summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-05-27 09:56:38 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-06-02 12:32:50 (GMT)
commitfb2a7918923d01f69dd2fe4f7c223eaecb14af3e (patch)
tree36c33aa84df943d10cfd219efa4643fd287c336b
parent657d14a41ff89d735e0f5e8e7e418c66943f0ff1 (diff)
downloadpoky-fb2a7918923d01f69dd2fe4f7c223eaecb14af3e.tar.gz
bind: fix CVE-2020-8616/7
fix CVE-2020-8616 and CVE-2020-8617 (From OE-Core rev: b280b3fe22a1fda62707bfa40ca78439ad201736) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch206
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch29
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.5-P4.bb2
3 files changed, 237 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
new file mode 100644
index 0000000..8f00231
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
@@ -0,0 +1,206 @@
1Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
2CVE: CVE-2020-8616
3Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4---
5diff --git a/lib/dns/adb.c b/lib/dns/adb.c
6index 058495f6a5..6b8a9537f0 100644
7--- a/lib/dns/adb.c
8+++ b/lib/dns/adb.c
9@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
10 */
11 #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
12 #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
13-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
14- != 0)
15-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
16- != 0)
17-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
18-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
19-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
20-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
21+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
22+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
23+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
24+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
25+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
26+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
27+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
28
29 /*
30 * These are currently used on simple unsigned ints, so they are
31@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
32 * Listen to negative cache hints, and don't start
33 * another query.
34 */
35- if (NCACHE_RESULT(result) || AUTH_NX(result))
36+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
37 goto fetch;
38+ }
39
40- if (!NAME_FETCH_V6(adbname))
41+ if (!NAME_FETCH_V6(adbname)) {
42 wanted_fetches |= DNS_ADBFIND_INET6;
43+ }
44 }
45
46 fetch:
47 if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
48 (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
49+ {
50 have_address = true;
51- else
52+ } else {
53 have_address = false;
54- if (wanted_fetches != 0 &&
55- ! (FIND_AVOIDFETCHES(find) && have_address)) {
56+ }
57+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
58+ !FIND_NOFETCH(find))
59+ {
60 /*
61 * We're missing at least one address family. Either the
62 * caller hasn't instructed us to avoid fetches, or we don't
63@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
64 * be acceptable so we have to launch fetches.
65 */
66
67- if (FIND_STARTATZONE(find))
68+ if (FIND_STARTATZONE(find)) {
69 start_at_zone = true;
70+ }
71
72 /*
73 * Start V4.
74diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
75index 63a13c4e41..edf6e54935 100644
76--- a/lib/dns/include/dns/adb.h
77+++ b/lib/dns/include/dns/adb.h
78@@ -207,6 +207,10 @@ struct dns_adbfind {
79 * lame for this query.
80 */
81 #define DNS_ADBFIND_OVERQUOTA 0x00000400
82+/*%
83+ * Don't perform a fetch even if there are no address records available.
84+ */
85+#define DNS_ADBFIND_NOFETCH 0x00000800
86
87 /*%
88 * The answers to queries come back as a list of these.
89diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
90index 7c44478a26..0a40859d08 100644
91--- a/lib/dns/resolver.c
92+++ b/lib/dns/resolver.c
93@@ -172,6 +172,14 @@
94 #define DEFAULT_MAX_QUERIES 75
95 #endif
96
97+/*
98+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
99+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
100+ * stop trying to fetch, in order to avoid wasting resources.
101+ */
102+#define NS_FAIL_LIMIT 4
103+#define NS_RR_LIMIT 5
104+
105 /* Number of hash buckets for zone counters */
106 #ifndef RES_DOMAIN_BUCKETS
107 #define RES_DOMAIN_BUCKETS 523
108@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
109 static void
110 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
111 unsigned int options, unsigned int flags, isc_stdtime_t now,
112- bool *overquota, bool *need_alternate)
113-{
114+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
115 dns_adbaddrinfo_t *ai;
116 dns_adbfind_t *find;
117 dns_resolver_t *res;
118@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
119 find->result_v6 != DNS_R_NXDOMAIN) ||
120 (res->dispatches6 == NULL &&
121 find->result_v4 != DNS_R_NXDOMAIN)))
122+ {
123 *need_alternate = true;
124+ }
125+ if (no_addresses != NULL) {
126+ (*no_addresses)++;
127+ }
128 } else {
129 if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
130 if (overquota != NULL)
131@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
132 dns_rdata_ns_t ns;
133 bool need_alternate = false;
134 bool all_spilled = true;
135+ unsigned int no_addresses = 0;
136
137 FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
138
139@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
140 * Extract the name from the NS record.
141 */
142 result = dns_rdata_tostruct(&rdata, &ns, NULL);
143- if (result != ISC_R_SUCCESS)
144+ if (result != ISC_R_SUCCESS) {
145 continue;
146+ }
147
148- findname(fctx, &ns.name, 0, stdoptions, 0, now,
149- &overquota, &need_alternate);
150+ if (no_addresses > NS_FAIL_LIMIT &&
151+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
152+ {
153+ stdoptions |= DNS_ADBFIND_NOFETCH;
154+ }
155+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
156+ &need_alternate, &no_addresses);
157
158- if (!overquota)
159+ if (!overquota) {
160 all_spilled = false;
161+ }
162
163 dns_rdata_reset(&rdata);
164 dns_rdata_freestruct(&ns);
165 }
166- if (result != ISC_R_NOMORE)
167+ if (result != ISC_R_NOMORE) {
168 return (result);
169+ }
170
171 /*
172 * Do we need to use 6 to 4?
173@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
174 if (!a->isaddress) {
175 findname(fctx, &a->_u._n.name, a->_u._n.port,
176 stdoptions, FCTX_ADDRINFO_FORWARDER,
177- now, NULL, NULL);
178+ now, NULL, NULL, NULL);
179 continue;
180 }
181 if (isc_sockaddr_pf(&a->_u.addr) != family)
182@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
183 }
184 }
185
186- if (dns_name_countlabels(&fctx->domain) > 2) {
187- result = isc_counter_increment(fctx->qc);
188- if (result != ISC_R_SUCCESS) {
189- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
190- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
191- "exceeded max queries resolving '%s'",
192- fctx->info);
193- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
194- return;
195- }
196+ result = isc_counter_increment(fctx->qc);
197+ if (result != ISC_R_SUCCESS) {
198+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
199+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
200+ "exceeded max queries resolving '%s'",
201+ fctx->info);
202+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
203+ return;
204 }
205
206 bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000..d8769c4
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
1Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
2CVE: CVE-2020-8617
3Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4---
5diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
6index b597a18d49..6357a3a486 100644
7--- a/lib/dns/tsig.c
8+++ b/lib/dns/tsig.c
9@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
10 goto cleanup_context;
11 }
12 msg->verified_sig = 1;
13- } else if (tsig.error != dns_tsigerror_badsig &&
14- tsig.error != dns_tsigerror_badkey) {
15+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
16+ tsig.error != dns_tsigerror_badkey))
17+ {
18 tsig_log(msg->tsigkey, 2, "signature was empty");
19 return (DNS_R_TSIGVERIFYFAILURE);
20 }
21@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
22 }
23 }
24
25- if (tsig.error != dns_rcode_noerror) {
26+ if (response && tsig.error != dns_rcode_noerror) {
27 msg->tsigstatus = tsig.error;
28 if (tsig.error == dns_tsigerror_badtime)
29 ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
index b0bb64b..68316e2 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
@@ -28,6 +28,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
28 file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \ 28 file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \
29 file://0006-restore-allowance-for-tcp-clients-interfaces.patch \ 29 file://0006-restore-allowance-for-tcp-clients-interfaces.patch \
30 file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \ 30 file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \
31 file://CVE-2020-8616.patch \
32 file://CVE-2020-8617.patch \
31" 33"
32 34
33SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960" 35SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960"