Commit Graph

34118 Commits

Author SHA1 Message Date
Tinderbox User
96094c577f Merge branch 'prep-release' into security-v9_16 v9.16.27 2022-03-07 08:48:03 +00:00
Tinderbox User
af230d1e20 prep 9.16.27 2022-03-07 08:47:06 +00:00
Michał Kępień
16cc3e4465 Merge branch 'michal/prepare-documentation-for-bind-9.16.27' into 'security-v9_16'
Prepare documentation for BIND 9.16.27

See merge request isc-private/bind9!393
2022-03-07 08:30:43 +00:00
Michał Kępień
4e38e7b924 Prepare release notes for BIND 9.16.27 2022-03-04 15:12:48 +01:00
Michał Kępień
39a641559d Reorder release notes 2022-03-04 15:12:48 +01:00
Michał Kępień
0b15187e7b Tweak and reword release notes 2022-03-04 15:12:48 +01:00
Michał Kępień
917ac0b67f Fix typo in CHANGES 2022-03-04 15:12:48 +01:00
Michał Kępień
4ef5055257 Merge branch '3112-ensure-correct-ordering-in-isc__nm_process_sock_buffer-v9_16' into 'security-v9_16'
[CVE-2022-0396] [v9_16] Resolve #3112 TCP sockets stuck in CLOSE_WAIT

See merge request isc-private/bind9!376
2022-03-03 14:27:03 +00:00
Michał Kępień
56d8ac91b3 Merge branch '2950-confidential-cache-acceptance-rules-v9_16' into 'security-v9_16'
[CVE-2021-25220] [v9_16] prevent cache poisoning from forwarder responses

See merge request isc-private/bind9!380
2022-03-03 14:20:19 +00:00
Ondřej Surý
a9e4dac45e Add CHANGES and release note for [GL #3112] 2022-03-03 13:33:00 +01:00
Petr Špaček
f0fc4b0bbc Add Release Note for [GL #2950] 2022-03-03 13:33:00 +01:00
Ondřej Surý
8d4ba2b77f Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
asynchronously to ensure correct order of multiple packets processing in
the isc__nm_process_sock_buffer().  When not run asynchronously, it
would cause:

  a) out-of-order processing of the return codes from processbuffer();

  b) stack growth because the next TCP DNS message read callback will
     be called from within the current TCP DNS message read callback.

The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
sockets which calls isc__nm_process_sock_buffer().  If the read callback
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
attach to the nmhandle (f.e. because it wants to drop the processing or
we send the response directly via uv_try_write()), the
isc__nm_resume_processing() (via .closehandle_cb) would call
isc__nm_process_sock_buffer() recursively.

The below shortened code path shows how the stack can grow:

 1: ns__client_request(handle, ...);
 2: isc_nm_tcpdns_sequential(handle);
 3: ns_query_start(client, handle);
 4:   query_lookup(qctx);
 5:     query_send(qctcx->client);
 6:       isc__nmhandle_detach(&client->reqhandle);
 7:         nmhandle_detach_cb(&handle);
 8:           sock->closehandle_cb(sock); // isc__nm_resume_processing
 9:             isc__nm_process_sock_buffer(sock);
10:               processbuffer(sock); // isc__nm_tcpdns_processbuffer
11:                 isc_nmhandle_attach(req->handle, &handle);
12:                 isc__nm_readcb(sock, req, ISC_R_SUCCESS);
13:                   isc__nm_async_readcb(NULL, ...);
14:                     uvreq->cb.recv(...); // ns__client_request

Instead, if 'sock->closehandle_cb' is set, we need to run detach the
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
the code flow above does not start this recursion. This ensures the
correct order when processing multiple packets in the function
'isc__nm_process_sock_buffer()' and prevents the stack growth.

When not run asynchronously, the out-of-order processing leaves the
first TCP socket open until all requests on the stream have been
processed.

If the pipelining is disabled on the TCP via `keep-response-order`
configuration option, named would keep the first socket in lingering
CLOSE_WAIT state when the client sends an incomplete packet and then
closes the connection from the client side.
2022-03-03 13:33:00 +01:00
Petr Špaček
b1280c7a0d Add CHANGES note for [GL #2950] 2022-03-03 13:33:00 +01:00
Mark Andrews
e04dec4c77 Look for zones deeper than the current domain or forward name
When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.
2022-03-03 13:33:00 +01:00
Mark Andrews
2df037777e Check cached names for possible "forward only" clause
When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence.  Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.
2022-03-03 13:33:00 +01:00
Mark Andrews
52d918c315 Check that the forward declaration is unchanged and not overridden
If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.
2022-03-03 13:33:00 +01:00
Mark Andrews
853c6c284a Add additional name checks when using a forwarder
When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.
2022-03-03 13:33:00 +01:00
Arаm Sаrgsyаn
96b564173e Merge branch '3172-libressl-3.5.0-compat-v9_16' into 'v9_16'
[v9_16] Resolve "BIND is not compatible with LibreSSL 3.5.0"

See merge request isc-projects/bind9!5915
2022-03-02 11:40:19 +00:00
Aram Sargsyan
908fdeb4d2 Add CHANGES entry for [GL #3172]
(cherry picked from commit 0f399851d88b7958a45bfbc4f626e82bdc34c771)
2022-03-02 09:34:29 +00:00
Aram Sargsyan
73e660a806 Use autoconf check for BN_GENCB_new()
BIND unconditionally uses shims for BN_GENCB_new(), BN_GENCB_free(),
and BN_GENCB_get_arg() for all LibreSSL versions and, correctly, for
OpenSSL <1.1.0 versions.

This breaks LibreSSL compilation starting with LibreSSL 3.5.0.

Use autoconf check instead to check whether the family of the functions
are available.

(cherry picked from commit 749973f3259b7638a6af02b7da2f40ae28bdd402)
2022-03-02 09:34:29 +00:00
Aram Sargsyan
2325ed66c5 Remove EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() shims
LibreSSL 3.5.0 fails to compile with these shims. We could have just
removed the LibreSSL check from the pre-processor condition, but it
seems that these shims are no longer needed because all the supported
versions of OpenSSL and LibreSSL have those functions.

According to EVP_ENCRYPTINIT(3) manual page in LibreSSL,
EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() first appeared in
OpenSSL 0.9.8b, and have been available since OpenBSD 4.5.

(cherry picked from commit a3789053682b57a2031de8c544134f1923e76cf3)
2022-03-02 09:31:50 +00:00
Mark Andrews
4ac616bb4a Merge branch '3175-add-missing-grow-data-call-in-isc-lex-gettoken-v9_16' into 'v9_16'
Grow the lex token buffer in one more place

See merge request isc-projects/bind9!5919
2022-03-02 02:13:30 +00:00
Mark Andrews
cb7511495e Add CHANGES note for [GL #3175]
(cherry picked from commit ce8703a79e)
2022-03-02 01:04:40 +00:00
Mark Andrews
c1a127643f Add seed that demonstrated INSIST triggered in isc_lex_gettoken
this is similar to the input found by ClusterFuzz Issue 45027 with
the 0xff characters replaced for readability.

(cherry picked from commit d36938321e)
2022-03-02 01:04:40 +00:00
Mark Andrews
0b6af23d61 Grow the lex token buffer in one more place
when parsing key pairs, if the '=' character fell at max_token
a protective INSIST preventing buffer overrun could be triggered.
Attempt to grow the buffer immediately before the INSIST.

Also removed an unnecessary INSIST on the opening double quote
of key buffer pair.

(cherry picked from commit 4c356d2770)
2022-03-02 01:04:40 +00:00
Mark Andrews
84a96a1bb0 Merge branch '3176-issue-45110-by-clusterfuzz-external-bind9-dns_master_load_fuzzer-undefined-shift-in-soa_get-v9_16' into 'v9_16'
Use unsigned arithmetic when shifting by 24

See merge request isc-projects/bind9!5918
2022-03-02 01:01:24 +00:00
Mark Andrews
a247d282bf Use unsigned arithmetic when shifting by 24
By default C promotes short unsigned values to signed int which
leads to undefined behaviour when the value is shifted by too much.
Force unsigned arithmetic to be perform by explicitly casting to a
unsigned type.

(cherry picked from commit b8b99603f1)
2022-03-02 11:06:53 +11:00
Ondřej Surý
98183ef28b Merge branch '3177-add-missing-isc_nm_tcpsocket-to-isc__nmsocket_reset-v9_16' into 'v9_16'
Handle TCP sockets in isc__nmsocket_reset()

See merge request isc-projects/bind9!5912
2022-02-28 11:14:14 +00:00
Ondřej Surý
ac5952aee8 Handle TCP sockets in isc__nmsocket_reset()
The isc__nmsocket_reset() was missing a case for raw TCP sockets (used
by RNDC and DoH) which would case a assertion failure when write timeout
would be triggered.

TCP sockets are now also properly handled in isc__nmsocket_reset().

(cherry picked from commit b220fb32bd)
2022-02-28 11:44:47 +01:00
Mark Andrews
604a267054 Merge branch '3170-tiny-typo-in-doc-build-script-v9_16' into 'v9_16'
correctly exclude logging-categories.rst

See merge request isc-projects/bind9!5903
2022-02-24 22:14:26 +00:00
Mark Andrews
287df673dc correctly exclude logging-categories.rst
(cherry picked from commit 0069a689a6)
2022-02-25 01:20:54 +11:00
Ondřej Surý
9f7ddf8c18 Merge branch '3166-disable-inactivehandles-caching-with-address-sanitizer-v9_16' into 'v9_16'
Disable inactive handles caching when compiled with sanitizers

See merge request isc-projects/bind9!5897
2022-02-23 23:44:58 +00:00
Ondřej Surý
fe5cd40a3a Disable inactive uvreqs caching when compiled with sanitizers
When isc__nm_uvreq_t gets deactivated, it could be just put onto array
stack to be reused later to save some initialization time.
Unfortunately, this might hide some use-after-free errors.

Disable the inactive uvreqs caching when compiled with Address or
Thread Sanitizer.

(cherry picked from commit be339b3c83)
2022-02-24 00:16:31 +01:00
Ondřej Surý
55780afdb9 Disable inactive handles caching when compiled with sanitizers
When isc_nmhandle_t gets deactivated, it could be just put onto array
stack to be reused later to safe some initialization time.
Unfortunately, this might hide some use-after-free errors.

Disable the inactive handles caching when compiled with Address or
Thread Sanitizer.

(cherry picked from commit 92cce1da65)
2022-02-24 00:10:18 +01:00
Ondřej Surý
822879f2c7 Merge branch '3167-remove-isc__nmsocket_t-ah_handles-v9_16' into 'v9_16'
Remove active handles tracking from isc__nmsocket_t

See merge request isc-projects/bind9!5895
2022-02-23 22:55:22 +00:00
Ondřej Surý
7765263e68 Remove active handles tracking from isc__nmsocket_t
The isc__nmsocket_t has locked array of isc_nmhandle_t that's not used
for anything.  The isc__nmhandle_get() adds the isc_nmhandle_t to the
locked array (and resized if necessary) and removed when
isc_nmhandle_put() finally destroys the handle.  That's all it does, so
it serves no useful purpose.

Remove the .ah_handles, .ah_size, and .ah_frees members of the
isc__nmsocket_t and .ah_pos member of the isc_nmhandle_t struct.

(cherry picked from commit e2555a306f)
2022-02-23 23:50:54 +01:00
Ondřej Surý
eff10e681a Merge branch '3166-delay-isc__nm_uvreq_t-deallocation-v9_16' into 'v9_16'
Delay isc__nm_uvreq_t deallocation to connection callback

See merge request isc-projects/bind9!5893
2022-02-23 22:47:53 +00:00
Ondřej Surý
7b8e265a40 Delay isc__nm_uvreq_t deallocation to connection callback
When the TCP, TCPDNS or TLSDNS connection times out, the isc__nm_uvreq_t
would be pushed into sock->inactivereqs before the uv_tcp_connect()
callback finishes.  Because the isc__nmsocket_t keeps the list of
inactive isc__nm_uvreq_t, this would cause use-after-free only when the
sock->inactivereqs is full (which could never happen because the failure
happens in connection timeout callback) or when the sock->inactivereqs
mechanism is completely removed (f.e. when running under Address or
Thread Sanitizer).

Delay isc__nm_uvreq_t deallocation to the connection callback and only
signal the connection callback should be called by shutting down the
libuv socket from the connection timeout callback.

(cherry picked from commit 3268627916)
2022-02-23 23:36:09 +01:00
Ondřej Surý
bfecb1b6f7 Merge branch 'ondrej-cleanup-nm_destroy-dequeue-v9_16' into 'v9_16'
Properly free up enqueued netievents in nm_destroy()

See merge request isc-projects/bind9!5890
2022-02-23 22:30:55 +00:00
Ondřej Surý
af2bddc242 Properly free up enqueued netievents in nm_destroy()
When the isc_netmgr is being destroyed, the normal and priority queues
should be dequeued and netievents properly freed.  This wasn't the case.

(cherry picked from commit 88418c3372)
2022-02-23 22:53:41 +01:00
Michał Kępień
28e9d7d222 Merge branch '3147-fix-more-ns_statscounter_recursclients-underflows-v9_16' into 'v9_16'
[v9_16] Fix more ns_statscounter_recursclients underflows

See merge request isc-projects/bind9!5881
2022-02-23 14:03:01 +00:00
Michał Kępień
ae2fa12d2d Add CHANGES entry for GL #3147
(cherry picked from commit 600f9010d2)
2022-02-23 14:45:06 +01:00
Michał Kępień
2344201385 Add release note for GL #3147
(cherry picked from commit 1c462a63ec)
2022-02-23 14:45:06 +01:00
Michał Kępień
60e82835ec Fix more ns_statscounter_recursclients underflows
Commit aab691d512 did not fix all possible
scenarios in which the ns_statscounter_recursclients counter underflows.
The solution implemented therein can be ineffective e.g. when CNAME
chaining happens with prefetching enabled.

Here is an example recursive resolution scenario in which the
ns_statscounter_recursclients counter can underflow with the current
logic in effect:

 1. Query processing starts, the answer is not found in the cache, so
    recursion is started.  The NS_CLIENTATTR_RECURSING attribute is set.
    ns_statscounter_recursclients is incremented (Δ = +1).

 2. Recursion completes, returning a CNAME.  client->recursionquota is
    non-NULL, so the NS_CLIENTATTR_RECURSING attribute remains set.
    ns_statscounter_recursclients is decremented (Δ = 0).

 3. Query processing restarts.

 4. The current QNAME (the target of the CNAME from step 2) is found in
    the cache, with a TTL low enough to trigger a prefetch.

 5. query_prefetch() attaches to client->recursionquota.
    ns_statscounter_recursclients is not incremented because
    query_prefetch() does not do that (Δ = 0).

 6. Query processing restarts.

 7. The current QNAME (the target of the CNAME from step 4) is not found
    in the cache, so recursion is started.  client->recursionquota is
    already attached to (since step 5) and the NS_CLIENTATTR_RECURSING
    attribute is set (since step 1), so ns_statscounter_recursclients is
    not incremented (Δ = 0).

 8. The prefetch from step 5 completes.  client->recursionquota is
    detached from in prefetch_done().  ns_statscounter_recursclients is
    not decremented because prefetch_done() does not do that (Δ = 0).

 9. Recursion for the current QNAME completes.  client->recursionquota
    is already detached from, i.e. set to NULL (since step 8), and the
    NS_CLIENTATTR_RECURSING attribute is set (since step 1), so
    ns_statscounter_recursclients is decremented (Δ = -1).

Another possible scenario is that after step 7, recursion for the target
of the CNAME from step 4 completes before the prefetch for the CNAME
itself.  fetch_callback() then notices that client->recursionquota is
non-NULL and decrements ns_statscounter_recursclients, even though
client->recursionquota was attached to by query_prefetch() and therefore
not accompanied by an incrementation of ns_statscounter_recursclients.
The net result is also an underflow.

Instead of trying to properly handle all possible orderings of events
set into motion by normal recursion and prefetch-triggered recursion,
adjust ns_statscounter_recursclients whenever the recursive clients
quota is successfully attached to or detached from.  Remove the
NS_CLIENTATTR_RECURSING attribute altogether as its only purpose is made
obsolete by this change.

(cherry picked from commit f7482b68b9)
2022-02-23 14:45:06 +01:00
Matthijs Mekking
2debaaddbe Merge branch '3164-fix-parental-agents-documentation-v9_16' into 'v9_16'
Fix typo in DNSSEC guide parental-agents example

See merge request isc-projects/bind9!5874
2022-02-22 13:45:34 +00:00
Matthijs Mekking
ff61d74310 Fix typo in DNSSEC guide parental-agents example
The example will not load because of the typo, the comma should be a
semicolon.

(cherry picked from commit fd5e39cc76)
2022-02-22 14:07:30 +01:00
Petr Špaček
3e17e79484 Merge branch '3132-add-send-timeout-python2-fix-v9_16' into 'v9_16'
Fix timeouts system test compatibility with python2

See merge request isc-projects/bind9!5869
2022-02-18 10:54:45 +00:00
Petr Špaček
17ff0227f8 Fix timeouts system test compatibility with python2
v9_16 branch still supports Python 2.7.
Fixup for 260b4c02cf.

Related: !5856
2022-02-18 11:26:58 +01:00
Petr Špaček
a30dac540e Merge branch 'v9_16_26-release' into 'v9_16'
Merge 9.16.26 release branch

See merge request isc-projects/bind9!5866
2022-02-18 09:12:00 +00:00
Petr Špaček
bcd07e71d6 Prepare release notes for BIND 9.16.27 2022-02-18 10:07:48 +01:00