Merge branch '2950-confidential-cache-acceptance-rules-v9_11' into 'security-v9_11'

[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses See merge request isc-private/bind9!381

Merge branch '2950-confidential-cache-acceptance-rules-v9_11' into 'security-v9_11'
[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses See merge request isc-private/bind9!381
fc9cb6cf · Michał Kępień · 37d0a8f4 · d4b1efbc · fc9cb6cf · fc9cb6cf
Commit fc9cb6cf authored Mar 03, 2022 by Michał Kępień
--- a/CHANGES
+++ b/CHANGES
+5817.	[security]	The rules for acceptance of records into the cache
+			have been tightened to prevent the possibility of
+			poisoning if forwarders send records outside
+			the configured bailiwick. (CVE-2021-25220) [GL #2950]
+
 	--- 9.11.36 released ---
  
 5736.	[security]	The "lame-ttl" option is now forcibly set to 0. This

--- a/doc/arm/notes-9.11.37.xml
+++ b/doc/arm/notes-9.11.37.xml
@@ -15,7 +15,15 @@
    <itemizedlist>
      <listitem>
        <para>
-          None.
+          The rules for acceptance of records into the cache have been tightened
+          to prevent the possibility of poisoning if forwarders send records
+          outside the configured bailiwick. (CVE-2021-25220)
+        </para>
+        <para>
+          ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
+          Network and Information Security Lab, Tsinghua University, and
+          Changgen Zou from Qi An Xin Group Corp. for bringing this
+          vulnerability to our attention. [GL #2950]
        </para>
      </listitem>
    </itemizedlist>

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -63,6 +63,7 @@
 #include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/validator.h>
+#include <dns/zone.h>

 #ifdef WANT_QUERYTRACE
 #define RTRACE(m)       isc_log_write(dns_lctx, \
@@ -311,6 +312,8 @@ struct fetchctx {
 	bool			ns_ttl_ok;
 	uint32_t			ns_ttl;
 	isc_counter_t *			qc;
+	dns_fixedname_t			fwdfname;
+	dns_name_t			*fwdname;

 	/*%
 	 * The number of events we're waiting for.
@@ -3389,6 +3392,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 		if (result == ISC_R_SUCCESS) {
 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copy(domain, fctx->fwdname, NULL);
 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
 			    isstrictsubdomain(domain, &fctx->domain)) {
 				fcount_decr(fctx);
@@ -4418,6 +4422,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->restarts = 0;
 	fctx->querysent = 0;
 	fctx->referrals = 0;
+
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
 	TIME_NOW(&fctx->start);
 	fctx->timeouts = 0;
 	fctx->lamecount = 0;
@@ -4476,8 +4483,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 		domain = dns_fixedname_initname(&fixed);
 		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
 					    domain, &forwarders);
-		if (result == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS) {
 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copy(domain, fctx->fwdname, NULL);
+		}

 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
 			/*
@@ -6226,6 +6235,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
 		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
 }

+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders = NULL;
+	dns_fixedname_t fixed, zfixed;
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+	dns_name_t *apex = NULL;
+	dns_name_t suffix;
+	dns_zone_t *zone = NULL;
+	unsigned int labels;
+	dns_namereln_t rel;
+	/*
+	 * The following two variables do not influence code flow; they are
+	 * only necessary for calling dns_name_fullcompare().
+	 */
+	int _orderp = 0;
+	unsigned int _nlabelsp = 0;
+
+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+	/*
+	 * The name is outside the queried namespace.
+	 */
+	rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+		return (true);
+	}
+
+	/*
+	 * If the record lives in the parent zone, adjust the name so we
+	 * look for the correct zone or forward clause.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	} else if (rel == dns_namereln_equal) {
+		/* If 'name' is 'apex', no further checking is needed. */
+		return (false);
+	}
+
+	/*
+	 * If there is a locally served zone between 'apex' and 'name'
+	 * then don't cache.
+	 */
+	LOCK(&fctx->res->view->lock);
+	if (fctx->res->view->zonetable != NULL) {
+		unsigned int options = DNS_ZTFIND_NOEXACT;
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
+				     zfname, &zone);
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			if (dns_name_fullcompare(zfname, apex, &_orderp,
+						 &_nlabelsp) ==
+			    dns_namereln_subdomain)
+			{
+				UNLOCK(&fctx->res->view->lock);
+				return (true);
+			}
+		}
+	}
+	UNLOCK(&fctx->res->view->lock);
+
+	/*
+	 * Look for a forward declaration below 'name'.
+	 */
+	result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
+				    &forwarders);
+
+	if (ISFORWARDER(fctx->addrinfo)) {
+		/*
+		 * See if the forwarder declaration is better.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * If the lookup failed, the configuration must have
+		 * changed: play it safe and don't cache.
+		 */
+		return (true);
+	} else if (result == ISC_R_SUCCESS &&
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
+	{
+		/*
+		 * If 'name' is covered by a 'forward only' clause then we
+		 * can't cache this repsonse.
+		 */
+		return (true);
+	}
+
+	return (false);
+}
+
 static isc_result_t
 check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 	      dns_section_t section)
@@ -6254,7 +6369,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 	result = dns_message_findname(rmessage, section, addname,
 				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
-		external = !dns_name_issubdomain(name, &fctx->domain);
+		external = name_external(name, type, fctx);
 		if (type == dns_rdatatype_a) {
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
@@ -7136,6 +7251,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 			break;

 		case dns_namereln_subdomain:
+			/*
+			 * Don't accept DNAME from parent namespace.
+			 */
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
+				continue;
+			}
+
 			/*
 			 * In-scope DNAME records must have at least
 			 * as many labels as the domain being queried.
@@ -7371,11 +7493,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 	 */
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (!done && result == ISC_R_SUCCESS) {
-		bool external;
 		name = NULL;
 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		external = !dns_name_issubdomain(name, &fctx->domain);
-		if (!external) {
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
 			/*
 			 * We expect to find NS or SIG NS rdatasets, and
 			 * nothing else.