Security update to bind 9.11.6-P1, plus patches ("Replace atomic

operations in bin/named/client.c with isc_refcount reference counting") from https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch for wider arch support. Fixes: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective https://kb.isc.org/docs/cve-2018-5743
2019-04-27 22:26:55 +00:00 · 2019-04-27 22:26:55 +00:00 · e39953dc90
commit e39953dc90
parent 94afad4a26
5 changed files with 143 additions and 5 deletions
--- a/net/isc-bind/Makefile
+++ b/net/isc-bind/Makefile
@ -1,18 +1,18 @@
-# $OpenBSD: Makefile,v 1.89 2019/03/01 17:17:08 sthen Exp $
+# $OpenBSD: Makefile,v 1.90 2019/04/27 22:26:55 sthen Exp $

 COMMENT=	Berkeley Internet Name Daemon: DNS server and tools

 # 9.11 is an ESV.  After 9.11 the format changes: odd numbers are devel,
 # even numbers are stable (and for stable branches, point releases are
 # bug fixes only).  The next ESV will be 9.16.
-V=		9.11.6
+V=		9.11.6-P1
 EPOCH=		0

 DISTNAME=	bind-$V
 PKGNAME=	isc-bind-${V:S/-P/pl/}

 # in shared_libs.log but not installed: isc-nosymtbl, t_api
-SHARED_LIBS +=  isc                  4.0
+SHARED_LIBS +=  isc                  4.1
 SHARED_LIBS +=  isccc                2.0
 SHARED_LIBS +=  dns                  8.0
 SHARED_LIBS +=  isccfg               3.0
--- a/net/isc-bind/distinfo
+++ b/net/isc-bind/distinfo
@ -1,2 +1,2 @@
-SHA256 (bind-9.11.6.tar.gz) = RJkAfzpri7qE/HVwU8rqvzZGbW99J4uszvn9EJvqxtQ=
-SIZE (bind-9.11.6.tar.gz) = 8125093
+SHA256 (bind-9.11.6-P1.tar.gz) = WKziq7TQSLZ6vN7wZJ7NbL07BlJzSkGh00+ULVUA+O8=
+SIZE (bind-9.11.6-P1.tar.gz) = 8102241
--- a/net/isc-bind/patches/patch-bin_named_client_c
+++ b/net/isc-bind/patches/patch-bin_named_client_c
@ -0,0 +1,73 @@
+$OpenBSD: patch-bin_named_client_c,v 1.1 2019/04/27 22:26:55 sthen Exp $
+
+From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+ isc_refcount reference counting
+
+Index: bin/named/client.c
+--- bin/named/client.c.orig
+++ bin/named/client.c
+@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
+ static void
+ mark_tcp_active(ns_client_t *client, bool active) {
+ 	if (active && !client->tcpactive) {
+-		isc_atomic_xadd(&client->interface->ntcpactive, 1);
+		isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+ 		client->tcpactive = active;
+ 	} else if (!active && client->tcpactive) {
+-		uint32_t old =
+-			isc_atomic_xadd(&client->interface->ntcpactive, -1);
+-		INSIST(old > 0);
+		isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+ 		client->tcpactive = active;
+ 	}
+ }
+@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
+ 		if (client->mortal && TCP_CLIENT(client) &&
+ 		    client->newstate != NS_CLIENTSTATE_FREED &&
+ 		    !ns_g_clienttest &&
+-		    isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+		    isc_refcount_current(&client->interface->ntcpaccepting) == 0)
+ 		{
+ 			/* Nobody else is accepting */
+ 			client->mortal = false;
+@@ -3326,7 +3324,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+ 	isc_result_t result;
+ 	ns_client_t *client = event->ev_arg;
+ 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+-	uint32_t old;
+ 
+ 	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+ 	REQUIRE(NS_CLIENT_VALID(client));
+@@ -3346,8 +3343,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+ 	INSIST(client->naccepts == 1);
+ 	client->naccepts--;
+ 
+-	old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+-	INSIST(old > 0);
+	isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+ 
+ 	/*
+ 	 * We must take ownership of the new socket before the exit
+@@ -3478,8 +3474,8 @@ client_accept(ns_client_t *client) {
+ 		 * quota is tcp-clients plus the number of listening
+ 		 * interfaces plus 1.)
+ 		 */
+-		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+-			(client->tcpactive ? 1 : 0));
+		exit = (isc_refcount_current(&client->interface->ntcpactive) >
+			(client->tcpactive ? 1U : 0U));
+ 		if (exit) {
+ 			client->newstate = NS_CLIENTSTATE_INACTIVE;
+ 			(void)exit_check(client);
+@@ -3537,7 +3533,7 @@ client_accept(ns_client_t *client) {
+ 	 * listening for connections itself to prevent the interface
+ 	 * going dead.
+ 	 */
+-	isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+	isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+ }
+ 
+ static void
--- a/net/isc-bind/patches/patch-bin_named_include_named_interfacemgr_h
+++ b/net/isc-bind/patches/patch-bin_named_include_named_interfacemgr_h
@ -0,0 +1,33 @@
+$OpenBSD: patch-bin_named_include_named_interfacemgr_h,v 1.1 2019/04/27 22:26:55 sthen Exp $
+
+From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+ isc_refcount reference counting
+
+Index: bin/named/include/named/interfacemgr.h
+--- bin/named/include/named/interfacemgr.h.orig
+++ bin/named/include/named/interfacemgr.h
+@@ -45,6 +45,7 @@
+ #include <isc/magic.h>
+ #include <isc/mem.h>
+ #include <isc/socket.h>
+#include <isc/refcount.h>
+ 
+ #include <dns/result.h>
+ 
+@@ -75,11 +76,11 @@ struct ns_interface {
+ 						/*%< UDP dispatchers. */
+ 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
+ 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
+-	int32_t			ntcpaccepting;	/*%< Number of clients
+	isc_refcount_t		ntcpaccepting;	/*%< Number of clients
+ 						     ready to accept new
+ 						     TCP connections on this
+ 						     interface */
+-	int32_t			ntcpactive;	/*%< Number of clients
+	isc_refcount_t		ntcpactive;	/*%< Number of clients
+ 						     servicing TCP queries
+ 						     (whether accepting or
+ 						     connected) */
--- a/net/isc-bind/patches/patch-bin_named_interfacemgr_c
+++ b/net/isc-bind/patches/patch-bin_named_interfacemgr_c
@ -0,0 +1,32 @@
+$OpenBSD: patch-bin_named_interfacemgr_c,v 1.1 2019/04/27 22:26:55 sthen Exp $
+
+From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+ isc_refcount reference counting
+
+Index: bin/named/interfacemgr.c
+--- bin/named/interfacemgr.c.orig
+++ bin/named/interfacemgr.c
+@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockad
+ 	 * connections will be handled in parallel even though there is
+ 	 * only one client initially.
+ 	 */
+-	ifp->ntcpaccepting = 0;
+-	ifp->ntcpactive = 0;
+	isc_refcount_init(&ifp->ntcpaccepting, 0);
+	isc_refcount_init(&ifp->ntcpactive, 0);
+ 
+ 	ifp->nudpdispatch = 0;
+ 
+@@ -617,6 +617,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
+ 	DESTROYLOCK(&ifp->lock);
+ 
+ 	ns_interfacemgr_detach(&ifp->mgr);
+
+	isc_refcount_destroy(&ifp->ntcpactive);
+	isc_refcount_destroy(&ifp->ntcpaccepting);
+ 
+ 	ifp->magic = 0;
+ 	isc_mem_put(mctx, ifp, sizeof(*ifp));