diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-05-27 17:56:38 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-06-02 13:32:50 +0100 |
commit | fb2a7918923d01f69dd2fe4f7c223eaecb14af3e (patch) | |
tree | 36c33aa84df943d10cfd219efa4643fd287c336b /meta/recipes-connectivity | |
parent | 657d14a41ff89d735e0f5e8e7e418c66943f0ff1 (diff) | |
download | poky-fb2a7918923d01f69dd2fe4f7c223eaecb14af3e.tar.gz |
bind: fix CVE-2020-8616/7
fix CVE-2020-8616 and CVE-2020-8617
(From OE-Core rev: b280b3fe22a1fda62707bfa40ca78439ad201736)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch | 206 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch | 29 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.11.5-P4.bb | 2 |
3 files changed, 237 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch new file mode 100644 index 0000000000..8f00231919 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch | |||
@@ -0,0 +1,206 @@ | |||
1 | Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch] | ||
2 | CVE: CVE-2020-8616 | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | --- | ||
5 | diff --git a/lib/dns/adb.c b/lib/dns/adb.c | ||
6 | index 058495f6a5..6b8a9537f0 100644 | ||
7 | --- a/lib/dns/adb.c | ||
8 | +++ b/lib/dns/adb.c | ||
9 | @@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...) | ||
10 | */ | ||
11 | #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) | ||
12 | #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) | ||
13 | -#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ | ||
14 | - != 0) | ||
15 | -#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ | ||
16 | - != 0) | ||
17 | -#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) | ||
18 | -#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) | ||
19 | -#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) | ||
20 | -#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) | ||
21 | +#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) | ||
22 | +#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) | ||
23 | +#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) | ||
24 | +#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) | ||
25 | +#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) | ||
26 | +#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) | ||
27 | +#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) | ||
28 | |||
29 | /* | ||
30 | * These are currently used on simple unsigned ints, so they are | ||
31 | @@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
32 | * Listen to negative cache hints, and don't start | ||
33 | * another query. | ||
34 | */ | ||
35 | - if (NCACHE_RESULT(result) || AUTH_NX(result)) | ||
36 | + if (NCACHE_RESULT(result) || AUTH_NX(result)) { | ||
37 | goto fetch; | ||
38 | + } | ||
39 | |||
40 | - if (!NAME_FETCH_V6(adbname)) | ||
41 | + if (!NAME_FETCH_V6(adbname)) { | ||
42 | wanted_fetches |= DNS_ADBFIND_INET6; | ||
43 | + } | ||
44 | } | ||
45 | |||
46 | fetch: | ||
47 | if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || | ||
48 | (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) | ||
49 | + { | ||
50 | have_address = true; | ||
51 | - else | ||
52 | + } else { | ||
53 | have_address = false; | ||
54 | - if (wanted_fetches != 0 && | ||
55 | - ! (FIND_AVOIDFETCHES(find) && have_address)) { | ||
56 | + } | ||
57 | + if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && | ||
58 | + !FIND_NOFETCH(find)) | ||
59 | + { | ||
60 | /* | ||
61 | * We're missing at least one address family. Either the | ||
62 | * caller hasn't instructed us to avoid fetches, or we don't | ||
63 | @@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
64 | * be acceptable so we have to launch fetches. | ||
65 | */ | ||
66 | |||
67 | - if (FIND_STARTATZONE(find)) | ||
68 | + if (FIND_STARTATZONE(find)) { | ||
69 | start_at_zone = true; | ||
70 | + } | ||
71 | |||
72 | /* | ||
73 | * Start V4. | ||
74 | diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h | ||
75 | index 63a13c4e41..edf6e54935 100644 | ||
76 | --- a/lib/dns/include/dns/adb.h | ||
77 | +++ b/lib/dns/include/dns/adb.h | ||
78 | @@ -207,6 +207,10 @@ struct dns_adbfind { | ||
79 | * lame for this query. | ||
80 | */ | ||
81 | #define DNS_ADBFIND_OVERQUOTA 0x00000400 | ||
82 | +/*% | ||
83 | + * Don't perform a fetch even if there are no address records available. | ||
84 | + */ | ||
85 | +#define DNS_ADBFIND_NOFETCH 0x00000800 | ||
86 | |||
87 | /*% | ||
88 | * The answers to queries come back as a list of these. | ||
89 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
90 | index 7c44478a26..0a40859d08 100644 | ||
91 | --- a/lib/dns/resolver.c | ||
92 | +++ b/lib/dns/resolver.c | ||
93 | @@ -172,6 +172,14 @@ | ||
94 | #define DEFAULT_MAX_QUERIES 75 | ||
95 | #endif | ||
96 | |||
97 | +/* | ||
98 | + * After NS_FAIL_LIMIT attempts to fetch a name server address, | ||
99 | + * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, | ||
100 | + * stop trying to fetch, in order to avoid wasting resources. | ||
101 | + */ | ||
102 | +#define NS_FAIL_LIMIT 4 | ||
103 | +#define NS_RR_LIMIT 5 | ||
104 | + | ||
105 | /* Number of hash buckets for zone counters */ | ||
106 | #ifndef RES_DOMAIN_BUCKETS | ||
107 | #define RES_DOMAIN_BUCKETS 523 | ||
108 | @@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { | ||
109 | static void | ||
110 | findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, | ||
111 | unsigned int options, unsigned int flags, isc_stdtime_t now, | ||
112 | - bool *overquota, bool *need_alternate) | ||
113 | -{ | ||
114 | + bool *overquota, bool *need_alternate, unsigned int *no_addresses) { | ||
115 | dns_adbaddrinfo_t *ai; | ||
116 | dns_adbfind_t *find; | ||
117 | dns_resolver_t *res; | ||
118 | @@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, | ||
119 | find->result_v6 != DNS_R_NXDOMAIN) || | ||
120 | (res->dispatches6 == NULL && | ||
121 | find->result_v4 != DNS_R_NXDOMAIN))) | ||
122 | + { | ||
123 | *need_alternate = true; | ||
124 | + } | ||
125 | + if (no_addresses != NULL) { | ||
126 | + (*no_addresses)++; | ||
127 | + } | ||
128 | } else { | ||
129 | if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { | ||
130 | if (overquota != NULL) | ||
131 | @@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
132 | dns_rdata_ns_t ns; | ||
133 | bool need_alternate = false; | ||
134 | bool all_spilled = true; | ||
135 | + unsigned int no_addresses = 0; | ||
136 | |||
137 | FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); | ||
138 | |||
139 | @@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
140 | * Extract the name from the NS record. | ||
141 | */ | ||
142 | result = dns_rdata_tostruct(&rdata, &ns, NULL); | ||
143 | - if (result != ISC_R_SUCCESS) | ||
144 | + if (result != ISC_R_SUCCESS) { | ||
145 | continue; | ||
146 | + } | ||
147 | |||
148 | - findname(fctx, &ns.name, 0, stdoptions, 0, now, | ||
149 | - &overquota, &need_alternate); | ||
150 | + if (no_addresses > NS_FAIL_LIMIT && | ||
151 | + dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) | ||
152 | + { | ||
153 | + stdoptions |= DNS_ADBFIND_NOFETCH; | ||
154 | + } | ||
155 | + findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, | ||
156 | + &need_alternate, &no_addresses); | ||
157 | |||
158 | - if (!overquota) | ||
159 | + if (!overquota) { | ||
160 | all_spilled = false; | ||
161 | + } | ||
162 | |||
163 | dns_rdata_reset(&rdata); | ||
164 | dns_rdata_freestruct(&ns); | ||
165 | } | ||
166 | - if (result != ISC_R_NOMORE) | ||
167 | + if (result != ISC_R_NOMORE) { | ||
168 | return (result); | ||
169 | + } | ||
170 | |||
171 | /* | ||
172 | * Do we need to use 6 to 4? | ||
173 | @@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
174 | if (!a->isaddress) { | ||
175 | findname(fctx, &a->_u._n.name, a->_u._n.port, | ||
176 | stdoptions, FCTX_ADDRINFO_FORWARDER, | ||
177 | - now, NULL, NULL); | ||
178 | + now, NULL, NULL, NULL); | ||
179 | continue; | ||
180 | } | ||
181 | if (isc_sockaddr_pf(&a->_u.addr) != family) | ||
182 | @@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { | ||
183 | } | ||
184 | } | ||
185 | |||
186 | - if (dns_name_countlabels(&fctx->domain) > 2) { | ||
187 | - result = isc_counter_increment(fctx->qc); | ||
188 | - if (result != ISC_R_SUCCESS) { | ||
189 | - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, | ||
190 | - DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), | ||
191 | - "exceeded max queries resolving '%s'", | ||
192 | - fctx->info); | ||
193 | - fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); | ||
194 | - return; | ||
195 | - } | ||
196 | + result = isc_counter_increment(fctx->qc); | ||
197 | + if (result != ISC_R_SUCCESS) { | ||
198 | + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, | ||
199 | + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), | ||
200 | + "exceeded max queries resolving '%s'", | ||
201 | + fctx->info); | ||
202 | + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); | ||
203 | + return; | ||
204 | } | ||
205 | |||
206 | bucketnum = fctx->bucketnum; | ||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch new file mode 100644 index 0000000000..d8769c45cc --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch] | ||
2 | CVE: CVE-2020-8617 | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | --- | ||
5 | diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c | ||
6 | index b597a18d49..6357a3a486 100644 | ||
7 | --- a/lib/dns/tsig.c | ||
8 | +++ b/lib/dns/tsig.c | ||
9 | @@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, | ||
10 | goto cleanup_context; | ||
11 | } | ||
12 | msg->verified_sig = 1; | ||
13 | - } else if (tsig.error != dns_tsigerror_badsig && | ||
14 | - tsig.error != dns_tsigerror_badkey) { | ||
15 | + } else if (!response || (tsig.error != dns_tsigerror_badsig && | ||
16 | + tsig.error != dns_tsigerror_badkey)) | ||
17 | + { | ||
18 | tsig_log(msg->tsigkey, 2, "signature was empty"); | ||
19 | return (DNS_R_TSIGVERIFYFAILURE); | ||
20 | } | ||
21 | @@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, | ||
22 | } | ||
23 | } | ||
24 | |||
25 | - if (tsig.error != dns_rcode_noerror) { | ||
26 | + if (response && tsig.error != dns_rcode_noerror) { | ||
27 | msg->tsigstatus = tsig.error; | ||
28 | if (tsig.error == dns_tsigerror_badtime) | ||
29 | ret = DNS_R_CLOCKSKEW; | ||
diff --git a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb index b0bb64b7c7..68316e26ee 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb | |||
@@ -28,6 +28,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
28 | file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \ | 28 | file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \ |
29 | file://0006-restore-allowance-for-tcp-clients-interfaces.patch \ | 29 | file://0006-restore-allowance-for-tcp-clients-interfaces.patch \ |
30 | file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \ | 30 | file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \ |
31 | file://CVE-2020-8616.patch \ | ||
32 | file://CVE-2020-8617.patch \ | ||
31 | " | 33 | " |
32 | 34 | ||
33 | SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960" | 35 | SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960" |