packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bind: add some patches

Browse Source 
Signed-off-by: huangyu <huangyu106@huawei.com>
This commit is contained in:
gaoxingwang 2022-09-29 16:57:21 +08:00 committed by jiangheng
parent bcc9ae1d6c
commit bd4dc94bf1
7 changed files with 773 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
backport-0002-Fix-catalog-zone-reconfiguration-crash.patch Normal file
View File

@ -0,0 +1,119 @@
From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 11 Oct 2021 18:13:39 +0000
Subject: [PATCH] Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a
---
bin/named/server.c | 2 ++
lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++
lib/dns/win32/libdns.def.in | 2 ++
lib/dns/zone.c | 18 ++++++++++++++++++
4 files changed, 42 insertions(+)
diff --git a/bin/named/server.c b/bin/named/server.c
index 860ccae8a1..9c0f12f63f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (zone_is_catz) {
dns_zone_catz_enable(zone, view->catzs);
+ } else if (dns_zone_catz_is_enabled(zone)) {
+ dns_zone_catz_disable(zone);
}
/*
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 08e2263c5b..33ab5c60fd 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
* \li prior to calling, zone->catzs is NULL or is equal to 'catzs'
*/
+void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
void
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
/*%<
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 31f511103f..1e0f7cf64a 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown
dns_zone_addnsec3chain
dns_zone_asyncload
dns_zone_attach
+dns_zone_catz_disable
dns_zone_catz_enable
dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
dns_zone_cdscheck
dns_zone_checknames
dns_zone_clearforwardacl
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 65a3aacab7..bc33e6ede8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
UNLOCK_ZONE(zone);
}
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->catzs != NULL) {
+ dns_catz_catzs_detach(&zone->catzs);
+ }
+ UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->catzs != NULL);
+}
+
/*
* If a zone is a catalog zone, attach it to update notification in database.
*/
--
2.27.0

162
backport-0003-Improve-the-logging-on-failed-TCP-accept.patch Normal file
View File

@ -0,0 +1,162 @@
From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 1 Dec 2021 17:41:20 +0100
Subject: [PATCH] Improve the logging on failed TCP accept
Previously, when TCP accept failed, we have logged a message with
ISC_LOG_ERROR level. One common case, how this could happen is that the
client hits TCP client quota and is put on hold and when resumed, the
client has already given up and closed the TCP connection. In such
case, the named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6
---
lib/isc/netmgr/netmgr-int.h | 3 +++
lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++
lib/isc/netmgr/tcp.c | 20 ++------------------
lib/isc/netmgr/tcpdns.c | 22 ++--------------------
4 files changed, 34 insertions(+), 38 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index f7b54f9..b4299d5 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
void
isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
#define STREAM_CLIENTS_PER_CONN 23
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 3283eb6e4f..54042a9123 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
}
}
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+ int level;
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOCONN:
+ return;
+ case ISC_R_QUOTA:
+ case ISC_R_SOFTQUOTA:
+ if (!can_log_quota) {
+ return;
+ }
+ level = ISC_LOG_INFO;
+ break;
+ case ISC_R_NOTCONNECTED:
+ level = ISC_LOG_INFO;
+ break;
+ default:
+ level = ISC_LOG_ERROR;
+ }
+
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+ level, "Accepting TCP connection failed: %s",
+ isc_result_totext(result));
+}
+
static void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 5cca9f5214..1b5e80d3a7 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
void
@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
result = accept_connection(sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
static isc_result_t
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 188790c8b4..b76dcbc66c 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
void
@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(ievent->sock->tid == isc_nm_tid());
result = accept_connection(ievent->sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
static isc_result_t
--
2.27.0

85
backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch Normal file
View File

@ -0,0 +1,85 @@
From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 5 Jan 2022 09:38:36 +0000
Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable
functions
Separate the locked parts of dns_zone_catz_enable() and
dns_zone_catz_disable() functions into static functions. This will
let us perform those tasks from the other parts of the module while
the zone is locked, avoiding one pair of additional unlocking and
locking operations.
(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612
---
lib/dns/zone.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2faf12519e..9205271574 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -871,6 +871,10 @@ static inline void
zone_attachdb(dns_zone_t *zone, dns_db_t *db);
static inline void
zone_detachdb(dns_zone_t *zone);
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+static void
+zone_catz_disable(dns_zone_t *zone);
static isc_result_t
default_journal(dns_zone_t *zone);
static void
@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
zone->rpzs->zones[zone->rpz_num]);
}
-void
-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(catzs != NULL);
- LOCK_ZONE(zone);
INSIST(zone->catzs == NULL || zone->catzs == catzs);
dns_catz_catzs_set_view(catzs, zone->view);
if (zone->catzs == NULL) {
dns_catz_catzs_attach(catzs, &zone->catzs);
}
- UNLOCK_ZONE(zone);
}
void
-dns_zone_catz_disable(dns_zone_t *zone) {
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
+ zone_catz_enable(zone, catzs);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
if (zone->catzs != NULL) {
dns_catz_catzs_detach(&zone->catzs);
}
+}
+
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone_catz_disable(zone);
UNLOCK_ZONE(zone);
}
--
2.27.0

235
backport-0036-Check-if-key-metadata-is-modified-before-writing.patch Normal file
View File

@ -0,0 +1,235 @@
From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 3 May 2022 12:28:31 +0200
Subject: [PATCH] Check if key metadata is modified before writing
Add a new parameter to the dst_key structure, mark a key modified if
dst_key_(un)set[bool,num,state,time] is called. Only write out key
files during a keymgr run if the metadata has changed.
(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3
---
lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++
lib/dns/dst_internal.h | 1 +
lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++
lib/dns/keymgr.c | 17 ++++++++++++++++-
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index ab371330f0..8873a041b8 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) {
return (key->external);
}
+void
+dst_key_setmodified(dst_key_t *key, bool value) {
+ key->modified = value;
+}
+
+bool
+dst_key_ismodified(dst_key_t *key) {
+ return (key->modified);
+}
+
isc_result_t
dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
int type, const char *directory, isc_mem_t *mctx,
@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
(pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
{
RETERR(computeid(pubkey));
+ pubkey->modified = false;
*keyp = pubkey;
pubkey = NULL;
goto out;
@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
RETERR(DST_R_INVALIDPRIVATEKEY);
}
+ key->modified = false;
*keyp = key;
key = NULL;
@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->boolset[type] ||
+ key->bools[type] != value;
key->bools[type] = value;
key->boolset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->boolset[type];
key->boolset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->numset[type] ||
+ key->nums[type] != value;
key->nums[type] = value;
key->numset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->numset[type];
key->numset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->timeset[type] ||
+ key->times[type] != when;
key->times[type] = when;
key->timeset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->timeset[type];
key->timeset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->keystateset[type] ||
+ key->keystates[type] != state;
key->keystates[type] = state;
key->keystateset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->keystateset[type];
key->keystateset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
dst_key_unsetstate(to, i);
}
}
+
+ dst_key_setmodified(to, dst_key_ismodified(from));
}
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index e26837bfe4..4933cfd5aa 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -147,6 +147,7 @@ struct dst_key {
bool inactive; /*%< private key not present as it is
* inactive */
bool external; /*%< external key */
+ bool modified; /*%< set to true if key file metadata has changed */
int fmt_major; /*%< private key format, major version
* */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d50761a63c..eab5501029 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key);
* 'key' to be valid.
*/
+void
+dst_key_setmodified(dst_key_t *key, bool value);
+/*%<
+ * If 'value' is true, this marks the key to indicate that key file metadata
+ * has been modified. If 'value' is false, this resets the value, for example
+ * after you have written the key to file.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
+bool
+dst_key_ismodified(dst_key_t *key);
+/*%<
+ * Check if the key file has been modified.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
bool
dst_key_haskasp(dst_key_t *key);
/*%<
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 965782b1f3..b01286575f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1512,6 +1512,7 @@ transition:
/* It is safe to make the transition. */
dst_key_setstate(dkey->key, i, next_state);
dst_key_settime(dkey->key, keystatetimes[i], now);
+ INSIST(dst_key_ismodified(dkey->key));
changed = true;
}
}
@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
dkey = ISC_LIST_NEXT(dkey, link))
{
- if (!dkey->purge) {
+ if (dst_key_ismodified(dkey->key) && !dkey->purge) {
dns_dnssec_get_hints(dkey, now);
RETERR(dst_key_tofile(dkey->key, options, directory));
+ dst_key_setmodified(dkey->key, false);
}
}
@@ -2205,6 +2207,13 @@ failure:
}
}
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(origin, namebuf, sizeof(namebuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3),
+ "keymgr: %s done", namebuf);
+ }
return (result);
}
@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(ksk_key, now);
result = dst_key_tofile(ksk_key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(ksk_key->key, false);
+ }
isc_dir_close(&dir);
return (result);
@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(key, now);
result = dst_key_tofile(key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(key->key, false);
+ }
isc_dir_close(&dir);
return (result);
--
2.27.0

76
backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch Normal file
View File

@ -0,0 +1,76 @@
From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 16 May 2022 19:00:47 +0200
Subject: [PATCH] Fix CID 352776: Concurrent data access violations
*** CID 352776: Concurrent data access violations (MISSING_LOCK)
/lib/dns/dst_api.c: 474 in dst_key_setmodified()
468 dst_key_isexternal(dst_key_t *key) {
469 return (key->external);
470 }
471
472 void
473 dst_key_setmodified(dst_key_t *key, bool value) {
>>> CID 352776: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "key->modified" without holding lock
>>> "dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with
>>> "dst_key.mdlock" held 8 out of 11 times (8 of these accesses
>>> strongly imply that it is necessary).
474 key->modified = value;
475 }
476
477 bool
478 dst_key_ismodified(dst_key_t *key) {
479 return (key->modified);
(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd
---
lib/dns/dst_api.c | 12 ++++++++++--
lib/dns/include/dst/dst.h | 2 +-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 8873a041b8..e5a52aea37 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) {
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ isc_mutex_lock(&key->mdlock);
key->modified = value;
+ isc_mutex_unlock(&key->mdlock);
}
bool
-dst_key_ismodified(dst_key_t *key) {
- return (key->modified);
+dst_key_ismodified(const dst_key_t *key) {
+ bool modified;
+
+ isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ modified = key->modified;
+ isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+
+ return (modified);
}
isc_result_t
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index eab5501029..3185e9f91b 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value);
*/
bool
-dst_key_ismodified(dst_key_t *key);
+dst_key_ismodified(const dst_key_t *key);
/*%<
* Check if the key file has been modified.
*
--
2.27.0

70
backport-0037-Require-valid-key-for-dst_key-functions.patch Normal file
View File

@ -0,0 +1,70 @@
From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 17 May 2022 12:02:43 +0200
Subject: [PATCH] Require valid key for dst_key functions
Make sure that the key structure is valid when calling the following
functions:
- dst_key_setexternal
- dst_key_isexternal
- dst_key_setmodified
- dst_key_ismodified
This commit is adapted because 9.16 has a different approach
of deconsting the variable.
(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb
---
lib/dns/dst_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index e5a52aea37..f5741a1af4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
void
dst_key_setexternal(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
key->external = value;
}
bool
dst_key_isexternal(dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+
return (key->external);
}
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
isc_mutex_lock(&key->mdlock);
key->modified = value;
isc_mutex_unlock(&key->mdlock);
@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) {
bool
dst_key_ismodified(const dst_key_t *key) {
bool modified;
+ dst_key_t *k;
- isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ REQUIRE(VALID_KEY(key));
+
+ DE_CONST(key, k);
+
+ isc_mutex_lock(&k->mdlock);
modified = key->modified;
- isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+ isc_mutex_unlock(&k->mdlock);
return (modified);
}
--
2.27.0

28
bind.spec
View File

@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 10
Release: 11
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -87,7 +87,14 @@ Patch6004: CVE-2022-38178.patch
Patch6005: CVE-2022-3080.patch
Patch6006: CVE-2022-2881.patch
Patch6007: CVE-2022-2906.patch
Patch9000: bugfix-limit-numbers-of-test-threads.patch
Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch
Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch
Patch6010:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch
Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch
Patch6012:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch
Patch6013:backport-0037-Require-valid-key-for-dst_key-functions.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
%{?systemd_ordering}
Requires: coreutils
@ -392,6 +399,12 @@ in HTML and PDF format.
%patch6006 -p1
%patch6007 -p1
%patch9000 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1115,6 +1128,17 @@ fi;
%endif
%changelog
* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: Fix catalog zone reconfiguration crash
Improve the logging on failed TCP accept
Separate the locked parts of dns_zone_catz_enable-di
Check if key-metadata is modified before writing
Fix CID-352776 Concurrent data access violations
Require valid key for dst_key functions
* Wed Sep 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-10
- DESC: fix CVE-2022-2795 CVE-2022-38177 CVE-2022-38178
CVE-2022-3080 CVE-2022-2906 CVE-2022-2881