Downstream specific changes related to KeyTrap
Fix for CVE-2023-50387 introduced new additional thread. But because isc_hp functions were removed from later bind 9.16 release, their changes did not contain increase of hazard pointers max thread limit. To prevent obscure memory corruption increase thread max size. In addition place at least few INSISTs to check this is catched before random memory overwrites begins. It would be quite difficult to track without any check. Resolves: RHEL-25392 ; Resolves: CVE-2023-50387
This commit is contained in:
parent
2c9b8bdea4
commit
fdd3436a6d
66
bind-9.16-isc_hp-CVE-2023-50387.patch
Normal file
66
bind-9.16-isc_hp-CVE-2023-50387.patch
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
From 103b09187466b2afbff7e204d166d21e2fbb057c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Wed, 21 Feb 2024 11:54:27 +0100
|
||||||
|
Subject: [PATCH] Downstream specific changes related to KeyTrap
|
||||||
|
|
||||||
|
Fix for CVE-2023-50387 introduced new additional thread. But because
|
||||||
|
isc_hp functions were removed from later bind 9.16 release, their
|
||||||
|
changes did not contain increase of hazard pointers max thread limit.
|
||||||
|
To prevent obscure memory corruption increase thread max size.
|
||||||
|
|
||||||
|
In addition place at least few INSISTs to check this is catched before
|
||||||
|
random memory overwrites begins. It would be quite difficult to track
|
||||||
|
without any check.
|
||||||
|
---
|
||||||
|
lib/isc/hp.c | 3 +++
|
||||||
|
lib/isc/managers.c | 5 +++--
|
||||||
|
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/isc/hp.c b/lib/isc/hp.c
|
||||||
|
index 92d160b..5f9bbf7 100644
|
||||||
|
--- a/lib/isc/hp.c
|
||||||
|
+++ b/lib/isc/hp.c
|
||||||
|
@@ -138,6 +138,7 @@ isc_hp_destroy(isc_hp_t *hp) {
|
||||||
|
|
||||||
|
void
|
||||||
|
isc_hp_clear(isc_hp_t *hp) {
|
||||||
|
+ INSIST(tid() < isc__hp_max_threads);
|
||||||
|
for (int i = 0; i < hp->max_hps; i++) {
|
||||||
|
atomic_store_release(&hp->hp[tid()][i], 0);
|
||||||
|
}
|
||||||
|
@@ -152,6 +153,7 @@ uintptr_t
|
||||||
|
isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom) {
|
||||||
|
uintptr_t n = 0;
|
||||||
|
uintptr_t ret;
|
||||||
|
+ INSIST(tid() < isc__hp_max_threads);
|
||||||
|
while ((ret = atomic_load(atom)) != n) {
|
||||||
|
atomic_store(&hp->hp[tid()][ihp], ret);
|
||||||
|
n = ret;
|
||||||
|
@@ -173,6 +175,7 @@ isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) {
|
||||||
|
|
||||||
|
void
|
||||||
|
isc_hp_retire(isc_hp_t *hp, uintptr_t ptr) {
|
||||||
|
+ INSIST(tid() < isc__hp_max_threads);
|
||||||
|
hp->rl[tid()]->list[hp->rl[tid()]->size++] = ptr;
|
||||||
|
INSIST(hp->rl[tid()]->size < isc__hp_max_retired);
|
||||||
|
|
||||||
|
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
|
||||||
|
index c39a650..3bdca99 100644
|
||||||
|
--- a/lib/isc/managers.c
|
||||||
|
+++ b/lib/isc/managers.c
|
||||||
|
@@ -25,9 +25,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* We have ncpus network threads, ncpus old network threads - make
|
||||||
|
- * it 4x just to be on the safe side.
|
||||||
|
+ * it 4x just to be on the safe side. One additional for slow netmgr
|
||||||
|
+ * thread.
|
||||||
|
*/
|
||||||
|
- isc_hp_init(4 * workers);
|
||||||
|
+ isc_hp_init(5 * workers);
|
||||||
|
|
||||||
|
REQUIRE(netmgrp != NULL && *netmgrp == NULL);
|
||||||
|
isc__netmgr_create(mctx, workers, &netmgr);
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
|
@ -142,6 +142,8 @@ Patch200: bind-9.16-CVE-2023-4408-test2.patch
|
|||||||
Patch201: bind-9.16-system-test-cds.patch
|
Patch201: bind-9.16-system-test-cds.patch
|
||||||
# https://gitlab.isc.org/isc-projects/bind9/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
|
# https://gitlab.isc.org/isc-projects/bind9/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
|
||||||
Patch202: bind-9.16-isc-mempool-attach.patch
|
Patch202: bind-9.16-isc-mempool-attach.patch
|
||||||
|
# Downstream only change, complements patch 198
|
||||||
|
Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -465,6 +467,7 @@ in HTML and PDF format.
|
|||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%patch201 -p1 -b .test-variant-def
|
%patch201 -p1 -b .test-variant-def
|
||||||
%patch202 -p1 -b .mempool-attach
|
%patch202 -p1 -b .mempool-attach
|
||||||
|
%patch203 -p1 -b .isc_hp-CVE-2023-50387
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
%patch135 -p1 -b .config-pkcs11
|
%patch135 -p1 -b .config-pkcs11
|
||||||
@ -1199,6 +1202,7 @@ fi;
|
|||||||
- Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387
|
- Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387
|
||||||
CVE-2023-50868)
|
CVE-2023-50868)
|
||||||
- Import tests for large DNS messages fix
|
- Import tests for large DNS messages fix
|
||||||
|
- Add downstream change complementing CVE-2023-50387
|
||||||
|
|
||||||
* Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
|
* Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
|
||||||
- Limit the amount of recursion possible in control channel (CVE-2023-3341)
|
- Limit the amount of recursion possible in control channel (CVE-2023-3341)
|
||||||
|
Loading…
Reference in New Issue
Block a user