Do not use header_prev in expire_lru_headers

dns__cacherbt_expireheader can unlink / free header_prev underneath it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader instead to get the next pointer to be processed. (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab) (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63) This is related to CVE-2023-2828 fix change and fixes small part of it. ; Related: CVE-2023-4408 Related: RHEL-25691
2024-02-26 20:12:36 +01:00 · 2024-02-26 20:12:36 +01:00 · 5bfe51e649
commit 5bfe51e649
parent 5573a679ad
2 changed files with 50 additions and 0 deletions
--- a/bind-9.11-CVE-2023-2828-fixup.patch
+++ b/bind-9.11-CVE-2023-2828-fixup.patch
@ -0,0 +1,46 @@
+From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 23 Feb 2024 10:12:47 +1100
+Subject: [PATCH] Do not use header_prev in expire_lru_headers
+
+dns__cacherbt_expireheader can unlink / free header_prev underneath
+it.  Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
+instead to get the next pointer to be processed.
+
+(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
+(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
+---
+ lib/dns/rbtdb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index cc40eaec60..ee59c1b18b 100644
+--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
+@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static size_t
+ expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+ 		   bool tree_locked) {
+-	rdatasetheader_t *header, *header_prev;
+	rdatasetheader_t *header;
+ 	size_t purged = 0;
+ 
+ 	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+-	     header != NULL && purged <= purgesize; header = header_prev)
+	     header != NULL && purged <= purgesize;
+	     header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
+ 	{
+-		header_prev = ISC_LIST_PREV(header, link);
+ 		/*
+ 		 * Unlink the entry at this point to avoid checking it
+ 		 * again even if it's currently used someone else and
+ 		 * cannot be purged at this moment.  This entry won't be
+ 		 * referenced any more (so unlinking is safe) since the
+-		 * TTL was reset to 0.
+		 * TTL will be reset to 0.
+ 		 */
+ 		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+ 		size_t header_size = rdataset_size(header);
+-- 
+2.43.2
+
--- a/bind.spec
+++ b/bind.spec
@ -183,6 +183,8 @@ Patch200: bind-9.16-update-b.root-servers.net.patch
 Patch201: bind-9.11-CVE-2023-4408.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8769
 Patch202: bind-9.11-CVE-2023-50387.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8778
+Patch203: bind-9.11-CVE-2023-2828-fixup.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -595,6 +597,7 @@ are used for building ISC DHCP.
 %patch200 -p1 -b .b.root-servers.net
 %patch201 -p1 -b .CVE-2023-4408
 %patch202 -p1 -b .CVE-2023-50387+50868
+%patch203 -p1 -b .CVE-2023-2828-fixup

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1650,6 +1653,7 @@ rm -rf ${RPM_BUILD_ROOT}
 * Mon Feb 26 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-14
 - Speed up parsing of DNS messages with many different names (CVE-2023-4408)
 - Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387 CVE-2023-50868)
+- Do not use header_prev in expire_lru_headers

 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-13
 - Update addresses of b.root-servers.net (RHEL-18449)