rpms / bind9.16

Clone
Source Code
GIT

Blame SOURCES/bind-9.16-CVE-2021-25220.patch

c8 c8-beta c8s
  1.   ec6a9e98a4c977959df70a6cd7bf46365f5d3e5f
  2.   SOURCES
  3.   bind-9.16-CVE-2021-25220.patch
Blob History Raw
ec6a9e 
From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
ec6a9e 
From: Mark Andrews <marka@isc.org>
ec6a9e 
Date: Wed, 19 Jan 2022 17:38:18 +1100
ec6a9e 
Subject: [PATCH] Add additional name checks when using a forwarder
ec6a9e
ec6a9e 
When using a forwarder, check that the owner name of response
ec6a9e 
records are within the bailiwick of the forwarded name space.
ec6a9e
ec6a9e 
(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
ec6a9e
ec6a9e 
Check that the forward declaration is unchanged and not overridden
ec6a9e
ec6a9e 
If we are using a fowarder, in addition to checking that names to
ec6a9e 
be cached are subdomains of the forwarded namespace, we must also
ec6a9e 
check that there are no subsidiary forwarded namespaces which would
ec6a9e 
take precedence. To be safe, we don't cache any responses if the
ec6a9e 
forwarding configuration has changed since the query was sent.
ec6a9e
ec6a9e 
(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
ec6a9e
ec6a9e 
Check cached names for possible "forward only" clause
ec6a9e
ec6a9e 
When caching additional and glue data *not* from a forwarder, we must
ec6a9e 
check that there is no "forward only" clause covering the owner name
ec6a9e 
that would take precedence.  Such names would normally be allowed by
ec6a9e 
baliwick rules, but a "forward only" zone introduces a new baliwick
ec6a9e 
scope.
ec6a9e
ec6a9e 
(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
ec6a9e
ec6a9e 
Look for zones deeper than the current domain or forward name
ec6a9e
ec6a9e 
When caching glue, we need to ensure that there is no closer
ec6a9e 
source of truth for the name. If the owner name for the glue
ec6a9e 
record would be answered by a locally configured zone, do not
ec6a9e 
cache.
ec6a9e
ec6a9e 
(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
ec6a9e 
---
ec6a9e 
 lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
ec6a9e 
 1 file changed, 123 insertions(+), 5 deletions(-)
ec6a9e
ec6a9e 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
ec6a9e 
index a7bc661bb7..7603a07b7b 100644
ec6a9e 
--- a/lib/dns/resolver.c
ec6a9e 
+++ b/lib/dns/resolver.c
ec6a9e 
@@ -63,6 +63,8 @@
ec6a9e 
 #include <dns/stats.h>
ec6a9e 
 #include <dns/tsig.h>
ec6a9e 
 #include <dns/validator.h>
ec6a9e 
+#include <dns/zone.h>
ec6a9e 
+
ec6a9e 
 #ifdef WANT_QUERYTRACE
ec6a9e 
 #define RTRACE(m)                                                             \
ec6a9e 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
ec6a9e 
@@ -337,6 +339,8 @@ struct fetchctx {
ec6a9e 
 	dns_fetch_t *qminfetch;
ec6a9e 
 	dns_rdataset_t qminrrset;
ec6a9e 
 	dns_name_t qmindcname;
ec6a9e 
+	dns_fixedname_t fwdfname;
ec6a9e 
+	dns_name_t *fwdname;
ec6a9e
ec6a9e 
 	/*%
ec6a9e 
 	 * The number of events we're waiting for.
ec6a9e 
@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
ec6a9e 
 		if (result == ISC_R_SUCCESS) {
ec6a9e 
 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
ec6a9e 
 			fctx->fwdpolicy = forwarders->fwdpolicy;
ec6a9e 
+			dns_name_copynf(domain, fctx->fwdname);
ec6a9e 
 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
ec6a9e 
 			    isstrictsubdomain(domain, &fctx->domain))
ec6a9e 
 			{
ec6a9e 
@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
ec6a9e 
 	fctx->restarts = 0;
ec6a9e 
 	fctx->querysent = 0;
ec6a9e 
 	fctx->referrals = 0;
ec6a9e 
+
ec6a9e 
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
ec6a9e 
+
ec6a9e 
 	TIME_NOW(&fctx->start);
ec6a9e 
 	fctx->timeouts = 0;
ec6a9e 
 	fctx->lamecount = 0;
ec6a9e 
@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
ec6a9e 
 					   fname, &forwarders);
ec6a9e 
 		if (result == ISC_R_SUCCESS) {
ec6a9e 
 			fctx->fwdpolicy = forwarders->fwdpolicy;
ec6a9e 
+			dns_name_copynf(fname, fctx->fwdname);
ec6a9e 
 		}
ec6a9e
ec6a9e 
 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
ec6a9e 
@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
ec6a9e 
 	}
ec6a9e 
 }
ec6a9e
ec6a9e 
+/*
ec6a9e 
+ * Returns true if 'name' is external to the namespace for which
ec6a9e 
+ * the server being queried can answer, either because it's not a
ec6a9e 
+ * subdomain or because it's below a forward declaration or a
ec6a9e 
+ * locally served zone.
ec6a9e 
+ */
ec6a9e 
+static inline bool
ec6a9e 
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
ec6a9e 
+	isc_result_t result;
ec6a9e 
+	dns_forwarders_t *forwarders = NULL;
ec6a9e 
+	dns_fixedname_t fixed, zfixed;
ec6a9e 
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
ec6a9e 
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
ec6a9e 
+	dns_name_t *apex = NULL;
ec6a9e 
+	dns_name_t suffix;
ec6a9e 
+	dns_zone_t *zone = NULL;
ec6a9e 
+	unsigned int labels;
ec6a9e 
+	dns_namereln_t rel;
ec6a9e 
+
ec6a9e 
+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
ec6a9e 
+
ec6a9e 
+	/*
ec6a9e 
+	 * The name is outside the queried namespace.
ec6a9e 
+	 */
ec6a9e 
+	rel = dns_name_fullcompare(name, apex, &(int){ 0 },
ec6a9e 
+				   &(unsigned int){ 0U });
ec6a9e 
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
ec6a9e 
+		return (true);
ec6a9e 
+	}
ec6a9e 
+
ec6a9e 
+	/*
ec6a9e 
+	 * If the record lives in the parent zone, adjust the name so we
ec6a9e 
+	 * look for the correct zone or forward clause.
ec6a9e 
+	 */
ec6a9e 
+	labels = dns_name_countlabels(name);
ec6a9e 
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
ec6a9e 
+		dns_name_init(&suffix, NULL);
ec6a9e 
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
ec6a9e 
+		name = &suffix;
ec6a9e 
+	} else if (rel == dns_namereln_equal) {
ec6a9e 
+		/* If 'name' is 'apex', no further checking is needed. */
ec6a9e 
+		return (false);
ec6a9e 
+	}
ec6a9e 
+
ec6a9e 
+	/*
ec6a9e 
+	 * If there is a locally served zone between 'apex' and 'name'
ec6a9e 
+	 * then don't cache.
ec6a9e 
+	 */
ec6a9e 
+	LOCK(&fctx->res->view->lock);
ec6a9e 
+	if (fctx->res->view->zonetable != NULL) {
ec6a9e 
+		unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
ec6a9e 
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
ec6a9e 
+				     zfname, &zone);
ec6a9e 
+		if (zone != NULL) {
ec6a9e 
+			dns_zone_detach(&zone);
ec6a9e 
+		}
ec6a9e 
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
ec6a9e 
+			if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
ec6a9e 
+						 &(unsigned int){ 0U }) ==
ec6a9e 
+			    dns_namereln_subdomain)
ec6a9e 
+			{
ec6a9e 
+				UNLOCK(&fctx->res->view->lock);
ec6a9e 
+				return (true);
ec6a9e 
+			}
ec6a9e 
+		}
ec6a9e 
+	}
ec6a9e 
+	UNLOCK(&fctx->res->view->lock);
ec6a9e 
+
ec6a9e 
+	/*
ec6a9e 
+	 * Look for a forward declaration below 'name'.
ec6a9e 
+	 */
ec6a9e 
+	result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
ec6a9e 
+				   &forwarders);
ec6a9e 
+
ec6a9e 
+	if (ISFORWARDER(fctx->addrinfo)) {
ec6a9e 
+		/*
ec6a9e 
+		 * See if the forwarder declaration is better.
ec6a9e 
+		 */
ec6a9e 
+		if (result == ISC_R_SUCCESS) {
ec6a9e 
+			return (!dns_name_equal(fname, fctx->fwdname));
ec6a9e 
+		}
ec6a9e 
+
ec6a9e 
+		/*
ec6a9e 
+		 * If the lookup failed, the configuration must have
ec6a9e 
+		 * changed: play it safe and don't cache.
ec6a9e 
+		 */
ec6a9e 
+		return (true);
ec6a9e 
+	} else if (result == ISC_R_SUCCESS &&
ec6a9e 
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
ec6a9e 
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
ec6a9e 
+	{
ec6a9e 
+		/*
ec6a9e 
+		 * If 'name' is covered by a 'forward only' clause then we
ec6a9e 
+		 * can't cache this repsonse.
ec6a9e 
+		 */
ec6a9e 
+		return (true);
ec6a9e 
+	}
ec6a9e 
+
ec6a9e 
+	return (false);
ec6a9e 
+}
ec6a9e 
+
ec6a9e 
 static isc_result_t
ec6a9e 
 check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
ec6a9e 
 	      dns_section_t section) {
ec6a9e 
@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
ec6a9e 
 	result = dns_message_findname(rctx->query->rmessage, section, addname,
ec6a9e 
 				      dns_rdatatype_any, 0, &name, NULL);
ec6a9e 
 	if (result == ISC_R_SUCCESS) {
ec6a9e 
-		external = !dns_name_issubdomain(name, &fctx->domain);
ec6a9e 
+		external = name_external(name, type, fctx);
ec6a9e 
 		if (type == dns_rdatatype_a) {
ec6a9e 
 			for (rdataset = ISC_LIST_HEAD(name->list);
ec6a9e 
 			     rdataset != NULL;
ec6a9e 
@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
ec6a9e 
 			break;
ec6a9e
ec6a9e 
 		case dns_namereln_subdomain:
ec6a9e 
+			/*
ec6a9e 
+			 * Don't accept DNAME from parent namespace.
ec6a9e 
+			 */
ec6a9e 
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
ec6a9e 
+				continue;
ec6a9e 
+			}
ec6a9e 
+
ec6a9e 
 			/*
ec6a9e 
 			 * In-scope DNAME records must have at least
ec6a9e 
 			 * as many labels as the domain being queried.
ec6a9e 
@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
ec6a9e 
 				       DNS_SECTION_AUTHORITY);
ec6a9e 
 	while (!done && result == ISC_R_SUCCESS) {
ec6a9e 
 		dns_name_t *name = NULL;
ec6a9e 
-		bool external;
ec6a9e
ec6a9e 
 		dns_message_currentname(rctx->query->rmessage,
ec6a9e 
 					DNS_SECTION_AUTHORITY, &name);
ec6a9e 
-		external = !dns_name_issubdomain(name, &fctx->domain);
ec6a9e
ec6a9e 
-		if (!external) {
ec6a9e 
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
ec6a9e 
 			dns_rdataset_t *rdataset = NULL;
ec6a9e
ec6a9e 
 			/*
ec6a9e 
@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
ec6a9e 
 		}
ec6a9e
ec6a9e 
 		if (!dns_name_issubdomain(name, &fctx->domain)) {
ec6a9e 
-			/* Invalid name found; preserve it for logging later */
ec6a9e 
+			/*
ec6a9e 
+			 * Invalid name found; preserve it for logging
ec6a9e 
+			 * later.
ec6a9e 
+			 */
ec6a9e 
 			rctx->found_name = name;
ec6a9e 
 			rctx->found_type = ISC_LIST_HEAD(name->list)->type;
ec6a9e 
 			continue;
ec6a9e 
--
ec6a9e 
2.34.1
ec6a9e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation