From e2014ba9e3b4236b0384ba17abfb2c9a155412f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 1/3] Bound the amount of work performed for delegations Limit the amount of database lookups that can be triggered in fctx_getaddresses() (i.e. when determining the name server addresses to query next) by setting a hard limit on the number of NS RRs processed for any delegation encountered. Without any limit in place, named can be forced to perform large amounts of database lookups per each query received, which severely impacts resolver performance. The limit used (20) is an arbitrary value that is considered to be big enough for any sane DNS delegation. (cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) --- lib/dns/resolver.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 8883008420..e7437656b6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -211,6 +211,17 @@ */ #define NS_FAIL_LIMIT 4 #define NS_RR_LIMIT 5 +/* + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in + * any NS RRset encountered, to avoid excessive resource use while processing + * large delegations. + */ +#define NS_PROCESSING_LIMIT 20 + +STATIC_ASSERT(NS_PROCESSING_LIMIT > NS_RR_LIMIT, + "The maximum number of NS RRs processed for each delegation " + "(NS_PROCESSING_LIMIT) must be larger than the large delegation " + "threshold (NS_RR_LIMIT)."); /* Hash table for zone counters */ #ifndef RES_DOMAIN_HASH_BITS @@ -3538,6 +3549,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { bool need_alternate = false; bool all_spilled = true; unsigned int no_addresses = 0; + unsigned int ns_processed = 0; FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); 
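Review bot: The new comment above NS_PROCESSING_LIMIT says how many NS RRs get address lookups but not what happens to the rest, which is what an operator debugging a failing large delegation will need; the break added further down in fctx_getaddresses drops every NS RR after the 20th in RRset iteration order without error or log, so which servers are consulted depends on that order. I would extend the comment with `Any NS RRs past this limit are skipped silently, so for a delegation larger than NS_PROCESSING_LIMIT only the first NS_PROCESSING_LIMIT names in RRset order are resolved; the value is a fixed compile-time bound (CVE-2022-2795).` The STATIC_ASSERT message only restates the condition; a short reason would help — presumably the large-delegation handling keyed on NS_RR_LIMIT must still see a full set of RRs, but that code is not in this hunk, so the reason should be confirmed before it is written down.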
@@ -3728,6 +3740,11 @@ normal_nses: dns_rdata_reset(&rdata); dns_rdata_freestruct(&ns); + + if (++ns_processed >= NS_PROCESSING_LIMIT) { + result = ISC_R_NOMORE; + break; + } } if (result != ISC_R_NOMORE) { return (result); From 97a9f586c4702de709b284ecb22facee67d079ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 2/3] Add CHANGES entry for GL #3394 (cherry picked from commit e802beedfc13be160d182635cecf6e01fc514d94) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index e8ea8e1e60..059cc4a1b6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5957. [security] Prevent excessive resource use while processing large + delegations. (CVE-2022-2795) [GL #3394] + 5956. [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same name. [GL #3459] From 7f6cb0d0cc26179fe6243c66fa810fd6a217d55a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 3/3] Add release note for GL #3394 (cherry picked from commit 672072812cae9a346f6bc40ea5b1a81a5ca010ba) --- doc/notes/notes-current.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 306a87ccbb..020cfd08ba 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
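Review bot: The counter is incremented only at the tail of the loop body, so any iteration that leaves the body early (a `continue` before `dns_rdata_reset`, which this hunk cannot show since the loop begins above it) is not counted and the bound is on completed iterations rather than on NS RRs examined; if such early exits exist, check the limit at the top of the body instead, `if (++ns_processed > NS_PROCESSING_LIMIT) { result = ISC_R_NOMORE; break; }`, which keeps the same 20-RR bound. As placed, the break runs after `dns_rdata_freestruct(&ns)` so it frees correctly, and that must remain true wherever the check ends up. Reaching the limit is also indistinguishable from a normal end of the RRset, since the post-loop `if (result != ISC_R_NOMORE)` treats both the same way; a trace line like the `FCTXTRACE5` call at the start of the function would let an operator see that a delegation was truncated. fctx_getaddresses begins and ends outside this hunk.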
@@ -15,7 +15,14 @@ Notes for BIND 9.18.7 Security Fixes ~~~~~~~~~~~~~~ -- None. +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` Known Issues ~~~~~~~~~~~~