Do not use header_prev in expire_lru_headers

dns__cacherbt_expireheader can unlink / free header_prev underneath it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader instead to get the next pointer to be processed. (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab) (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63) This is related to CVE-2023-2828 fix change and fixes small part of it. ; Related: CVE-2023-4408 Related: RHEL-25691
2024-02-26 20:12:36 +01:00 · 2024-02-26 20:12:36 +01:00 · 5bfe51e649
commit 5bfe51e649
parent 5573a679ad
2 changed files with 50 additions and 0 deletions
--- a/bind-9.11-CVE-2023-2828-fixup.patch
+++ b/bind-9.11-CVE-2023-2828-fixup.patch
@ -0,0 +1,46 @@
 From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Fri, 23 Feb 2024 10:12:47 +1100
 Subject: [PATCH] Do not use header_prev in expire_lru_headers
 dns__cacherbt_expireheader can unlink / free header_prev underneath
 it.  Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
 instead to get the next pointer to be processed.
 (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
 (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
 ---
 lib/dns/rbtdb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index cc40eaec60..ee59c1b18b 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 		   bool tree_locked) {
 -	rdatasetheader_t *header, *header_prev;
 +	rdatasetheader_t *header;
 	size_t purged = 0;
 	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 -	     header != NULL && purged <= purgesize; header = header_prev)
 +	     header != NULL && purged <= purgesize;
 +	     header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
 	{
 -		header_prev = ISC_LIST_PREV(header, link);
 		/*
 		 * Unlink the entry at this point to avoid checking it
 		 * again even if it's currently used someone else and
 		 * cannot be purged at this moment.  This entry won't be
 		 * referenced any more (so unlinking is safe) since the
 -		 * TTL was reset to 0.
 +		 * TTL will be reset to 0.
 		 */
 		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 		size_t header_size = rdataset_size(header);
 -- 
 2.43.2
--- a/bind.spec
+++ b/bind.spec
@ -183,6 +183,8 @@ Patch200: bind-9.16-update-b.root-servers.net.patch
 Patch201: bind-9.11-CVE-2023-4408.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8769
 Patch202: bind-9.11-CVE-2023-50387.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8778
 Patch203: bind-9.11-CVE-2023-2828-fixup.patch
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -595,6 +597,7 @@ are used for building ISC DHCP.
 %patch200 -p1 -b .b.root-servers.net
 %patch201 -p1 -b .CVE-2023-4408
 %patch202 -p1 -b .CVE-2023-50387+50868
 %patch203 -p1 -b .CVE-2023-2828-fixup
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1650,6 +1653,7 @@ rm -rf ${RPM_BUILD_ROOT}
 * Mon Feb 26 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-14
 - Speed up parsing of DNS messages with many different names (CVE-2023-4408)
 - Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387 CVE-2023-50868)
 - Do not use header_prev in expire_lru_headers
 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-13
 - Update addresses of b.root-servers.net (RHEL-18449)