@ -436,7 +436,7 @@ index 2146f9b..ac2c311 100644
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index dd5365c..1a463b0 100644
index bb79723..888959c 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@ -502,13 +502,15 @@ index dd5365c..1a463b0 100644
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index ad4b34c..2685b8e 100644
index ba9a7cf..c0256f1 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -229,6 +229,32 @@
is used from the shell scripts.
</para>
</listitem>
@@ -117,6 +117,37 @@
</itemizedlist>
</section>
+ <section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions
@ -535,9 +537,12 @@ index ad4b34c..2685b8e 100644
+ entropy source. [RT #31459] [RT #46047]
+ </para>
+ </listitem>
</itemizedlist>
</section>
+ </itemizedlist>
+ </section>
+
<section xml:id="end_of_life"><info><title>End of Life</title></info>
<para>
BIND 9.11 (Extended Support Version) will be supported until at
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index b55ebe0..d2b43d3 100644
--- a/lib/dns/dst_api.c

bind-9.11.6-P1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=TsjB
-----END PGP SIGNATURE-----


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org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=uY61
-----END PGP SIGNATURE-----


@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
#%%global PATCHVER P4
%global PATCHVER P1
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.6
Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -141,6 +141,7 @@ Patch171:bind-9.11-tests-variants.patch
Patch172:bind-9.11-tests-pkcs11.patch
Patch173: bind-9.11-unit-dnstap-pkcs11.patch
Patch174: bind-9.11-unit-timer-nothread.patch
Patch175: bind-9.11-CVE-2018-5741-atomic.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -523,6 +524,7 @@ are used for building ISC DHCP.
%patch172 -p1 -b .test-pkcs11
%patch173 -p1 -b .unit-dnstap
%patch174 -p1 -b .unit-timer
%patch175 -p1 -b .CVE-2018-5741-atomic
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1517,6 +1519,9 @@ fi;
%changelog
* Thu May 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-3.P1
- Fix inefective limit of TCP clients (CVE-2018-5743)
* Thu Mar 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-2
- Fix dnstap and timer issues in unit test
- Enable DLZ modules
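Review bot: The new patch is registered as `Patch175: bind-9.11-CVE-2018-5741-atomic.patch` with backup suffix `.CVE-2018-5741-atomic`, while the changelog entry in this same file, the commit message and the tarball bump to 9.11.6-P1 all cite CVE-2018-5743, and the patch content itself (the refcount conversion of bin/named/client.c) carries no CVE identifier at all. Anyone auditing which advisory this build addresses will search for 5743 and not find it in the patch list, so the file name and `-b` suffix should read `bind-9.11-CVE-2018-5743-atomic.patch` / `.CVE-2018-5743-atomic`, or, if the 5741 naming is deliberate, a comment above the Patch175 line such as `# companion to the CVE-2018-5743 fix shipped in 9.11.6-P1` would remove the ambiguity. The changelog line also misspells the adjective; it should read `- Fix ineffective limit of TCP clients (CVE-2018-5743)`.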


@ -1,2 +1,2 @@
SHA512 (bind-9.11.6.tar.gz) = 17a76ad4aafddeb86e330c4ca9b5fecb8df9e1109df4ff8d7a31d1da406f2597050d569460529b710f213360642842fcb9bdaa4eb79be10fcb093872fe75fdfd
SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c