diff --git a/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch new file mode 100644 index 0000000000000000000000000000000000000000..20996e4e253f4dfaf25f359540d00b81ecfb26ba --- /dev/null +++ b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch @@ -0,0 +1,119 @@ +From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 11 Oct 2021 18:13:39 +0000 +Subject: [PATCH] Fix catalog zone reconfiguration crash + +The following scenario triggers a "named" crash: + +1. Configure a catalog zone. +2. Start "named". +3. Comment out the "catalog-zone" clause. +4. Run `rndc reconfig`. +5. Uncomment the "catalog-zone" clause. +6. Run `rndc reconfig` again. + +Implement the required cleanup of the in-memory catalog zone during +the first `rndc reconfig`, so that the second `rndc reconfig` could +find it in an expected state. + +(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a +--- + bin/named/server.c | 2 ++ + lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++ + lib/dns/win32/libdns.def.in | 2 ++ + lib/dns/zone.c | 18 ++++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 860ccae8a1..9c0f12f63f 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, + + if (zone_is_catz) { + dns_zone_catz_enable(zone, view->catzs); ++ } else if (dns_zone_catz_is_enabled(zone)) { ++ dns_zone_catz_disable(zone); + } + + /* +diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h +index 08e2263c5b..33ab5c60fd 100644 +--- a/lib/dns/include/dns/zone.h ++++ b/lib/dns/include/dns/zone.h +@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); + * \li prior to calling, zone->catzs is NULL or is equal to 'catzs' + */ + ++void ++dns_zone_catz_disable(dns_zone_t *zone); ++/*%< ++ * Disable zone as catalog zone, if it is one. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone); ++/*%< ++ * Return a boolean indicating whether the zone is enabled as catalog zone. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ + void + dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db); + /*%< +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index 31f511103f..1e0f7cf64a 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown + dns_zone_addnsec3chain + dns_zone_asyncload + dns_zone_attach ++dns_zone_catz_disable + dns_zone_catz_enable + dns_zone_catz_enable_db ++dns_zone_catz_is_enabled + dns_zone_cdscheck + dns_zone_checknames + dns_zone_clearforwardacl +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 65a3aacab7..bc33e6ede8 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + UNLOCK_ZONE(zone); + } + ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ if (zone->catzs != NULL) { ++ dns_catz_catzs_detach(&zone->catzs); ++ } ++ UNLOCK_ZONE(zone); ++} ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ return (zone->catzs != NULL); ++} ++ + /* + * If a zone is a catalog zone, attach it to update notification in database. + */ +-- +2.27.0 + diff --git a/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch new file mode 100644 index 0000000000000000000000000000000000000000..aba4616334374cfe925ff958293dd1b950682d0d --- /dev/null +++ b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch @@ -0,0 +1,162 @@ +From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 1 Dec 2021 17:41:20 +0100 +Subject: [PATCH] Improve the logging on failed TCP accept + +Previously, when TCP accept failed, we have logged a message with +ISC_LOG_ERROR level. One common case, how this could happen is that the +client hits TCP client quota and is put on hold and when resumed, the +client has already given up and closed the TCP connection. In such +case, the named would log: + + TCP connection failed: socket is not connected + +This message was quite confusing because it actually doesn't say that +it's related to the accepting the TCP connection and also it logs +everything on the ISC_LOG_ERROR level. + +Change the log message to "Accepting TCP connection failed" and for +specific error states lower the severity of the log message to +ISC_LOG_INFO. + +(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6 +--- + lib/isc/netmgr/netmgr-int.h | 3 +++ + lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++ + lib/isc/netmgr/tcp.c | 20 ++------------------ + lib/isc/netmgr/tcpdns.c | 22 ++-------------------- + 4 files changed, 34 insertions(+), 38 deletions(-) + +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index f7b54f9..b4299d5 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async); + void + isc__nmsocket_connecttimeout_cb(uv_timer_t *timer); + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota); ++ + #define STREAM_CLIENTS_PER_CONN 23 +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 3283eb6e4f..54042a9123 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) { + } + } + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) { ++ int level; ++ ++ switch (result) { ++ case ISC_R_SUCCESS: ++ case ISC_R_NOCONN: ++ return; ++ case ISC_R_QUOTA: ++ case ISC_R_SOFTQUOTA: ++ if (!can_log_quota) { ++ return; ++ } ++ level = ISC_LOG_INFO; ++ break; ++ case ISC_R_NOTCONNECTED: ++ level = ISC_LOG_INFO; ++ break; ++ default: ++ level = ISC_LOG_ERROR; ++ } ++ ++ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, ++ level, "Accepting TCP connection failed: %s", ++ isc_result_totext(result)); ++} ++ + static void + isc__nmsocket_readtimeout_cb(uv_timer_t *timer) { + isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer); +diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c +index 5cca9f5214..1b5e80d3a7 100644 +--- a/lib/isc/netmgr/tcp.c ++++ b/lib/isc/netmgr/tcp.c +@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + void +@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(sock->tid == isc_nm_tid()); + + result = accept_connection(sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + static isc_result_t +diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c +index 188790c8b4..b76dcbc66c 100644 +--- a/lib/isc/netmgr/tcpdns.c ++++ b/lib/isc/netmgr/tcpdns.c +@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + void +@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(ievent->sock->tid == isc_nm_tid()); + + result = accept_connection(ievent->sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + static isc_result_t +-- +2.27.0 + diff --git a/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch b/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch new file mode 100644 index 0000000000000000000000000000000000000000..fcdf67524a5b88ec29a7f70d9cb9ffe19a65f088 --- /dev/null +++ b/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch @@ -0,0 +1,85 @@ +From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Wed, 5 Jan 2022 09:38:36 +0000 +Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable + functions + +Separate the locked parts of dns_zone_catz_enable() and +dns_zone_catz_disable() functions into static functions. This will +let us perform those tasks from the other parts of the module while +the zone is locked, avoiding one pair of additional unlocking and +locking operations. + +(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612 +--- + lib/dns/zone.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 2faf12519e..9205271574 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -871,6 +871,10 @@ static inline void + zone_attachdb(dns_zone_t *zone, dns_db_t *db); + static inline void + zone_detachdb(dns_zone_t *zone); ++static void ++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); ++static void ++zone_catz_disable(dns_zone_t *zone); + static isc_result_t + default_journal(dns_zone_t *zone); + static void +@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) { + zone->rpzs->zones[zone->rpz_num]); + } + +-void +-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { ++static void ++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + REQUIRE(DNS_ZONE_VALID(zone)); + REQUIRE(catzs != NULL); + +- LOCK_ZONE(zone); + INSIST(zone->catzs == NULL || zone->catzs == catzs); + dns_catz_catzs_set_view(catzs, zone->view); + if (zone->catzs == NULL) { + dns_catz_catzs_attach(catzs, &zone->catzs); + } +- UNLOCK_ZONE(zone); + } + + void +-dns_zone_catz_disable(dns_zone_t *zone) { ++dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); ++ zone_catz_enable(zone, catzs); ++ UNLOCK_ZONE(zone); ++} ++ ++static void ++zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ + if (zone->catzs != NULL) { + dns_catz_catzs_detach(&zone->catzs); + } ++} ++ ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ zone_catz_disable(zone); + UNLOCK_ZONE(zone); + } + +-- +2.27.0 + diff --git a/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch new file mode 100644 index 0000000000000000000000000000000000000000..f11e7ee965889b3e1b7adce2aef5e5ed7973bb05 --- /dev/null +++ b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch @@ -0,0 +1,235 @@ +From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 3 May 2022 12:28:31 +0200 +Subject: [PATCH] Check if key metadata is modified before writing + +Add a new parameter to the dst_key structure, mark a key modified if +dst_key_(un)set[bool,num,state,time] is called. Only write out key +files during a keymgr run if the metadata has changed. + +(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3 +--- + lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++ + lib/dns/dst_internal.h | 1 + + lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++ + lib/dns/keymgr.c | 17 ++++++++++++++++- + 4 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index ab371330f0..8873a041b8 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) { + return (key->external); + } + ++void ++dst_key_setmodified(dst_key_t *key, bool value) { ++ key->modified = value; ++} ++ ++bool ++dst_key_ismodified(dst_key_t *key) { ++ return (key->modified); ++} ++ + isc_result_t + dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg, + int type, const char *directory, isc_mem_t *mctx, +@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) + { + RETERR(computeid(pubkey)); ++ pubkey->modified = false; + *keyp = pubkey; + pubkey = NULL; + goto out; +@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + RETERR(DST_R_INVALIDPRIVATEKEY); + } + ++ key->modified = false; + *keyp = key; + key = NULL; + +@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->boolset[type] || ++ key->bools[type] != value; + key->bools[type] = value; + key->boolset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->boolset[type]; + key->boolset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->numset[type] || ++ key->nums[type] != value; + key->nums[type] = value; + key->numset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->numset[type]; + key->numset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->timeset[type] || ++ key->times[type] != when; + key->times[type] = when; + key->timeset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->timeset[type]; + key->timeset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->keystateset[type] || ++ key->keystates[type] != state; + key->keystates[type] = state; + key->keystateset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->keystateset[type]; + key->keystateset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { + dst_key_unsetstate(to, i); + } + } ++ ++ dst_key_setmodified(to, dst_key_ismodified(from)); + } +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index e26837bfe4..4933cfd5aa 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -147,6 +147,7 @@ struct dst_key { + bool inactive; /*%< private key not present as it is + * inactive */ + bool external; /*%< external key */ ++ bool modified; /*%< set to true if key file metadata has changed */ + + int fmt_major; /*%< private key format, major version + * */ +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index d50761a63c..eab5501029 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key); + * 'key' to be valid. + */ + ++void ++dst_key_setmodified(dst_key_t *key, bool value); ++/*%< ++ * If 'value' is true, this marks the key to indicate that key file metadata ++ * has been modified. If 'value' is false, this resets the value, for example ++ * after you have written the key to file. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ ++bool ++dst_key_ismodified(dst_key_t *key); ++/*%< ++ * Check if the key file has been modified. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ + bool + dst_key_haskasp(dst_key_t *key); + /*%< +diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c +index 965782b1f3..b01286575f 100644 +--- a/lib/dns/keymgr.c ++++ b/lib/dns/keymgr.c +@@ -1512,6 +1512,7 @@ transition: + /* It is safe to make the transition. */ + dst_key_setstate(dkey->key, i, next_state); + dst_key_settime(dkey->key, keystatetimes[i], now); ++ INSIST(dst_key_ismodified(dkey->key)); + changed = true; + } + } +@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, + for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL; + dkey = ISC_LIST_NEXT(dkey, link)) + { +- if (!dkey->purge) { ++ if (dst_key_ismodified(dkey->key) && !dkey->purge) { + dns_dnssec_get_hints(dkey, now); + RETERR(dst_key_tofile(dkey->key, options, directory)); ++ dst_key_setmodified(dkey->key, false); + } + } + +@@ -2205,6 +2207,13 @@ failure: + } + } + ++ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(origin, namebuf, sizeof(namebuf)); ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, ++ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3), ++ "keymgr: %s done", namebuf); ++ } + return (result); + } + +@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(ksk_key, now); + result = dst_key_tofile(ksk_key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(ksk_key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(key, now); + result = dst_key_tofile(key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +-- +2.27.0 + diff --git a/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch b/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch new file mode 100644 index 0000000000000000000000000000000000000000..bc17cb69e4a0d021e80e4048f24678811a5e2602 --- /dev/null +++ b/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch @@ -0,0 +1,76 @@ +From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Mon, 16 May 2022 19:00:47 +0200 +Subject: [PATCH] Fix CID 352776: Concurrent data access violations + +*** CID 352776: Concurrent data access violations (MISSING_LOCK) +/lib/dns/dst_api.c: 474 in dst_key_setmodified() +468 dst_key_isexternal(dst_key_t *key) { +469 return (key->external); +470 } +471 +472 void +473 dst_key_setmodified(dst_key_t *key, bool value) { +>>> CID 352776: Concurrent data access violations (MISSING_LOCK) +>>> Accessing "key->modified" without holding lock +>>> "dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with +>>> "dst_key.mdlock" held 8 out of 11 times (8 of these accesses +>>> strongly imply that it is necessary). +474 key->modified = value; +475 } +476 +477 bool +478 dst_key_ismodified(dst_key_t *key) { +479 return (key->modified); + +(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd +--- + lib/dns/dst_api.c | 12 ++++++++++-- + lib/dns/include/dst/dst.h | 2 +- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 8873a041b8..e5a52aea37 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) { + + void + dst_key_setmodified(dst_key_t *key, bool value) { ++ isc_mutex_lock(&key->mdlock); + key->modified = value; ++ isc_mutex_unlock(&key->mdlock); + } + + bool +-dst_key_ismodified(dst_key_t *key) { +- return (key->modified); ++dst_key_ismodified(const dst_key_t *key) { ++ bool modified; ++ ++ isc_mutex_lock(&(((dst_key_t *)key)->mdlock)); ++ modified = key->modified; ++ isc_mutex_unlock(&(((dst_key_t *)key)->mdlock)); ++ ++ return (modified); + } + + isc_result_t +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index eab5501029..3185e9f91b 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value); + */ + + bool +-dst_key_ismodified(dst_key_t *key); ++dst_key_ismodified(const dst_key_t *key); + /*%< + * Check if the key file has been modified. + * +-- +2.27.0 + diff --git a/backport-0037-Require-valid-key-for-dst_key-functions.patch b/backport-0037-Require-valid-key-for-dst_key-functions.patch new file mode 100644 index 0000000000000000000000000000000000000000..ab19afbe86b1b9a25d16d5b490cd5b984c419f72 --- /dev/null +++ b/backport-0037-Require-valid-key-for-dst_key-functions.patch @@ -0,0 +1,70 @@ +From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 17 May 2022 12:02:43 +0200 +Subject: [PATCH] Require valid key for dst_key functions + +Make sure that the key structure is valid when calling the following +functions: +- dst_key_setexternal +- dst_key_isexternal +- dst_key_setmodified +- dst_key_ismodified + +This commit is adapted because 9.16 has a different approach +of deconsting the variable. + +(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb +--- + lib/dns/dst_api.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index e5a52aea37..f5741a1af4 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) { + + void + dst_key_setexternal(dst_key_t *key, bool value) { ++ REQUIRE(VALID_KEY(key)); ++ + key->external = value; + } + + bool + dst_key_isexternal(dst_key_t *key) { ++ REQUIRE(VALID_KEY(key)); ++ + return (key->external); + } + + void + dst_key_setmodified(dst_key_t *key, bool value) { ++ REQUIRE(VALID_KEY(key)); ++ + isc_mutex_lock(&key->mdlock); + key->modified = value; + isc_mutex_unlock(&key->mdlock); +@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) { + bool + dst_key_ismodified(const dst_key_t *key) { + bool modified; ++ dst_key_t *k; + +- isc_mutex_lock(&(((dst_key_t *)key)->mdlock)); ++ REQUIRE(VALID_KEY(key)); ++ ++ DE_CONST(key, k); ++ ++ isc_mutex_lock(&k->mdlock); + modified = key->modified; +- isc_mutex_unlock(&(((dst_key_t *)key)->mdlock)); ++ isc_mutex_unlock(&k->mdlock); + + return (modified); + } +-- +2.27.0 + diff --git a/bind.spec b/bind.spec index e1b31c62729f382460b232bda779ac512397cc07..bbf3c209ec5112c94b9bd3b0b523710abe395795 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 10 +Release: 11 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -87,6 +87,13 @@ Patch6004:backport-CVE-2022-38177.patch Patch6005:backport-CVE-2022-38178.patch Patch6006:backport-CVE-2022-2906.patch Patch6007:backport-CVE-2022-2881.patch +Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch +Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch +Patch6010:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch +Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch +Patch6012:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch +Patch6013:backport-0037-Require-valid-key-for-dst_key-functions.patch + Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -391,6 +398,12 @@ in HTML and PDF format. %patch6005 -p1 %patch6006 -p1 %patch6007 -p1 +%patch6008 -p1 +%patch6009 -p1 +%patch6010 -p1 +%patch6011 -p1 +%patch6012 -p1 +%patch6013 -p1 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1113,6 +1126,17 @@ fi; %endif %changelog +* Thu Sep 29 2022 huangyu - 32:9.16.23-11 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: Fix catalog zone reconfiguration crash +Improve the logging on failed TCP accept +Separate the locked parts of dns_zone_catz_enable-di +Check if key-metadata is modified before writing +Fix CID-352776 Concurrent data access violations +Require valid key for dst_key functions + * Wed Sep 28 2022 huangyu - 32:9.16.23-10 - DESC:fix CVE-2022-2881 CVE-2022-2906 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 CVE-2022-3080