From eaabf060312f6aad1c0c195ad33e5ea612acc47a Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Tue, 27 Sep 2022 10:43:24 +0200
Subject: [PATCH] BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree

To avoid any UAF when a resolution is released, a mechanism was added to abort a resolution and delay the release to the end of the current execution path. This mechanism depends on a hard assumption: any reference to an aborted resolution must be removed. So, when a resolution is aborted, it is removed from the resolver lists and inserted into a death row list.

However, a resolution may still be referenced in the query_ids tree. It is the tree containing all resolutions with a pending request. Because aborted resolutions are released outside the resolvers lock, it is possible to release a resolution on one side while a query answer is received and processed on another one. Thus, it is still possible to have a UAF because of this bug.

To fix the issue, when a resolution is aborted, it is removed from any list, but it is also removed from the query_ids tree.

This patch should solve the issue #1862 and may be related to #1875. It must be backported as far as 2.2.
---
 src/resolvers.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/resolvers.c b/src/resolvers.c
index a0ebb6009d..4bbc6e50b3 100644
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -594,6 +594,11 @@ static void enter_resolver_code()
 /* Add a resolution to the death_row. */
 static void abort_resolution(struct resolv_resolution *res)
 {
+	/* Remove the resolution from query_ids tree and from any resolvers list */
+	eb32_delete(&res->qid);
+	res->query_id = 0;
+	res->qid.key = 0;
+
 	LIST_DEL_INIT(&res->list);
 	LIST_APPEND(&death_row, &res->list);
 }
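Review bot: the function comment "/* Add a resolution to the death_row. */" above abort_resolution() is now stale, since the function also unlinks the resolution from the query_ids tree and from its resolver list; please extend it, and state the locking precondition there too. The commit message says aborted resolutions are released outside the resolvers lock, so the new eb32_delete(&res->qid) only closes the race with a concurrently processed answer if every caller of abort_resolution() holds the resolvers lock at that point; a one-line comment such as "/* Must be called with the resolvers lock held */" would make that requirement explicit to future callers. One caveat worth confirming: abort_resolution() can be reached for a resolution that has no pending query and was therefore never inserted in the tree, and eb32_delete() is only safe on an unlinked node if its leaf_p pointer is NULL, so the allocation path for struct resolv_resolution should zero res->qid (calloc or equivalent) before this unconditional delete is relied upon.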