Blame SOURCES/bind-9.16-CVE-2022-0396.patch

ec6a9e
From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
ec6a9e
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
ec6a9e
Date: Tue, 8 Feb 2022 12:42:34 +0100
ec6a9e
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
ec6a9e
ec6a9e
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
ec6a9e
asynchronously to ensure correct order of multiple packets processing in
ec6a9e
the isc__nm_process_sock_buffer().  When not run asynchronously, it
ec6a9e
would cause:
ec6a9e
ec6a9e
  a) out-of-order processing of the return codes from processbuffer();
ec6a9e
ec6a9e
  b) stack growth because the next TCP DNS message read callback will
ec6a9e
     be called from within the current TCP DNS message read callback.
ec6a9e
ec6a9e
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
ec6a9e
sockets which calls isc__nm_process_sock_buffer().  If the read callback
ec6a9e
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
ec6a9e
attach to the nmhandle (f.e. because it wants to drop the processing or
ec6a9e
we send the response directly via uv_try_write()), the
ec6a9e
isc__nm_resume_processing() (via .closehandle_cb) would call
ec6a9e
isc__nm_process_sock_buffer() recursively.
ec6a9e
ec6a9e
The below shortened code path shows how the stack can grow:
ec6a9e
ec6a9e
 1: ns__client_request(handle, ...);
ec6a9e
 2: isc_nm_tcpdns_sequential(handle);
ec6a9e
 3: ns_query_start(client, handle);
ec6a9e
 4:   query_lookup(qctx);
ec6a9e
 5:     query_send(qctcx->client);
ec6a9e
 6:       isc__nmhandle_detach(&client->reqhandle);
ec6a9e
 7:         nmhandle_detach_cb(&handle);
ec6a9e
 8:           sock->closehandle_cb(sock); // isc__nm_resume_processing
ec6a9e
 9:             isc__nm_process_sock_buffer(sock);
ec6a9e
10:               processbuffer(sock); // isc__nm_tcpdns_processbuffer
ec6a9e
11:                 isc_nmhandle_attach(req->handle, &handle);
ec6a9e
12:                 isc__nm_readcb(sock, req, ISC_R_SUCCESS);
ec6a9e
13:                   isc__nm_async_readcb(NULL, ...);
ec6a9e
14:                     uvreq->cb.recv(...); // ns__client_request
ec6a9e
ec6a9e
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
ec6a9e
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
ec6a9e
the code flow above does not start this recursion. This ensures the
ec6a9e
correct order when processing multiple packets in the function
ec6a9e
'isc__nm_process_sock_buffer()' and prevents the stack growth.
ec6a9e
ec6a9e
When not run asynchronously, the out-of-order processing leaves the
ec6a9e
first TCP socket open until all requests on the stream have been
ec6a9e
processed.
ec6a9e
ec6a9e
If the pipelining is disabled on the TCP via `keep-response-order`
ec6a9e
configuration option, named would keep the first socket in lingering
ec6a9e
CLOSE_WAIT state when the client sends an incomplete packet and then
ec6a9e
closes the connection from the client side.
ec6a9e
ec6a9e
(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
ec6a9e
---
ec6a9e
 lib/isc/netmgr/netmgr.c | 6 +++++-
ec6a9e
 1 file changed, 5 insertions(+), 1 deletion(-)
ec6a9e
ec6a9e
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
ec6a9e
index 3283eb6e4f..0ed3182fb6 100644
ec6a9e
--- a/lib/isc/netmgr/netmgr.c
ec6a9e
+++ b/lib/isc/netmgr/netmgr.c
ec6a9e
@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
ec6a9e
 	handle = *handlep;
ec6a9e
 	*handlep = NULL;
ec6a9e
 
ec6a9e
+	/*
ec6a9e
+	 * If the closehandle_cb is set, it needs to run asynchronously to
ec6a9e
+	 * ensure correct ordering of the isc__nm_process_sock_buffer().
ec6a9e
+	 */
ec6a9e
 	sock = handle->sock;
ec6a9e
-	if (sock->tid == isc_nm_tid()) {
ec6a9e
+	if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
ec6a9e
 		nmhandle_detach_cb(&handle FLARG_PASS);
ec6a9e
 	} else {
ec6a9e
 		isc__netievent_detach_t *event =
ec6a9e
-- 
ec6a9e
2.34.1
ec6a9e