summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJussi Kukkonen <jussi.kukkonen@intel.com>2016-04-15 15:03:17 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-04-18 16:28:22 +0100
commit74ab080d3475cfbf4ad0f6e747601c71709f2e44 (patch)
treec33acd22aec37ec41be50f18e07c6584aaa7dc6e
parentd488d78db0b60433b54e0aec45624970309567b6 (diff)
downloadpoky-74ab080d3475cfbf4ad0f6e747601c71709f2e44.tar.gz
bind: CVE-2016-2088
Duplicate EDNS COOKIE options in a response could trigger an assertion failure: Fix with a backport. bind as built with the oe-core recipe is not at risk: Only servers which are built with DNS cookie support (--enable-sit) are vulnerable to denial of service. Fixes [YOCTO #9438] (From OE-Core rev: da38a9840b32e80464e2938395db5c9167729f7e) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch247
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.3-P3.bb1
2 files changed, 248 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
new file mode 100644
index 0000000000..1b84d46b78
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,247 @@
1CVE-2016-2088
2
3Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
4v9_10_3_patch branch.
5
6https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
7https://kb.isc.org/article/AA-01351
8
9CVE: CVE-2016-2088
10Upstream-Status: Backport
11Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
12
13
14Original commit message from Mark Andrews <marka@isc.org> below:
15
164322. [security] Duplicate EDNS COOKIE options in a response could
17 trigger an assertion failure. (CVE-2016-2088)
18 [RT #41809]
19
20(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
21(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
22---
23 CHANGES | 4 ++++
24 bin/dig/dighost.c | 9 +++++++++
25 bin/named/client.c | 33 +++++++++++++++++++++++----------
26 doc/arm/notes.xml | 7 +++++++
27 lib/dns/resolver.c | 14 +++++++++++++-
28 5 files changed, 56 insertions(+), 11 deletions(-)
29
30diff --git a/CHANGES b/CHANGES
31index c5b5d2b..d2e3360 100644
32--- a/CHANGES
33+++ b/CHANGES
34@@ -1,3 +1,7 @@
35+4322. [security] Duplicate EDNS COOKIE options in a response could
36+ trigger an assertion failure. (CVE-2016-2088)
37+ [RT #41809]
38+
39 4319. [security] Fix resolver assertion failure due to improper
40 DNAME handling when parsing fetch reply messages.
41 (CVE-2016-1286) [RT #41753]
42diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
43index ca82f8e..340904f 100644
44--- a/bin/dig/dighost.c
45+++ b/bin/dig/dighost.c
46@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
47 isc_buffer_t optbuf;
48 isc_uint16_t optcode, optlen;
49 dns_rdataset_t *opt = msg->opt;
50+ isc_boolean_t seen_cookie = ISC_FALSE;
51
52 result = dns_rdataset_first(opt);
53 if (result == ISC_R_SUCCESS) {
54@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
55 optlen = isc_buffer_getuint16(&optbuf);
56 switch (optcode) {
57 case DNS_OPT_COOKIE:
58+ /*
59+ * Only process the first cookie option.
60+ */
61+ if (seen_cookie) {
62+ isc_buffer_forward(&optbuf, optlen);
63+ break;
64+ }
65 process_sit(l, msg, &optbuf, optlen);
66+ seen_cookie = ISC_TRUE;
67 break;
68 default:
69 isc_buffer_forward(&optbuf, optlen);
70diff --git a/bin/named/client.c b/bin/named/client.c
71index 683305c..0d7331a 100644
72--- a/bin/named/client.c
73+++ b/bin/named/client.c
74@@ -120,7 +120,10 @@
75 */
76 #endif
77
78-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
79+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
80+
81+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
82+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
83
84 /*% nameserver client manager structure */
85 struct ns_clientmgr {
86@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
87 {
88 char nsid[BUFSIZ], *nsidp;
89 #ifdef ISC_PLATFORM_USESIT
90- unsigned char sit[SIT_SIZE];
91+ unsigned char sit[COOKIE_SIZE];
92 #endif
93 isc_result_t result;
94 dns_view_t *view;
95@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
96 flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
97
98 /* Set EDNS options if applicable */
99- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
100+ if (WANTNSID(client) &&
101 (ns_g_server->server_id != NULL ||
102 ns_g_server->server_usehostname)) {
103 if (ns_g_server->server_usehostname) {
104@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
105
106 INSIST(count < DNS_EDNSOPTIONS);
107 ednsopts[count].code = DNS_OPT_COOKIE;
108- ednsopts[count].length = SIT_SIZE;
109+ ednsopts[count].length = COOKIE_SIZE;
110 ednsopts[count].value = sit;
111 count++;
112 }
113@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
114
115 static void
116 process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
117- unsigned char dbuf[SIT_SIZE];
118+ unsigned char dbuf[COOKIE_SIZE];
119 unsigned char *old;
120 isc_stdtime_t now;
121 isc_uint32_t when;
122 isc_uint32_t nonce;
123 isc_buffer_t db;
124
125+ /*
126+ * If we have already seen a ECS option skip this ECS option.
127+ */
128+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
129+ isc_buffer_forward(buf, optlen);
130+ return;
131+ }
132 client->attributes |= NS_CLIENTATTR_WANTSIT;
133
134 isc_stats_increment(ns_g_server->nsstats,
135 dns_nsstatscounter_sitopt);
136
137- if (optlen != SIT_SIZE) {
138+ if (optlen != COOKIE_SIZE) {
139 /*
140 * Not our token.
141 */
142@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
143 isc_buffer_init(&db, dbuf, sizeof(dbuf));
144 compute_sit(client, when, nonce, &db);
145
146- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
147+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
148 isc_stats_increment(ns_g_server->nsstats,
149 dns_nsstatscounter_sitnomatch);
150 return;
151 }
152 isc_stats_increment(ns_g_server->nsstats,
153 dns_nsstatscounter_sitmatch);
154-
155 client->attributes |= NS_CLIENTATTR_HAVESIT;
156 }
157 #endif
158@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
159 optlen = isc_buffer_getuint16(&optbuf);
160 switch (optcode) {
161 case DNS_OPT_NSID:
162- isc_stats_increment(ns_g_server->nsstats,
163+ if (!WANTNSID(client))
164+ isc_stats_increment(
165+ ns_g_server->nsstats,
166 dns_nsstatscounter_nsidopt);
167 client->attributes |= NS_CLIENTATTR_WANTNSID;
168 isc_buffer_forward(&optbuf, optlen);
169@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
170 break;
171 #endif
172 case DNS_OPT_EXPIRE:
173- isc_stats_increment(ns_g_server->nsstats,
174+ if (!WANTEXPIRE(client))
175+ isc_stats_increment(
176+ ns_g_server->nsstats,
177 dns_nsstatscounter_expireopt);
178 client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
179 isc_buffer_forward(&optbuf, optlen);
180diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
181index ebf4f55..095eb5b 100644
182--- a/doc/arm/notes.xml
183+++ b/doc/arm/notes.xml
184@@ -51,6 +51,13 @@
185 <title>Security Fixes</title>
186 <itemizedlist>
187 <listitem>
188+ <para>
189+ Duplicate EDNS COOKIE options in a response could trigger
190+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
191+ [RT #41809]
192+ </para>
193+ </listitem>
194+ <listitem>
195 <para>
196 Specific APL data could trigger an INSIST. This flaw
197 was discovered by Brian Mitchell and is disclosed in
198diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
199index a797e3f..ba1ae23 100644
200--- a/lib/dns/resolver.c
201+++ b/lib/dns/resolver.c
202@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
203 unsigned char *sit;
204 dns_adbaddrinfo_t *addrinfo;
205 unsigned char cookie[8];
206+ isc_boolean_t seen_cookie = ISC_FALSE;
207 #endif
208+ isc_boolean_t seen_nsid = ISC_FALSE;
209
210 result = dns_rdataset_first(opt);
211 if (result == ISC_R_SUCCESS) {
212@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
213 INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
214 switch (optcode) {
215 case DNS_OPT_NSID:
216- if (query->options & DNS_FETCHOPT_WANTNSID)
217+ if (!seen_nsid &&
218+ query->options & DNS_FETCHOPT_WANTNSID)
219 log_nsid(&optbuf, optlen, query,
220 ISC_LOG_DEBUG(3),
221 query->fctx->res->mctx);
222 isc_buffer_forward(&optbuf, optlen);
223+ seen_nsid = ISC_TRUE;
224 break;
225 #ifdef ISC_PLATFORM_USESIT
226 case DNS_OPT_COOKIE:
227+ /*
228+ * Only process the first cookie option.
229+ */
230+ if (seen_cookie) {
231+ isc_buffer_forward(&optbuf, optlen);
232+ break;
233+ }
234 sit = isc_buffer_current(&optbuf);
235 compute_cc(query, cookie, sizeof(cookie));
236 INSIST(query->fctx->rmessage->sitbad == 0 &&
237@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
238 isc_buffer_forward(&optbuf, optlen);
239 inc_stats(query->fctx->res,
240 dns_resstatscounter_sitin);
241+ seen_cookie = ISC_TRUE;
242 break;
243 #endif
244 default:
245--
2462.1.4
247
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 3ad14b235f..1e3a20f9a3 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
24 file://CVE-2016-1285.patch \ 24 file://CVE-2016-1285.patch \
25 file://CVE-2016-1286_1.patch \ 25 file://CVE-2016-1286_1.patch \
26 file://CVE-2016-1286_2.patch \ 26 file://CVE-2016-1286_2.patch \
27 file://CVE-2016-2088.patch \
27 " 28 "
28 29
29SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" 30SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"