From 272afcd999cb07593f5dd943e22dc1a03d42b090 Mon Sep 17 00:00:00 2001
|
|
From: Aram Sargsyan <aram@isc.org>
|
|
Date: Thu, 5 Jan 2023 15:01:35 +0000
|
|
Subject: [PATCH] Fix a use-after-free bug in dns_zonemgr_releasezone()
|
|
|
|
The dns_zonemgr_releasezone() function makes a decision to destroy
|
|
'zmgr' (based on its references count, after decreasing it) inside
|
|
a lock, and then destroys the object outside of the lock.
|
|
|
|
This causes a race with dns_zonemgr_detach(), which could destroy
|
|
the object in the meantime.
|
|
|
|
Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
|
|
the object (if needed) using dns_zonemgr_detach(), outside of the
|
|
lock.
|
|
|
|
Conflict: NA
|
|
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/272afcd999cb07593f5dd943e22dc1a03d42b090
|
|
|
|
(cherry picked from commit c1fc2122531bdd27ca38434a2632e8dac532bc13)
|
|
---
|
|
lib/dns/zone.c | 12 ++----------
|
|
1 file changed, 2 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
|
|
index 4b864da..bf47aa0 100644
|
|
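--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -18815,8 +18815,6 @@ unlock:
 
 void
 dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- bool free_now = false;
-
 REQUIRE(DNS_ZONE_VALID(zone));
 REQUIRE(DNS_ZONEMGR_VALID(zmgr));
 REQUIRE(zone->zmgr == zmgr);
@@ -18828,19 +18826,13 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 
 zonemgr_keymgmt_delete(zmgr, zone);
 
+ /* Detach below, outside of the write lock. */
 zone->zmgr = NULL;
 
- if (isc_refcount_decrement(&zmgr->refs) == 1) {
- free_now = true;
- }
-
 UNLOCK_ZONE(zone);
 RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
 
- if (free_now) {
- zonemgr_free(zmgr);
- }
- ENSURE(zone->zmgr == NULL);
+ dns_zonemgr_detach(&zmgr);
 }
 
 void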
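Review bot: The new comment above `zone->zmgr = NULL;` says where the detach happens but not the invariant that makes it safe: the function now keeps its reference on `zmgr` until after `RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write)`, so a concurrent `dns_zonemgr_detach()` cannot destroy the manager while its lock is still being released. I would word it as `/* Keep our zmgr reference across the unlock; dns_zonemgr_detach() below drops it and destroys zmgr if it was the last one. */` so a later refactor does not move the decrement back under the lock and reopen the use-after-free. The second hunk also drops `ENSURE(zone->zmgr == NULL);` without explanation; if that is deliberate because the read would happen after `UNLOCK_ZONE(zone)`, a line in the commit message would make that clear. The part of the function body between the two hunks is not visible here.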
--
|
|
2.33.0
|
|
|