Hello. Recently Yue Cao et al. published findings related to a side-channel vulnerability in Linux's RFC 5961 TCP challenge ACK implementation in kernels 3.6+. They find the vulnerability can be leveraged by off-path attackers to trigger connection terminations or data injection. [1] The attached backported mitigation for use with 3.10.x (applies cleanly to 3.10.102) is based on Eric Dumazet's (& Linus Torvalds') mainline patch. [2] I submit it for your consideration for inclusion in 3.10.103. Additionally, it is sufficiently self-contained so it likely can be used with 3.12.x. Cheers, --mancha (https://twitter.com/mancha140) ======= [1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf [2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd
From 64ee6444c1e18bda1a3f585e3a5096fd703f8e4a Mon Sep 17 00:00:00 2001 From: mancha security <mancha1@xxxxxxxx> Date: Thu, 11 Aug 2016 Subject: CVE-2016-5696 Yue Cao et al [1] discovered a side-channel vulnerability in the Linux TCP specification as implemented in kernel 3.6 onwards. This vulnerability allows off-path attackers to infer if any two hosts are communicating using a TCP connection and, if so, further infer TCP sequence numbers. An attacker can leverage this to trigger connection terminations or data injection. This backported fix for use with 3.10.102 LTS is based on a patch by Linus Torvalds and Eric Dumazet. It increases the RFC 5961 global challenge ACK rate limit (tcp_challenge_ack_limit) from 100 to 1000. Channel noise is introduced by making the effective global challenge ACK rate limit a random number drawn from an interval with radius (tcp_challenge_ack_limit/2) centered around tcp_challenge_ack_limit. The default interval is [500,1500). [1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf [2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd --- net/ipv4/tcp_input.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -63,6 +63,8 @@ #define pr_fmt(fmt) "TCP: " fmt +#define prandom_u32_max(ep_ro) (u32)(((u64) prandom_u32() * ep_ro) >> 32) + #include <linux/mm.h> #include <linux/slab.h> #include <linux/module.h> @@ -87,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_most EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); /* rfc5961 challenge ack rate limiting */ -int sysctl_tcp_challenge_ack_limit = 100; +int sysctl_tcp_challenge_ack_limit = 1000; int sysctl_tcp_stdurg __read_mostly; int sysctl_tcp_rfc1337 __read_mostly; @@ -3288,12 +3290,17 @@ static void tcp_send_challenge_ack(struc static u32 challenge_timestamp; static unsigned int challenge_count; u32 now = jiffies / HZ; + u32 count; if (now != challenge_timestamp) { + u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; challenge_timestamp = now; - challenge_count = 0; + ACCESS_ONCE(challenge_count) = half + + prandom_u32_max(sysctl_tcp_challenge_ack_limit); } - if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { + count = ACCESS_ONCE(challenge_count); + if (count > 0) { + ACCESS_ONCE(challenge_count) = count - 1; NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); tcp_send_ack(sk); }
Attachment:
pgpbBG6OrJ_To.pgp
Description: PGP signature