bind: Security fix CVE-2016-8864

CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-8864 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8 (From OE-Core rev: c06f3a5993c7d63d91840c2a4d5b621e946ef78f) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2017-04-13 13:48:12 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-29 11:17:23 +0100
commit: e9c8cbdf020296325b275b10e36e5227173339ee (patch)
tree: 67a1ea42e49ad8b71cff9ccf76128445c8c60c94 /meta/recipes-connectivity/bind/bind
parent: ad6bb68906e82c6861becfd1e4516b39de3a882f (diff)
download: poky-e9c8cbdf020296325b275b10e36e5227173339ee.tar.gz
1 files changed, 219 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
new file mode 100644
index 0000000000..b52d6800ff
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
+From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 21 Oct 2016 14:55:10 +1100
+Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
+ processing a response. (CVE-2016-8864) [RT #43465]
+(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
+CVE: CVE-2016-8864
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGES            |  3 +++
+ lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 50 insertions(+), 22 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index 5c8c61a..41cfce5 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,6 @@
+4489.  [security]      It was possible to trigger assertions when processing
+                       a response. (CVE-2016-8864) [RT #43465]
+
+ 4467.   [security]      It was possible to trigger an assertion when
+                         rendering a message. (CVE-2016-2776) [RT #43139]
+ 
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index ba1ae23..13c8b44 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+        valarg->addrinfo = addrinfo;
+ 
+        if (!ISC_LIST_EMPTY(fctx->validators))
+-               INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+               valoptions |= DNS_VALIDATOR_DEFER;
+       else
+               valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+        result = dns_validator_create(fctx->res->view, name, type, rdataset,
+                                      sigrdataset, fctx->rmessage,
+@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                                           rdataset,
+                                                           sigrdataset,
+                                                           valoptions, task);
+-                                       /*
+-                                        * Defer any further validations.
+-                                        * This prevents multiple validators
+-                                        * from manipulating fctx->rmessage
+-                                        * simultaneously.
+-                                        */
+-                                       valoptions |= DNS_VALIDATOR_DEFER;
+                                }
+                        } else if (CHAINING(rdataset)) {
+                                if (rdataset->type == dns_rdatatype_cname)
+@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                       eresult == DNS_R_NCACHENXRRSET);
+                        }
+                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+                if (event != NULL) {
+                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+@@ -6718,13 +6723,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+        isc_result_t result;
+        dns_message_t *message;
+-       dns_name_t *name, *dname, *qname, tname, *ns_name;
+       dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+       dns_name_t *cname = NULL;
+        dns_rdataset_t *rdataset, *ns_rdataset;
+        isc_boolean_t done, external, chaining, aa, found, want_chaining;
+-       isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+       isc_boolean_t have_answer, found_cname, found_dname, found_type;
+       isc_boolean_t wanted_chaining;
+        unsigned int aflag;
+        dns_rdatatype_t type;
+-       dns_fixedname_t fdname, fqname;
+       dns_fixedname_t fdname, fqname, fqdname;
+        dns_view_t *view;
+ 
+        FCTXTRACE("answer_response");
+@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
+ 
+        done = ISC_FALSE;
+        found_cname = ISC_FALSE;
+       found_dname = ISC_FALSE;
+        found_type = ISC_FALSE;
+        chaining = ISC_FALSE;
+        have_answer = ISC_FALSE;
+@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
+                aa = ISC_TRUE;
+        else
+                aa = ISC_FALSE;
+-       qname = &fctx->name;
+       dqname = qname = &fctx->name;
+        type = fctx->type;
+        view = fctx->res->view;
+       dns_fixedname_init(&fqdname);
+        result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+        while (!done && result == ISC_R_SUCCESS) {
+-               dns_namereln_t namereln;
+               dns_namereln_t namereln, dnamereln;
+                int order;
+                unsigned int nlabels;
+ 
+@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
+                dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+                external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+                namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+               dnamereln = dns_name_fullcompare(dqname, name, &order,
+                                                &nlabels);
+                if (namereln == dns_namereln_equal) {
+                        wanted_chaining = ISC_FALSE;
+                        for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
+                                        }
+                                } else if (rdataset->type == dns_rdatatype_rrsig
+                                           && rdataset->covers ==
+-                                          dns_rdatatype_cname
+                                             dns_rdatatype_cname
+                                           && !found_type) {
+                                        /*
+                                         * We're looking for something else,
+@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
+                                                 * a CNAME or DNAME).
+                                                 */
+                                                INSIST(!external);
+-                                               if (aflag ==
+-                                                   DNS_RDATASETATTR_ANSWER) {
+                                               if ((rdataset->type !=
+                                                    dns_rdatatype_cname) ||
+                                                   !found_dname ||
+                                                   (aflag ==
+                                                    DNS_RDATASETATTR_ANSWER))
+                                               {
+                                                        have_answer = ISC_TRUE;
+                                                       if (rdataset->type ==
+                                                           dns_rdatatype_cname)
+                                                               cname = name;
+                                                        name->attributes |=
+-                                                               DNS_NAMEATTR_ANSWER;
+                                                           DNS_NAMEATTR_ANSWER;
+                                                }
+                                                rdataset->attributes |= aflag;
+                                                if (aa)
+@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
+                                        return (DNS_R_FORMERR);
+                                }
+ 
+-                               if (namereln != dns_namereln_subdomain) {
+                               if (dnamereln != dns_namereln_subdomain) {
+                                        char qbuf[DNS_NAME_FORMATSIZE];
+                                        char obuf[DNS_NAME_FORMATSIZE];
+ 
+-                                       dns_name_format(qname, qbuf,
+                                       dns_name_format(dqname, qbuf,
+                                                        sizeof(qbuf));
+                                        dns_name_format(name, obuf,
+                                                        sizeof(obuf));
+@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
+                                        want_chaining = ISC_TRUE;
+                                        POST(want_chaining);
+                                        aflag = DNS_RDATASETATTR_ANSWER;
+-                                       result = dname_target(rdataset, qname,
+                                       result = dname_target(rdataset, dqname,
+                                                              nlabels, &fdname);
+                                        if (result == ISC_R_NOSPACE) {
+                                                /*
+@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
+ 
+                                        dname = dns_fixedname_name(&fdname);
+                                        if (!is_answertarget_allowed(view,
+-                                                       qname, rdataset->type,
+-                                                       dname, &fctx->domain)) {
+                                                    dqname, rdataset->type,
+                                                    dname, &fctx->domain))
+                                       {
+                                                return (DNS_R_SERVFAIL);
+                                        }
+                                       dqname = dns_fixedname_name(&fqdname);
+                                       dns_name_copy(dname, dqname, NULL);
+                                } else {
+                                        /*
+                                         * We've found a signature that
+@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
+                                        INSIST(!external);
+                                        if (aflag == DNS_RDATASETATTR_ANSWER) {
+                                                have_answer = ISC_TRUE;
+                                               found_dname = ISC_TRUE;
+                                               if (cname != NULL)
+                                                       cname->attributes &=
+                                                          ~DNS_NAMEATTR_ANSWER;
+                                                name->attributes |=
+                                                        DNS_NAMEATTR_ANSWER;
+                                        }
+-- 
+2.7.4
author	Yi Zhao <yi.zhao@windriver.com>	2017-04-13 13:48:12 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-29 11:17:23 +0100
commit	e9c8cbdf020296325b275b10e36e5227173339ee (patch)
tree	67a1ea42e49ad8b71cff9ccf76128445c8c60c94 /meta/recipes-connectivity/bind/bind
parent	ad6bb68906e82c6861becfd1e4516b39de3a882f (diff)
download	poky-e9c8cbdf020296325b275b10e36e5227173339ee.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch new file mode 100644 index 0000000000..b52d6800ff --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
	1	From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Fri, 21 Oct 2016 14:55:10 +1100
	4	Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
	5	processing a response. (CVE-2016-8864) [RT #43465]
	6
	7	(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
	8
	9	Upstream-Status: Backport
	10	[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
	11
	12	CVE: CVE-2016-8864
	13
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	CHANGES \| 3 +++
	17	lib/dns/resolver.c \| 69 +++++++++++++++++++++++++++++++++++++-----------------
	18	2 files changed, 50 insertions(+), 22 deletions(-)
	19
	20	diff --git a/CHANGES b/CHANGES
	21	index 5c8c61a..41cfce5 100644
	22	--- a/CHANGES
	23	+++ b/CHANGES
	24	@@ -1,3 +1,6 @@
	25	+4489. [security] It was possible to trigger assertions when processing
	26	+ a response. (CVE-2016-8864) [RT #43465]
	27	+
	28	4467. [security] It was possible to trigger an assertion when
	29	rendering a message. (CVE-2016-2776) [RT #43139]
	30
	31	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
	32	index ba1ae23..13c8b44 100644
	33	--- a/lib/dns/resolver.c
	34	+++ b/lib/dns/resolver.c
	35	@@ -612,7 +612,9 @@ valcreate(fetchctx_t fctx, dns_adbaddrinfo_t addrinfo, dns_name_t *name,
	36	valarg->addrinfo = addrinfo;
	37
	38	if (!ISC_LIST_EMPTY(fctx->validators))
	39	- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
	40	+ valoptions \|= DNS_VALIDATOR_DEFER;
	41	+ else
	42	+ valoptions &= ~DNS_VALIDATOR_DEFER;
	43
	44	result = dns_validator_create(fctx->res->view, name, type, rdataset,
	45	sigrdataset, fctx->rmessage,
	46	@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
	47	rdataset,
	48	sigrdataset,
	49	valoptions, task);
	50	- /*
	51	- * Defer any further validations.
	52	- * This prevents multiple validators
	53	- * from manipulating fctx->rmessage
	54	- * simultaneously.
	55	- */
	56	- valoptions \|= DNS_VALIDATOR_DEFER;
	57	}
	58	} else if (CHAINING(rdataset)) {
	59	if (rdataset->type == dns_rdatatype_cname)
	60	@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
	61	eresult == DNS_R_NCACHENXRRSET);
	62	}
	63	event->result = eresult;
	64	+ if (adbp != NULL && *adbp != NULL) {
	65	+ if (anodep != NULL && *anodep != NULL)
	66	+ dns_db_detachnode(*adbp, anodep);
	67	+ dns_db_detach(adbp);
	68	+ }
	69	dns_db_attach(fctx->cache, adbp);
	70	dns_db_transfernode(fctx->cache, &node, anodep);
	71	clone_results(fctx);
	72	@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t fctx, dns_adbaddrinfo_t addrinfo,
	73	fctx->attributes \|= FCTX_ATTR_HAVEANSWER;
	74	if (event != NULL) {
	75	event->result = eresult;
	76	+ if (adbp != NULL && *adbp != NULL) {
	77	+ if (anodep != NULL && *anodep != NULL)
	78	+ dns_db_detachnode(*adbp, anodep);
	79	+ dns_db_detach(adbp);
	80	+ }
	81	dns_db_attach(fctx->cache, adbp);
	82	dns_db_transfernode(fctx->cache, &node, anodep);
	83	clone_results(fctx);
	84	@@ -6718,13 +6723,15 @@ static isc_result_t
	85	answer_response(fetchctx_t *fctx) {
	86	isc_result_t result;
	87	dns_message_t *message;
	88	- dns_name_t name, dname, qname, tname, ns_name;
	89	+ dns_name_t name, dname = NULL, qname, dqname, tname, *ns_name;
	90	+ dns_name_t *cname = NULL;
	91	dns_rdataset_t rdataset, ns_rdataset;
	92	isc_boolean_t done, external, chaining, aa, found, want_chaining;
	93	- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
	94	+ isc_boolean_t have_answer, found_cname, found_dname, found_type;
	95	+ isc_boolean_t wanted_chaining;
	96	unsigned int aflag;
	97	dns_rdatatype_t type;
	98	- dns_fixedname_t fdname, fqname;
	99	+ dns_fixedname_t fdname, fqname, fqdname;
	100	dns_view_t *view;
	101
	102	FCTXTRACE("answer_response");
	103	@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
	104
	105	done = ISC_FALSE;
	106	found_cname = ISC_FALSE;
	107	+ found_dname = ISC_FALSE;
	108	found_type = ISC_FALSE;
	109	chaining = ISC_FALSE;
	110	have_answer = ISC_FALSE;
	111	@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
	112	aa = ISC_TRUE;
	113	else
	114	aa = ISC_FALSE;
	115	- qname = &fctx->name;
	116	+ dqname = qname = &fctx->name;
	117	type = fctx->type;
	118	view = fctx->res->view;
	119	+ dns_fixedname_init(&fqdname);
	120	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
	121	while (!done && result == ISC_R_SUCCESS) {
	122	- dns_namereln_t namereln;
	123	+ dns_namereln_t namereln, dnamereln;
	124	int order;
	125	unsigned int nlabels;
	126
	127	@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
	128	dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
	129	external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
	130	namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
	131	+ dnamereln = dns_name_fullcompare(dqname, name, &order,
	132	+ &nlabels);
	133	if (namereln == dns_namereln_equal) {
	134	wanted_chaining = ISC_FALSE;
	135	for (rdataset = ISC_LIST_HEAD(name->list);
	136	@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
	137	}
	138	} else if (rdataset->type == dns_rdatatype_rrsig
	139	&& rdataset->covers ==
	140	- dns_rdatatype_cname
	141	+ dns_rdatatype_cname
	142	&& !found_type) {
	143	/*
	144	* We're looking for something else,
	145	@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
	146	* a CNAME or DNAME).
	147	*/
	148	INSIST(!external);
	149	- if (aflag ==
	150	- DNS_RDATASETATTR_ANSWER) {
	151	+ if ((rdataset->type !=
	152	+ dns_rdatatype_cname) \|\|
	153	+ !found_dname \|\|
	154	+ (aflag ==
	155	+ DNS_RDATASETATTR_ANSWER))
	156	+ {
	157	have_answer = ISC_TRUE;
	158	+ if (rdataset->type ==
	159	+ dns_rdatatype_cname)
	160	+ cname = name;
	161	name->attributes \|=
	162	- DNS_NAMEATTR_ANSWER;
	163	+ DNS_NAMEATTR_ANSWER;
	164	}
	165	rdataset->attributes \|= aflag;
	166	if (aa)
	167	@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
	168	return (DNS_R_FORMERR);
	169	}
	170
	171	- if (namereln != dns_namereln_subdomain) {
	172	+ if (dnamereln != dns_namereln_subdomain) {
	173	char qbuf[DNS_NAME_FORMATSIZE];
	174	char obuf[DNS_NAME_FORMATSIZE];
	175
	176	- dns_name_format(qname, qbuf,
	177	+ dns_name_format(dqname, qbuf,
	178	sizeof(qbuf));
	179	dns_name_format(name, obuf,
	180	sizeof(obuf));
	181	@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
	182	want_chaining = ISC_TRUE;
	183	POST(want_chaining);
	184	aflag = DNS_RDATASETATTR_ANSWER;
	185	- result = dname_target(rdataset, qname,
	186	+ result = dname_target(rdataset, dqname,
	187	nlabels, &fdname);
	188	if (result == ISC_R_NOSPACE) {
	189	/*
	190	@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
	191
	192	dname = dns_fixedname_name(&fdname);
	193	if (!is_answertarget_allowed(view,
	194	- qname, rdataset->type,
	195	- dname, &fctx->domain)) {
	196	+ dqname, rdataset->type,
	197	+ dname, &fctx->domain))
	198	+ {
	199	return (DNS_R_SERVFAIL);
	200	}
	201	+ dqname = dns_fixedname_name(&fqdname);
	202	+ dns_name_copy(dname, dqname, NULL);
	203	} else {
	204	/*
	205	* We've found a signature that
	206	@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
	207	INSIST(!external);
	208	if (aflag == DNS_RDATASETATTR_ANSWER) {
	209	have_answer = ISC_TRUE;
	210	+ found_dname = ISC_TRUE;
	211	+ if (cname != NULL)
	212	+ cname->attributes &=
	213	+ ~DNS_NAMEATTR_ANSWER;
	214	name->attributes \|=
	215	DNS_NAMEATTR_ANSWER;
	216	}
	217	--
	218	2.7.4
	219