[Devel] [PATCH RHEL7 COMMIT] ms/tcp: make challenge acks less predictable

Konstantin Khorenko khorenko at virtuozzo.com
Fri Aug 19 06:04:08 PDT 2016 

No rush with the kernel here as ReadyKernel patch (no reboot!) for Virtuozzo 7 was published even prior to RHEL7 kernel update.

https://readykernel.com/patch/readykernel-patch-15.2-2.1-1.vl7/
https://virtuozzo.com/reasons-upgrade-virtuozzo-7/

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 08/19/2016 03:56 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-327.28.2.vz7.17.1
> ------>
> commit 25e0c77a1021261a217631850fd084876e3794de
> Author: Vasily Averin <vvs at virtuozzo.com>
> Date:   Fri Aug 19 16:56:23 2016 +0400
>
>     ms/tcp: make challenge acks less predictable
>
>     upstream patch:
>     https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
>     fixes CVE-2016-5696 challenge ACK counter information disclosure
>
>     >From 75ff39ccc1bd5d3c455b6822ab09e533c551f758 Mon Sep 17 00:00:00 2001
>     From: Eric Dumazet <edumazet at google.com>
>     Date: Sun, 10 Jul 2016 10:04:02 +0200
>     Subject: tcp: make challenge acks less predictable
>
>     Yue Cao claims that current host rate limiting of challenge ACKS
>     (RFC 5961) could leak enough information to allow a patient attacker
>     to hijack TCP sessions. He will soon provide details in an academic
>     paper.
>
>     This patch increases the default limit from 100 to 1000, and adds
>     some randomization so that the attacker can no longer hijack
>     sessions without spending a considerable amount of probes.
>
>     Based on initial analysis and patch from Linus.
>
>     Note that we also have per socket rate limiting, so it is tempting
>     to remove the host limit in the future.
>
>     v2: randomize the count of challenge acks per second, not the period.
>
>     Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
>     Reported-by: Yue Cao <ycao009 at ucr.edu>
>     Signed-off-by: Eric Dumazet <edumazet at google.com>
>     Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
>     Cc: Yuchung Cheng <ycheng at google.com>
>     Cc: Neal Cardwell <ncardwell at google.com>
>     Acked-by: Neal Cardwell <ncardwell at google.com>
>     Acked-by: Yuchung Cheng <ycheng at google.com>
>     Signed-off-by: David S. Miller <davem at davemloft.net>
>
>     https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5696
>     https://jira.sw.ru/browse/PSBM-50954
>
>     Signed-off-by:	Vasily Averin <vvs at virtuozzo.com>
> ---
>  net/ipv4/tcp_input.c | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index d987f31..ed1261e 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -86,7 +86,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
>  EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
>
>  /* rfc5961 challenge ack rate limiting */
> -int sysctl_tcp_challenge_ack_limit = 100;
> +int sysctl_tcp_challenge_ack_limit = 1000;
>
>  int sysctl_tcp_stdurg __read_mostly;
>  int sysctl_tcp_rfc1337 __read_mostly;
> @@ -3302,7 +3302,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
>  	static u32 challenge_timestamp;
>  	static unsigned int challenge_count;
>  	struct tcp_sock *tp = tcp_sk(sk);
> -	u32 now;
> +	u32 count, now;
>
>  	/* First check our per-socket dupack rate limit. */
>  	if (tcp_oow_rate_limited(sock_net(sk), skb,
> @@ -3310,13 +3310,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
>  				 &tp->last_oow_ack_time))
>  		return;
>
> -	/* Then check the check host-wide RFC 5961 rate limit. */
> +	/* Then check host-wide RFC 5961 rate limit. */
>  	now = jiffies / HZ;
>  	if (now != challenge_timestamp) {
> +		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
> +
>  		challenge_timestamp = now;
> -		challenge_count = 0;
> +		WRITE_ONCE(challenge_count, half +
> +			   prandom_u32_max(sysctl_tcp_challenge_ack_limit));
>  	}
> -	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
> +	count = READ_ONCE(challenge_count);
> +	if (count > 0) {
> +		WRITE_ONCE(challenge_count, count - 1);
>  		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
>  		tcp_send_ack(sk);
>  	}
> .
>

More information about the Devel mailing list