fix CVE-2021-25220

2022-03-30 16:04:51 +08:00 · 2022-03-30 16:04:51 +08:00 · 5ff97c72ad
commit 5ff97c72ad
parent 3e3d699ed8
2 changed files with 214 additions and 1 deletions
--- a/backport-CVE-2021-25220.patch
+++ b/backport-CVE-2021-25220.patch
@ -0,0 +1,205 @@
+Conflict: rmessage to fctx->rmessage
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fc9cb6cf91c1a36b797ffef0a277dbb3989d43dc
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 32cdbb9..153825c 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -63,6 +63,7 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
+#include <dns/zone.h>
+ 
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m)       isc_log_write(dns_lctx, \
+@@ -312,6 +313,8 @@ struct fetchctx {
+ 	bool			ns_ttl_ok;
+ 	uint32_t			ns_ttl;
+ 	isc_counter_t *			qc;
+	dns_fixedname_t			fwdfname;
+	dns_name_t			*fwdname;
+ 
+ 	/*%
+ 	 * The number of events we're waiting for.
+@@ -3386,6 +3389,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 		if (result == ISC_R_SUCCESS) {
+ 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copy(domain, fctx->fwdname, NULL);
+ 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ 			    isstrictsubdomain(domain, &fctx->domain)) {
+ 				fcount_decr(fctx);
+@@ -4415,6 +4419,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->restarts = 0;
+ 	fctx->querysent = 0;
+ 	fctx->referrals = 0;
+
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
+ 	TIME_NOW(&fctx->start);
+ 	fctx->timeouts = 0;
+ 	fctx->lamecount = 0;
+@@ -4473,8 +4480,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 		domain = dns_fixedname_initname(&fixed);
+ 		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
+ 					    domain, &forwarders);
+-		if (result == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS) {
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copy(domain, fctx->fwdname, NULL);
+		}
+ 
+ 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+ 			/*
+@@ -6224,6 +6233,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
+ 		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+ }
+ 
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders = NULL;
+	dns_fixedname_t fixed, zfixed;
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+	dns_name_t *apex = NULL;
+	dns_name_t suffix;
+	dns_zone_t *zone = NULL;
+	unsigned int labels;
+	dns_namereln_t rel;
+	/*
+	 * The following two variables do not influence code flow; they are
+	 * only necessary for calling dns_name_fullcompare().
+	 */
+	int _orderp = 0;
+	unsigned int _nlabelsp = 0;
+
+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+	/*
+	 * The name is outside the queried namespace.
+	 */
+	rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+		return (true);
+	}
+
+	/*
+	 * If the record lives in the parent zone, adjust the name so we
+	 * look for the correct zone or forward clause.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	} else if (rel == dns_namereln_equal) {
+		/* If 'name' is 'apex', no further checking is needed. */
+		return (false);
+	}
+
+	/*
+	 * If there is a locally served zone between 'apex' and 'name'
+	 * then don't cache.
+	 */
+	LOCK(&fctx->res->view->lock);
+	if (fctx->res->view->zonetable != NULL) {
+		unsigned int options = DNS_ZTFIND_NOEXACT;
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
+				     zfname, &zone);
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			if (dns_name_fullcompare(zfname, apex, &_orderp,
+						 &_nlabelsp) ==
+			    dns_namereln_subdomain)
+			{
+				UNLOCK(&fctx->res->view->lock);
+				return (true);
+			}
+		}
+	}
+	UNLOCK(&fctx->res->view->lock);
+
+	/*
+	 * Look for a forward declaration below 'name'.
+	 */
+	result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
+				    &forwarders);
+
+	if (ISFORWARDER(fctx->addrinfo)) {
+		/*
+		 * See if the forwarder declaration is better.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * If the lookup failed, the configuration must have
+		 * changed: play it safe and don't cache.
+		 */
+		return (true);
+	} else if (result == ISC_R_SUCCESS &&
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
+	{
+		/*
+		 * If 'name' is covered by a 'forward only' clause then we
+		 * can't cache this repsonse.
+		 */
+		return (true);
+	}
+
+	return (false);
+}
+
+ static isc_result_t
+ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ 	      dns_section_t section)
+@@ -6252,7 +6367,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ 	result = dns_message_findname(fctx->rmessage, section, addname,
+ 				      dns_rdatatype_any, 0, &name, NULL);
+ 	if (result == ISC_R_SUCCESS) {
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+		external = name_external(name, type, fctx);
+ 		if (type == dns_rdatatype_a) {
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+@@ -7134,6 +7249,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 			break;
+ 
+ 		case dns_namereln_subdomain:
+			/*
+			 * Don't accept DNAME from parent namespace.
+			 */
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
+				continue;
+			}
+
+ 			/*
+ 			 * In-scope DNAME records must have at least
+ 			 * as many labels as the domain being queried.
+@@ -7369,11 +7491,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 	 */
+ 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ 	while (!done && result == ISC_R_SUCCESS) {
+-		bool external;
+ 		name = NULL;
+ 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+-		if (!external) {
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ 			/*
+ 			 * We expect to find NS or SIG NS rdatasets, and
+ 			 * nothing else.
+-- 
+2.23.0
+
--- a/bind.spec
+++ b/bind.spec
@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        9
+Release:        10
 Epoch:          32
 Url:            http://www.isc.org/products/BIND/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@ -164,6 +164,7 @@ Patch195: CVE-2020-8625.patch
 Patch196: CVE-2021-25214.patch
 Patch197: CVE-2021-25215.patch
 Patch198: backport-CVE-2021-25219.patch
+Patch199: backport-CVE-2021-25220.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -371,6 +372,7 @@ are used for building ISC DHCP.
 %patch196 -p1
 %patch197 -p1
 %patch198 -p1
+%patch199 -p1

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
@ -1156,6 +1158,12 @@ rm -rf ${RPM_BUILD_ROOT}


 %changelog
+* Wed Mar 30 2022 jiangheng <jiangheng12@huawei.com> - 9.11.21-10
+- Type:CVE
+- ID:CVE-2021-25220
+- SUG:NA
+- DESC:fix CVE-2021-25220
+
 * Mon Nov 15 2021 jiangheng <jiangheng12@huawei.com> - 9.11.21-9
 - Type:CVE
 - ID:CVE-2021-25219