Date: Sat, 14 Jan 2023 09:21:28 GMT
Message-Id: <202301140921.30E9LSHK067406@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Matthias Andree
Subject: git: cd6957878cb7 - 2023Q1 - dns/dnsmasq: fix rare cache corruption problem
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/2023Q1
X-Git-Reftype: branch
X-Git-Commit: cd6957878cb763b022777f77385ea3153d69de96
Auto-Submitted: auto-generated

The branch 2023Q1 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cd6957878cb763b022777f77385ea3153d69de96

commit cd6957878cb763b022777f77385ea3153d69de96
Author: Matthias Andree
AuthorDate: 2023-01-14 09:10:42 +0000
Commit: Matthias Andree
CommitDate: 2023-01-14 09:21:24 +0000

dns/dnsmasq: fix rare cache corruption problem

Simon Kelley sent an advisory that in rare circumstances, the cache can become corrupted and the DNS subsystem then becomes dysfunctional. This is reported as a regression in 2.88. Chances seem higher this happens with DNSSEC enabled, but seems not limited to it.

For details, please see the patch contained in this commit, or https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q1/016821.html

The symptom of this happening is apparently a cache internal error.

2.89 with this fix and a few others is slated for release in a week. Let's fix the patch already and MFH to 2023Q1 so we keep our liberties to decide whether we need to move quarterly to 2.89 or rather stick with 2.88_1.
originally Reported by: Timo van Roermund (to Simon Kelley in private) Reported by: Simon Kelley (upstream maintainer, through mailing list) Obtained from: Simon Kelley (upstream maintainer, Git repository) MFH: 2023Q1 (cherry picked from commit 038ffa5e63e3b419b68989e5c822b8cb108af7da) --- dns/dnsmasq/Makefile | 2 +- dns/dnsmasq/files/patch-zgf172fdb | 85 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile index ba9002cb4f44..ba26d1ec62a8 100644 --- a/dns/dnsmasq/Makefile +++ b/dns/dnsmasq/Makefile @@ -1,7 +1,7 @@ PORTNAME= dnsmasq DISTVERSION= 2.88 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= dns MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/ \ diff --git a/dns/dnsmasq/files/patch-zgf172fdb b/dns/dnsmasq/files/patch-zgf172fdb new file mode 100644 index 000000000000..f3128f57d55f --- /dev/null +++ b/dns/dnsmasq/files/patch-zgf172fdb 
@@ -0,0 +1,85 @@ +From f172fdbb77c422e27d3b7530f3fe95b98d1608e7 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 11 Jan 2023 23:23:40 +0000 +Subject: [PATCH] Fix bug which can break the invariants on the order of a hash + chain. + +If there are multiple cache records with the same name but different +F_REVERSE and/or F_IMMORTAL flags, the code added in fe9a134b could +concievable break the REVERSE-FORWARD-IMMORTAL order invariant. + +Reproducing this is damn near impossible, but it is responsible +for rare and otherwise inexplicable reversion between 2.87 and 2.88 +which manifests itself as a cache internal error. All observed +cases have depended on DNSSEC being enabled, but the bug could in +theory manifest itself without DNSSEC + +Thanks to Timo van Roermund for reporting the bug and huge +efforts to isolate it. +--- + CHANGELOG | 16 +++++++++++++++- + src/cache.c | 14 +++++++++----- + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 0f36a0f..d6e6753 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,6 +1,20 @@ ++version 2.98 ++ Fix bug introduced in 2.88 (commit fe91134b) which can result ++ in corruption of the DNS cache internal data structures and ++ logging of "cache internal error". This has only been seen ++ in one place in the wild, and it took considerable effort ++ to even generate a test case to reproduce it, but there's ++ no way to be sure it won't strike, and the effect to to break ++ the cache badly. Installations with DNSSEC enabled are more ++ likely to see the problem, but not running DNSSEC does not ++ guarantee that it won't happen. Thanks to Timo van Roermund ++ for reporting the bug and for his great efforts in chasing ++ it down. ++ ++ + version 2.88 + Fix bug in --dynamic-host when an interface has /16 IPv4 +- address. Thanks to Mark Dietzer for spotting this. ++ address. Thanks to Mark Dietzer for spotting this. + + Add --fast-dns-retry option. 
This gives dnsmasq the ability + to originate retries for upstream DNS queries itself, rather +diff --git a/src/cache.c b/src/cache.c +index 42283bc..0a5fd14 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -236,19 +236,23 @@ static void cache_hash(struct crec *crecp) + + char *name = cache_get_name(crecp); + struct crec **up = hash_bucket(name); +- +- if (!(crecp->flags & F_REVERSE)) ++ unsigned int flags = crecp->flags & (F_IMMORTAL | F_REVERSE); ++ ++ if (!(flags & F_REVERSE)) + { + while (*up && ((*up)->flags & F_REVERSE)) + up = &((*up)->hash_next); + +- if (crecp->flags & F_IMMORTAL) ++ if (flags & F_IMMORTAL) + while (*up && !((*up)->flags & F_IMMORTAL)) + up = &((*up)->hash_next); + } + +- /* Preserve order when inserting the same name multiple times. */ +- while (*up && hostname_isequal(cache_get_name(*up), name)) ++ /* Preserve order when inserting the same name multiple times. ++ Do not mess up the flag invariants. */ ++ while (*up && ++ hostname_isequal(cache_get_name(*up), name) && ++ flags == ((*up)->flags & (F_IMMORTAL | F_REVERSE))) + up = &((*up)->hash_next); + + crecp->hash_next = *up; +-- +2.20.1 +
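Review bot: In the CHANGELOG hunk carried inside files/patch-zgf172fdb, the new entry is headed "version 2.98" although the commit message says the fix is slated for 2.89, and it cites commit fe91134b where the patch's own description cites fe9a134b, so one of the two hashes is mistyped. The entry also contains "the effect to to break", and the "Thanks to Mark Dietzer" line is removed and re-added with no visible difference, which points to a whitespace-only change. Since only the src/cache.c hunk changes behaviour, consider dropping the CHANGELOG hunk from the port's patch file so that none of this is carried into the port.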
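Review bot: In the src/cache.c hunk, the new comment "Do not mess up the flag invariants." does not say which invariant is meant; the patch description names it as the REVERSE-FORWARD-IMMORTAL order of a hash chain, and stating that order in the comment would let the next reader check the loop against it. The mask (F_IMMORTAL | F_REVERSE) is also written out twice, once when computing the local flags and once in the same-name loop condition; a single named constant would keep the two from drifting apart. Nothing in the hunk verifies the chain order after insertion, so a future regression of this kind would again surface only as the "cache internal error" the description mentions.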