fix CVE-2021-25220

2022-03-30 16:47:27 +08:00 · 2022-03-30 16:47:27 +08:00 · 561cbdf00a
commit 561cbdf00a
parent e94219e77c
2 changed files with 217 additions and 1 deletions
--- a/CVE-2021-25220.patch
+++ b/CVE-2021-25220.patch
@ -0,0 +1,208 @@
 Conflict: NA
 Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f1bc36f19362f9f2173bf9511e85781058f19c64
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index dd82f273a4d5a2d34edd1cbcba8c9daf78a71b34..677384b1081d060ccc0acc92e476eb7664577806 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -65,6 +65,8 @@
 #include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/validator.h>
 +#include <dns/zone.h>
 +
 #ifdef WANT_QUERYTRACE
 #define RTRACE(m)                                                             \
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
@@ -339,6 +341,8 @@ struct fetchctx {
 	dns_fetch_t *qminfetch;
 	dns_rdataset_t qminrrset;
 	dns_name_t qmindcname;
 +	dns_fixedname_t fwdfname;
 +	dns_name_t *fwdname;
 	/*%
 	 * The number of events we're waiting for.
@@ -3766,6 +3770,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 		if (result == ISC_R_SUCCESS) {
 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
 			fctx->fwdpolicy = forwarders->fwdpolicy;
 +			dns_name_copynf(domain, fctx->fwdname);
 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
 			    isstrictsubdomain(domain, &fctx->domain))
 			{
@@ -5155,6 +5160,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
 	fctx->restarts = 0;
 	fctx->querysent = 0;
 	fctx->referrals = 0;
 +
 +	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
 +
 	TIME_NOW(&fctx->start);
 	fctx->timeouts = 0;
 	fctx->lamecount = 0;
@@ -5217,6 +5225,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
 					   fname, &forwarders);
 		if (result == ISC_R_SUCCESS) {
 			fctx->fwdpolicy = forwarders->fwdpolicy;
 +			dns_name_copynf(fname, fctx->fwdname);
 		}
 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
@@ -7120,6 +7129,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
 	}
 }
 +/*
 + * Returns true if 'name' is external to the namespace for which
 + * the server being queried can answer, either because it's not a
 + * subdomain or because it's below a forward declaration or a
 + * locally served zone.
 + */
 +static inline bool
 +name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
 +	isc_result_t result;
 +	dns_forwarders_t *forwarders = NULL;
 +	dns_fixedname_t fixed, zfixed;
 +	dns_name_t *fname = dns_fixedname_initname(&fixed);
 +	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
 +	dns_name_t *apex = NULL;
 +	dns_name_t suffix;
 +	dns_zone_t *zone = NULL;
 +	unsigned int labels;
 +	dns_namereln_t rel;
 +
 +	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
 +
 +	/*
 +	 * The name is outside the queried namespace.
 +	 */
 +	rel = dns_name_fullcompare(name, apex, &(int){ 0 },
 +				   &(unsigned int){ 0U });
 +	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
 +		return (true);
 +	}
 +
 +	/*
 +	 * If the record lives in the parent zone, adjust the name so we
 +	 * look for the correct zone or forward clause.
 +	 */
 +	labels = dns_name_countlabels(name);
 +	if (dns_rdatatype_atparent(type) && labels > 1U) {
 +		dns_name_init(&suffix, NULL);
 +		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
 +		name = &suffix;
 +	} else if (rel == dns_namereln_equal) {
 +		/* If 'name' is 'apex', no further checking is needed. */
 +		return (false);
 +	}
 +
 +	/*
 +	 * If there is a locally served zone between 'apex' and 'name'
 +	 * then don't cache.
 +	 */
 +	LOCK(&fctx->res->view->lock);
 +	if (fctx->res->view->zonetable != NULL) {
 +		unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
 +		result = dns_zt_find(fctx->res->view->zonetable, name, options,
 +				     zfname, &zone);
 +		if (zone != NULL) {
 +			dns_zone_detach(&zone);
 +		}
 +		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 +			if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
 +						 &(unsigned int){ 0U }) ==
 +			    dns_namereln_subdomain)
 +			{
 +				UNLOCK(&fctx->res->view->lock);
 +				return (true);
 +			}
 +		}
 +	}
 +	UNLOCK(&fctx->res->view->lock);
 +
 +	/*
 +	 * Look for a forward declaration below 'name'.
 +	 */
 +	result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
 +				   &forwarders);
 +
 +	if (ISFORWARDER(fctx->addrinfo)) {
 +		/*
 +		 * See if the forwarder declaration is better.
 +		 */
 +		if (result == ISC_R_SUCCESS) {
 +			return (!dns_name_equal(fname, fctx->fwdname));
 +		}
 +
 +		/*
 +		 * If the lookup failed, the configuration must have
 +		 * changed: play it safe and don't cache.
 +		 */
 +		return (true);
 +	} else if (result == ISC_R_SUCCESS &&
 +		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
 +		   !ISC_LIST_EMPTY(forwarders->fwdrs))
 +	{
 +		/*
 +		 * If 'name' is covered by a 'forward only' clause then we
 +		 * can't cache this repsonse.
 +		 */
 +		return (true);
 +	}
 +
 +	return (false);
 +}
 +
 static isc_result_t
 check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
 	      dns_section_t section) {
@@ -7146,7 +7256,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
 	result = dns_message_findname(rctx->query->rmessage, section, addname,
 				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
 -		external = !dns_name_issubdomain(name, &fctx->domain);
 +		external = name_external(name, type, fctx);
 		if (type == dns_rdatatype_a) {
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
@@ -8770,6 +8880,13 @@ rctx_answer_scan(respctx_t *rctx) {
 			break;
 		case dns_namereln_subdomain:
 +			/*
 +			 * Don't accept DNAME from parent namespace.
 +			 */
 +			if (name_external(name, dns_rdatatype_dname, fctx)) {
 +				continue;
 +			}
 +
 			/*
 			 * In-scope DNAME records must have at least
 			 * as many labels as the domain being queried.
@@ -9083,13 +9200,11 @@ rctx_authority_positive(respctx_t *rctx) {
 				       DNS_SECTION_AUTHORITY);
 	while (!done && result == ISC_R_SUCCESS) {
 		dns_name_t *name = NULL;
 -		bool external;
 		dns_message_currentname(rctx->query->rmessage,
 					DNS_SECTION_AUTHORITY, &name);
 -		external = !dns_name_issubdomain(name, &fctx->domain);
 -		if (!external) {
 +		if (!name_external(name, dns_rdatatype_ns, fctx)) {
 			dns_rdataset_t *rdataset = NULL;
 			/*
@@ -9476,7 +9591,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
 		}
 		if (!dns_name_issubdomain(name, &fctx->domain)) {
 -			/* Invalid name found; preserve it for logging later */
 +			/*
 +			 * Invalid name found; preserve it for logging
 +			 * later.
 +			 */
 			rctx->found_name = name;
 			rctx->found_type = ISC_LIST_HEAD(name->list)->type;
 			continue;
--- a/bind.spec
+++ b/bind.spec
@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  2
+Release:  3
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -80,6 +80,7 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
 Patch6000: CVE-2022-0396.patch
 Patch6001: CVE-2021-25220.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -372,6 +373,7 @@ in HTML and PDF format.
 %patch164 -p1 -b .rh1666814
 %patch6000 -p1
 %patch6001 -p1
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1094,6 +1096,12 @@ fi;
 %endif
 %changelog
 * Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-3
 - Type:CVE
 - CVE:CVE-2021-25220
 - SUG:NA
 - DESC:fix CVE-2021-25220
 * Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-2
 - Type:CVE
 - CVE:CVE-2022-0396