[PATCH 4/4] tcp: make challenge acks less predictable

Fri Aug 12 13:58:25 UTC 2016

On 08/12/2016 07:30 AM, Tim Gardner wrote:
> From: Eric Dumazet <edumazet at google.com>
> 
> Yue Cao claims that current host rate limiting of challenge ACKS
> (RFC 5961) could leak enough information to allow a patient attacker
> to hijack TCP sessions. He will soon provide details in an academic
> paper.
> 
> This patch increases the default limit from 100 to 1000, and adds
> some randomization so that the attacker can no longer hijack
> sessions without spending a considerable amount of probes.
> 
> Based on initial analysis and patch from Linus.
> 
> Note that we also have per socket rate limiting, so it is tempting
> to remove the host limit in the future.
> 
> v2: randomize the count of challenge acks per second, not the period.
> 
> Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
> Reported-by: Yue Cao <ycao009 at ucr.edu>
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
> Cc: Yuchung Cheng <ycheng at google.com>
> Cc: Neal Cardwell <ncardwell at google.com>
> Acked-by: Neal Cardwell <ncardwell at google.com>
> Acked-by: Yuchung Cheng <ycheng at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> CVE-2016-5696
> 
> (backported from commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 upstream)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>  net/ipv4/tcp_input.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 2cc1313..1bf94fa 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -86,7 +86,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
>  EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
>  
>  /* rfc5961 challenge ack rate limiting */
> -int sysctl_tcp_challenge_ack_limit = 100;
> +int sysctl_tcp_challenge_ack_limit = 1000;
>  
>  int sysctl_tcp_stdurg __read_mostly;
>  int sysctl_tcp_rfc1337 __read_mostly;
> @@ -3288,17 +3288,25 @@ static void tcp_send_challenge_ack(struct sock *sk)
>  	/* unprotected vars, we dont care of overwrites */
>  	static u32 challenge_timestamp;
>  	static unsigned int challenge_count;
> -	u32 now = jiffies / HZ;
> +	u32 count, now = jiffies / HZ;
>  
> +	/* Check host-wide RFC 5961 rate limit. */
>  	if (now != challenge_timestamp) {
> +		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
> +
>  		challenge_timestamp = now;
> -		challenge_count = 0;
> +		*((volatile unsigned int *) &challenge_count) =
> +		WRITE_ONCE(challenge_count, half +
> +			   prandom_u32_max(sysctl_tcp_challenge_ack_limit));

This seems kind of bogus. ^^

-- 
Tim Gardner tim.gardner at canonical.com