Allow runtime customization of CVE-2024-1737 limits

Do not introduce new options into configuration file. But if limits are
hit in unexpected way, allow tuning them by environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of
maximum records of types. Both defaults to 100.

These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.

Related: RHEL-49900
This commit is contained in:
Petr Menšík 2024-07-29 17:02:15 +02:00
parent 6a3f81b6a8
commit 7d262e3039
2 changed files with 137 additions and 0 deletions

View File

@ -0,0 +1,133 @@
From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 29 Jul 2024 16:20:50 +0200
Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
Modify rbtdb to not set it only at runtime, but allow setting that also
in runtime via environment variable. It is still possible to modify
default during the build define. In addition to it allows runtime change
also. Can be positive number to set limit, 0 disabled the check.
Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
records for a single name. This must be positive number, 0 is no accepted.
These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.
---
lib/dns/rbtdb.c | 21 +++++++++++++++++++--
lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e840c06..25242b2 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
+
+static void
+init_max_rtypes(void) {
+ /* Red Hat change, allow setting different max value by environment. */
+ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
+ if (max) {
+ char *endp = NULL;
+ long l = strtol(max, &endp, 10);
+ if (max != endp && endp && !*endp && l >= 0)
+ dns_g_rbtdb_max_rtypes = l;
+ }
+}
+
static bool
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
UNUSED(rbtdb);
- if (DNS_RBTDB_MAX_RTYPES == 0) {
+ if (dns_g_rbtdb_max_rtypes == 0) {
return (false);
}
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+ return (ntypes >= dns_g_rbtdb_max_rtypes);
}
static bool
@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
NULL,
adjusthashsize };
+static isc_once_t once_db = ISC_ONCE_INIT;
+
isc_result_t
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
/* Keep the compiler happy. */
UNUSED(driverarg);
+ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index dda9038..cef86af 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,6 +15,7 @@
#include <stdlib.h>
#include <isc/mem.h>
+#include <isc/once.h>
#include <isc/region.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/util.h>
@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
#define DNS_RDATASET_MAX_RECORDS 100
#endif /* DNS_RDATASET_MAX_RECORDS */
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_max_records(void) {
+ /* Red Hat change, allow setting different max value by environment. */
+ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
+ if (max) {
+ char *endp = NULL;
+ long l = strtol(max, &endp, 10);
+ if (max != endp && endp && !*endp && l > 0)
+ dns_g_rdataset_max_records = l;
+ }
+}
+
+
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen) {
@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
- if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
+
+ if (nitems > dns_g_rdataset_max_records) {
return (DNS_R_TOOMANYRECORDS);
}
@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif /* if DNS_RDATASET_FIXED */
INSIST(ocount > 0 && ncount > 0);
- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ if (ocount + ncount > dns_g_rdataset_max_records) {
return (DNS_R_TOOMANYRECORDS);
}
--
2.45.2

View File

@ -163,6 +163,8 @@ Patch206: bind-9.16-CVE-2024-1975.patch
Patch207: bind-9.16-CVE-2024-1737.patch Patch207: bind-9.16-CVE-2024-1737.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
Patch208: bind-9.18-CVE-2024-4076.patch Patch208: bind-9.18-CVE-2024-4076.patch
# RH downstream, allow changing by environment
Patch209: bind-9.16-CVE-2024-1737-runtime-env.patch
%{?systemd_ordering} %{?systemd_ordering}
Requires: coreutils Requires: coreutils
@ -503,6 +505,7 @@ in HTML and PDF format.
%patch206 -p1 -b .CVE-2024-1975 %patch206 -p1 -b .CVE-2024-1975
%patch207 -p1 -b .CVE-2024-1737 %patch207 -p1 -b .CVE-2024-1737
%patch208 -p1 -b .CVE-2024-4076 %patch208 -p1 -b .CVE-2024-4076
%patch209 -p1 -b .CVE-2024-1737-env
%if %{with PKCS11} %if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11 %patch135 -p1 -b .config-pkcs11
@ -1235,6 +1238,7 @@ fi;
- Resolve CVE-2024-1975 - Resolve CVE-2024-1975
- Resolve CVE-2024-1737 - Resolve CVE-2024-1737
- Resolve CVE-2024-4076 - Resolve CVE-2024-4076
- Add ability to change runtime limits for max types and records per name
* Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21 * Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
- Increase size of hazard pointer array (RHEL-39131) - Increase size of hazard pointer array (RHEL-39131)