bind: fix CVE-2021-25219

Backport patches to fix CVE-2021-25219. (From OE-Core rev: 918660a2d4bc89a763a5934765ff6a1647709fcc) (From OE-Core rev: 6dda02aa752c618f2adb0b1372e93b48a0a09a17) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 729693f0c250aec7dfdb91a9bb4dd5420c7efbee) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <mingli.yu@windriver.com> 2021-11-17 17:18:25 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-12-17 10:02:39 +0000
commit: 12b0635ae0cb295320e7ccb0a9cc07f83459df8c (patch)
tree: aa191d73765a55863c5e96ef890b75cee26664cb /meta
parent: 0430d232607f7e8de0ed551722443f3e638b54a6 (diff)
download: poky-12b0635ae0cb295320e7ccb0a9cc07f83459df8c.tar.gz
3 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch
new file mode 100644
index 0000000000..f63c333264
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch
@@ -0,0 +1,76 @@
+From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: [PATCH] Disable lame-ttl cache
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>.  This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+CVE: CVE-2021-25219
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bin/named/config.c    | 2 +-
+ bin/named/server.c    | 7 +++++--
+ doc/arm/reference.rst | 6 +++---
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+diff --git a/bin/named/config.c b/bin/named/config.c
+index fa8473db7c..b6453b814e 100644
+--- a/bin/named/config.c
+++ b/bin/named/config.c
+@@ -151,7 +151,7 @@ options {\n\
+        fetches-per-server 0;\n\
+        fetches-per-zone 0;\n\
+        glue-cache yes;\n\
+-       lame-ttl 600;\n"
+       lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+                            "   lmdb-mapsize 32M;\n"
+ #endif /* ifdef HAVE_LMDB */
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 638703e8c2..35ad6a0b7f 100644
+--- a/bin/named/server.c
+++ b/bin/named/server.c
+@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+        result = named_config_get(maps, "lame-ttl", &obj);
+        INSIST(result == ISC_R_SUCCESS);
+        lame_ttl = cfg_obj_asduration(obj);
+-       if (lame_ttl > 1800) {
+-               lame_ttl = 1800;
+       if (lame_ttl > 0) {
+               cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+                           "disabling lame cache despite lame-ttl > 0 as it "
+                           "may cause performance issues");
+               lame_ttl = 0;
+        }
+        dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 3bc4439745..fea854f3d1 100644
+--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
+@@ -3358,9 +3358,9 @@ Tuning
+ ^^^^^^
+ 
+ ``lame-ttl``
+-   This sets the number of seconds to cache a lame server indication. 0
+-   disables caching. (This is **NOT** recommended.) The default is
+-   ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
+   This is always set to 0. More information is available in the
+   `security advisory for CVE-2021-25219
+   <https://kb.isc.org/docs/cve-2021-25219>`_.
+ 
+ ``servfail-ttl``
+    This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch
new file mode 100644
index 0000000000..1217f7f186
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch
@@ -0,0 +1,65 @@
+From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Mon, 15 Nov 2021 16:26:52 +0800
+Subject: [PATCH] Enable lame response detection even with disabled lame cache
+Previously, when lame cache would be disabled by setting lame-ttl to 0,
+it would also disable lame answer detection.  In this commit, we enable
+the lame response detection even when the lame cache is disabled.  This
+enables stopping answer processing early rather than going through the
+whole answer processing flow.
+CVE: CVE-2021-25219
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/dns/resolver.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 50fadc0..9291bd4 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
+  */
+ static isc_result_t
+ rctx_lameserver(respctx_t *rctx) {
+-       isc_result_t result;
+       isc_result_t result = ISC_R_SUCCESS;
+        fetchctx_t *fctx = rctx->fctx;
+        resquery_t *query = rctx->query;
+ 
+-       if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
+-           !is_lame(fctx, query->rmessage))
+-       {
+       if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+                return (ISC_R_SUCCESS);
+        }
+ 
+        inc_stats(fctx->res, dns_resstatscounter_lame);
+        log_lame(fctx, query->addrinfo);
+-       result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
+-                                 fctx->type, rctx->now + fctx->res->lame_ttl);
+-       if (result != ISC_R_SUCCESS) {
+-               isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-                             DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+-                             "could not mark server as lame: %s",
+-                             isc_result_totext(result));
+       if (fctx->res->lame_ttl != 0) {
+               result = dns_adb_marklame(fctx->adb, query->addrinfo,
+                                         &fctx->name, fctx->type,
+                                         rctx->now + fctx->res->lame_ttl);
+               if (result != ISC_R_SUCCESS) {
+                       isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+                                     DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+                                     "could not mark server as lame: %s",
+                                     isc_result_totext(result));
+               }
+        }
+        rctx->broken_server = DNS_R_LAME;
+        rctx->next_server = true;
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/bind/bind_9.16.20.bb b/meta/recipes-connectivity/bind/bind_9.16.20.bb
index ddf323fb9c..0ba0a46b15 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.20.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.20.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2021-25219-1.patch \
+           file://CVE-2021-25219-2.patch \
           "
 SRC_URI[sha256sum] = "4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58"
author	Mingli Yu <mingli.yu@windriver.com>	2021-11-17 17:18:25 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-12-17 10:02:39 +0000
commit	12b0635ae0cb295320e7ccb0a9cc07f83459df8c (patch)
tree	aa191d73765a55863c5e96ef890b75cee26664cb /meta
parent	0430d232607f7e8de0ed551722443f3e638b54a6 (diff)
download	poky-12b0635ae0cb295320e7ccb0a9cc07f83459df8c.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch new file mode 100644 index 0000000000..f63c333264 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-1.patch
@@ -0,0 +1,76 @@
		1	From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
		3	Date: Fri, 24 Sep 2021 09:35:11 +0200
		4	Subject: [PATCH] Disable lame-ttl cache
		5
		6	The lame-ttl cache is implemented in ADB as per-server locked
		7	linked-list "indexed" with <qname,qtype>. This list has to be walked
		8	every time there's a new query or new record added into the lame cache.
		9	Determined attacker can use this to degrade performance of the resolver.
		10
		11	Resolver testing has shown that disabling the lame cache has little
		12	impact on the resolver performance and it's a minimal viable defense
		13	against this kind of attack.
		14
		15	CVE: CVE-2021-25219
		16
		17	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
		18
		19	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		20	---
		21	bin/named/config.c \| 2 +-
		22	bin/named/server.c \| 7 +++++--
		23	doc/arm/reference.rst \| 6 +++---
		24	3 files changed, 9 insertions(+), 6 deletions(-)
		25
		26	diff --git a/bin/named/config.c b/bin/named/config.c
		27	index fa8473db7c..b6453b814e 100644
		28	--- a/bin/named/config.c
		29	+++ b/bin/named/config.c
		30	@@ -151,7 +151,7 @@ options {\n\
		31	fetches-per-server 0;\n\
		32	fetches-per-zone 0;\n\
		33	glue-cache yes;\n\
		34	- lame-ttl 600;\n"
		35	+ lame-ttl 0;\n"
		36	#ifdef HAVE_LMDB
		37	" lmdb-mapsize 32M;\n"
		38	#endif /* ifdef HAVE_LMDB */
		39	diff --git a/bin/named/server.c b/bin/named/server.c
		40	index 638703e8c2..35ad6a0b7f 100644
		41	--- a/bin/named/server.c
		42	+++ b/bin/named/server.c
		43	@@ -4806,8 +4806,11 @@ configure_view(dns_view_t view, dns_viewlist_t viewlist, cfg_obj_t *config,
		44	result = named_config_get(maps, "lame-ttl", &obj);
		45	INSIST(result == ISC_R_SUCCESS);
		46	lame_ttl = cfg_obj_asduration(obj);
		47	- if (lame_ttl > 1800) {
		48	- lame_ttl = 1800;
		49	+ if (lame_ttl > 0) {
		50	+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
		51	+ "disabling lame cache despite lame-ttl > 0 as it "
		52	+ "may cause performance issues");
		53	+ lame_ttl = 0;
		54	}
		55	dns_resolver_setlamettl(view->resolver, lame_ttl);
		56
		57	diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
		58	index 3bc4439745..fea854f3d1 100644
		59	--- a/doc/arm/reference.rst
		60	+++ b/doc/arm/reference.rst
		61	@@ -3358,9 +3358,9 @@ Tuning
		62	^^^^^^
		63
		64	``lame-ttl``
		65	- This sets the number of seconds to cache a lame server indication. 0
		66	- disables caching. (This is NOT recommended.) The default is
		67	- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
		68	+ This is always set to 0. More information is available in the
		69	+ `security advisory for CVE-2021-25219
		70	+ <https://kb.isc.org/docs/cve-2021-25219>`_.
		71
		72	``servfail-ttl``
		73	This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
		74	--
		75	2.17.1
		76


diff --git a/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch new file mode 100644 index 0000000000..1217f7f186 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.16.20/CVE-2021-25219-2.patch
@@ -0,0 +1,65 @@
		1	From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
		3	Date: Mon, 15 Nov 2021 16:26:52 +0800
		4	Subject: [PATCH] Enable lame response detection even with disabled lame cache
		5
		6	Previously, when lame cache would be disabled by setting lame-ttl to 0,
		7	it would also disable lame answer detection. In this commit, we enable
		8	the lame response detection even when the lame cache is disabled. This
		9	enables stopping answer processing early rather than going through the
		10	whole answer processing flow.
		11
		12	CVE: CVE-2021-25219
		13
		14	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
		15
		16	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		17	---
		18	lib/dns/resolver.c \| 23 ++++++++++++-----------
		19	1 file changed, 12 insertions(+), 11 deletions(-)
		20
		21	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		22	index 50fadc0..9291bd4 100644
		23	--- a/lib/dns/resolver.c
		24	+++ b/lib/dns/resolver.c
		25	@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
		26	*/
		27	static isc_result_t
		28	rctx_lameserver(respctx_t *rctx) {
		29	- isc_result_t result;
		30	+ isc_result_t result = ISC_R_SUCCESS;
		31	fetchctx_t *fctx = rctx->fctx;
		32	resquery_t *query = rctx->query;
		33
		34	- if (fctx->res->lame_ttl == 0 \|\| ISFORWARDER(query->addrinfo) \|\|
		35	- !is_lame(fctx, query->rmessage))
		36	- {
		37	+ if (ISFORWARDER(query->addrinfo) \|\| !is_lame(fctx, query->rmessage)) {
		38	return (ISC_R_SUCCESS);
		39	}
		40
		41	inc_stats(fctx->res, dns_resstatscounter_lame);
		42	log_lame(fctx, query->addrinfo);
		43	- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
		44	- fctx->type, rctx->now + fctx->res->lame_ttl);
		45	- if (result != ISC_R_SUCCESS) {
		46	- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
		47	- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
		48	- "could not mark server as lame: %s",
		49	- isc_result_totext(result));
		50	+ if (fctx->res->lame_ttl != 0) {
		51	+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
		52	+ &fctx->name, fctx->type,
		53	+ rctx->now + fctx->res->lame_ttl);
		54	+ if (result != ISC_R_SUCCESS) {
		55	+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
		56	+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
		57	+ "could not mark server as lame: %s",
		58	+ isc_result_totext(result));
		59	+ }
		60	}
		61	rctx->broken_server = DNS_R_LAME;
		62	rctx->next_server = true;
		63	--
		64	2.17.1
		65


diff --git a/meta/recipes-connectivity/bind/bind_9.16.20.bb b/meta/recipes-connectivity/bind/bind_9.16.20.bb index ddf323fb9c..0ba0a46b15 100644 --- a/meta/recipes-connectivity/bind/bind_9.16.20.bb +++ b/meta/recipes-connectivity/bind/bind_9.16.20.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
18	file://bind-ensure-searching-for-json-headers-searches-sysr.patch \	18	file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
20	file://0001-avoid-start-failure-with-bind-user.patch \	20	file://0001-avoid-start-failure-with-bind-user.patch \
		21	file://CVE-2021-25219-1.patch \
		22	file://CVE-2021-25219-2.patch \
21	"	23	"
22		24
23	SRC_URI[sha256sum] = "4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58"	25	SRC_URI[sha256sum] = "4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58"