[PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[mancha security <mancha1@zoho.com>]

[-- Attachment #1.1: Type: text/plain, Size: 809 bytes --]

Hello.

Recently Yue Cao et al. published findings related to a side-channel
vulnerability in Linux's RFC 5961 TCP challenge ACK implementation in
kernels 3.6+.

They find the vulnerability can be leveraged by off-path attackers to
trigger connection terminations or data injection. [1]

The attached backported mitigation for use with 3.10.x (applies cleanly
to 3.10.102) is based on Eric Dumazet's (& Linus Torvalds') mainline
patch. [2]

I submit it for your consideration for inclusion in 3.10.103.

Additionally, it is sufficiently self-contained so it likely can be used
with 3.12.x.

Cheers,

--mancha (https://twitter.com/mancha140)

=======
[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd


[-- Attachment #1.2: linux-3.10.102_CVE-2016-5696.diff --]
[-- Type: text/plain, Size: 2553 bytes --]

From 64ee6444c1e18bda1a3f585e3a5096fd703f8e4a Mon Sep 17 00:00:00 2001
From: mancha security <mancha1@zoho.com>
Date: Thu, 11 Aug 2016
Subject: CVE-2016-5696

Yue Cao et al [1] discovered a side-channel vulnerability in the Linux TCP
specification as implemented in kernel 3.6 onwards.

This vulnerability allows off-path attackers to infer if any two hosts are
communicating using a TCP connection and, if so, further infer TCP sequence
numbers. An attacker can leverage this to trigger connection terminations
or data injection.

This backported fix for use with 3.10.102 LTS is based on a patch by Linus
Torvalds and Eric Dumazet. It increases the RFC 5961 global challenge ACK
rate limit (tcp_challenge_ack_limit) from 100 to 1000. Channel noise is
introduced by making the effective global challenge ACK rate limit a random
number drawn from an interval with radius (tcp_challenge_ack_limit/2) centered
around tcp_challenge_ack_limit. The default interval is [500,1500).

[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd

---
 net/ipv4/tcp_input.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -63,6 +63,8 @@
 
 #define pr_fmt(fmt) "TCP: " fmt
 
+#define prandom_u32_max(ep_ro) (u32)(((u64) prandom_u32() * ep_ro) >> 32)
+
 #include <linux/mm.h>
 #include <linux/slab.h>
 #include <linux/module.h>
@@ -87,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_most
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
 
 /* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit = 100;
+int sysctl_tcp_challenge_ack_limit = 1000;
 
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
@@ -3288,12 +3290,17 @@ static void tcp_send_challenge_ack(struc
 	static u32 challenge_timestamp;
 	static unsigned int challenge_count;
 	u32 now = jiffies / HZ;
+	u32 count;
 
 	if (now != challenge_timestamp) {
+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
 		challenge_timestamp = now;
-		challenge_count = 0;
+		ACCESS_ONCE(challenge_count) = half +
+			   prandom_u32_max(sysctl_tcp_challenge_ack_limit);
 	}
-	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+	count = ACCESS_ONCE(challenge_count);
+	if (count > 0) {
+		ACCESS_ONCE(challenge_count) = count - 1;
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
 		tcp_send_ack(sk);
 	}

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]