Allow runtime customization of CVE-2024-1737 limits

Do not introduce new options into configuration file. But if limits are hit in unexpected way, allow tuning them by environment variables DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of maximum records of types. Both defaults to 100. These replaces max-records-per-type and max-types-per-name in later versions. But can be configured only by environment and can be configured only globally, not in each view or zone. Related: RHEL-49900
2024-07-29 17:02:15 +02:00 · 2024-07-29 17:02:15 +02:00 · 7d262e3039
commit 7d262e3039
parent 6a3f81b6a8
2 changed files with 137 additions and 0 deletions
--- a/bind-9.16-CVE-2024-1737-runtime-env.patch
+++ b/bind-9.16-CVE-2024-1737-runtime-env.patch
@ -0,0 +1,133 @@
+From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 29 Jul 2024 16:20:50 +0200
+Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
+
+Modify rbtdb to not set it only at runtime, but allow setting that also
+in runtime via environment variable. It is still possible to modify
+default during the build define. In addition to it allows runtime change
+also. Can be positive number to set limit, 0 disabled the check.
+
+Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
+records for a single name. This must be positive number, 0 is no accepted.
+
+These replaces max-records-per-type and max-types-per-name in later
+versions. But can be configured only by environment and can be
+configured only globally, not in each view or zone.
+---
+ lib/dns/rbtdb.c     | 21 +++++++++++++++++++--
+ lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index e840c06..25242b2 100644
+--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
+@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
+
+static void
+init_max_rtypes(void) {
+	/* Red Hat change, allow setting different max value by environment. */
+	const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
+	if (max) {
+		char *endp = NULL;
+		long l = strtol(max, &endp, 10);
+		if (max != endp && endp && !*endp && l >= 0)
+			dns_g_rbtdb_max_rtypes = l;
+	}
+}
+
+ static bool
+ overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ 	UNUSED(rbtdb);
+ 
+-	if (DNS_RBTDB_MAX_RTYPES == 0) {
+	if (dns_g_rbtdb_max_rtypes == 0) {
+ 		return (false);
+ 	}
+ 
+-	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+	return (ntypes >= dns_g_rbtdb_max_rtypes);
+ }
+ 
+ static bool
+@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
+ 					 NULL,
+ 					 adjusthashsize };
+ 
+static isc_once_t once_db = ISC_ONCE_INIT;
+
+ isc_result_t
+ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+ 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+ 
+ 	/* Keep the compiler happy. */
+ 	UNUSED(driverarg);
+	RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
+ 
+ 	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+ 
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index dda9038..cef86af 100644
+--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
+@@ -15,6 +15,7 @@
+ #include <stdlib.h>
+ 
+ #include <isc/mem.h>
+#include <isc/once.h>
+ #include <isc/region.h>
+ #include <isc/string.h> /* Required for HP/UX (and others?) */
+ #include <isc/util.h>
+@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ #define DNS_RDATASET_MAX_RECORDS 100
+ #endif /* DNS_RDATASET_MAX_RECORDS */
+ 
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_max_records(void) {
+	/* Red Hat change, allow setting different max value by environment. */
+	const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
+	if (max) {
+		char *endp = NULL;
+		long l = strtol(max, &endp, 10);
+		if (max != endp && endp && !*endp && l > 0)
+			dns_g_rdataset_max_records = l;
+	}
+}
+
+
+
+ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen) {
+@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
+-	if (nitems > DNS_RDATASET_MAX_RECORDS) {
+	RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
+
+	if (nitems > dns_g_rdataset_max_records) {
+ 		return (DNS_R_TOOMANYRECORDS);
+ 	}
+ 
+@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ #endif /* if DNS_RDATASET_FIXED */
+ 	INSIST(ocount > 0 && ncount > 0);
+ 
+-	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+	if (ocount + ncount > dns_g_rdataset_max_records) {
+ 		return (DNS_R_TOOMANYRECORDS);
+ 	}
+ 
+-- 
+2.45.2
+
--- a/bind.spec
+++ b/bind.spec
@ -163,6 +163,8 @@ Patch206: bind-9.16-CVE-2024-1975.patch
 Patch207: bind-9.16-CVE-2024-1737.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
 Patch208: bind-9.18-CVE-2024-4076.patch
+# RH downstream, allow changing by environment
+Patch209: bind-9.16-CVE-2024-1737-runtime-env.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -503,6 +505,7 @@ in HTML and PDF format.
 %patch206 -p1 -b .CVE-2024-1975
 %patch207 -p1 -b .CVE-2024-1737
 %patch208 -p1 -b .CVE-2024-4076
+%patch209 -p1 -b .CVE-2024-1737-env

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1235,6 +1238,7 @@ fi;
 - Resolve CVE-2024-1975
 - Resolve CVE-2024-1737
 - Resolve CVE-2024-4076
+- Add ability to change runtime limits for max types and records per name

 * Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
 - Increase size of hazard pointer array (RHEL-39131)