From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from sender153-mail.zoho.com ([74.201.84.153]:21336 "EHLO
        sender153-mail.zoho.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753988AbcHSCWU (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 18 Aug 2016 22:22:20 -0400
Date: Thu, 18 Aug 2016 22:33:39 +0000
From: mancha security <mancha1@zoho.com>
To: stable@vger.kernel.org
Cc: w@1wt.eu, jslaby@suse.cz, edumazet@google.com
Subject: [PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack
 mitigation (CVE-2016-5696)
Message-ID: <20160818223339.GA7217@zoho.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="Pd0ReVV5GZGQvF3a"
Content-Disposition: inline
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


--Pd0ReVV5GZGQvF3a
Content-Type: multipart/mixed; boundary="6c2NcOVqGQ03X4Wi"
Content-Disposition: inline


--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello.

Recently Yue Cao et al. published findings related to a side-channel
vulnerability in Linux's RFC 5961 TCP challenge ACK implementation in
kernels 3.6+.

They find the vulnerability can be leveraged by off-path attackers to
trigger connection terminations or data injection. [1]

The attached backported mitigation for use with 3.10.x (applies cleanly
to 3.10.102) is based on Eric Dumazet's (& Linus Torvalds') mainline
patch. [2]

I submit it for your consideration for inclusion in 3.10.103.

Additionally, it is sufficiently self-contained so it likely can be used
with 3.12.x.

Cheers,

--mancha (https://twitter.com/mancha140)

=======
[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd


--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="linux-3.10.102_CVE-2016-5696.diff"
Content-Transfer-Encoding: quoted-printable

=46rom 64ee6444c1e18bda1a3f585e3a5096fd703f8e4a Mon Sep 17 00:00:00 2001
=46rom: mancha security <mancha1@zoho.com>
Date: Thu, 11 Aug 2016
Subject: CVE-2016-5696

Yue Cao et al [1] discovered a side-channel vulnerability in the Linux TCP
specification as implemented in kernel 3.6 onwards.

This vulnerability allows off-path attackers to infer if any two hosts are
communicating using a TCP connection and, if so, further infer TCP sequence
numbers. An attacker can leverage this to trigger connection terminations
or data injection.

This backported fix for use with 3.10.102 LTS is based on a patch by Linus
Torvalds and Eric Dumazet. It increases the RFC 5961 global challenge ACK
rate limit (tcp_challenge_ack_limit) from 100 to 1000. Channel noise is
introduced by making the effective global challenge ACK rate limit a random
number drawn from an interval with radius (tcp_challenge_ack_limit/2) cente=
red
around tcp_challenge_ack_limit. The default interval is [500,1500).

[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/=
?id=3D75ff39ccc1bd

---
 net/ipv4/tcp_input.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -63,6 +63,8 @@
=20
 #define pr_fmt(fmt) "TCP: " fmt
=20
+#define prandom_u32_max(ep_ro) (u32)(((u64) prandom_u32() * ep_ro) >> 32)
+
 #include <linux/mm.h>
 #include <linux/slab.h>
 #include <linux/module.h>
@@ -87,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_most
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
=20
 /* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit =3D 100;
+int sysctl_tcp_challenge_ack_limit =3D 1000;
=20
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
@@ -3288,12 +3290,17 @@ static void tcp_send_challenge_ack(struc
 	static u32 challenge_timestamp;
 	static unsigned int challenge_count;
 	u32 now =3D jiffies / HZ;
+	u32 count;
=20
 	if (now !=3D challenge_timestamp) {
+		u32 half =3D (sysctl_tcp_challenge_ack_limit + 1) >> 1;
 		challenge_timestamp =3D now;
-		challenge_count =3D 0;
+		ACCESS_ONCE(challenge_count) =3D half +
+			   prandom_u32_max(sysctl_tcp_challenge_ack_limit);
 	}
-	if (++challenge_count <=3D sysctl_tcp_challenge_ack_limit) {
+	count =3D ACCESS_ONCE(challenge_count);
+	if (count > 0) {
+		ACCESS_ONCE(challenge_count) =3D count - 1;
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
 		tcp_send_ack(sk);
 	}

--6c2NcOVqGQ03X4Wi--

--Pd0ReVV5GZGQvF3a
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXtjfDAAoJEKPZDStQM/UXglEQAKT+BD0N2HaDYwwloLxJxdQg
4BTnaVgWzTsIxHSLMqP+VDrbkqIEkw0CmfeOFTdxeFF/vhBcX+QeoOmbylgAd/4G
co3gpix7uM0sSdlXnBlEl9PRrrpUHdjTbDKD236Tio8hXeaiv4Y2GnYMzbYnkro8
7iZu2KuySWkmaNxQahpEKGv1yd5InU/0cXzFTDUm5s34fNdD3bKkSsnG/5AJpWHg
NSoNvhbHga2yI4ctViSO4WUxTNixJtcoltjD2q9IKNCHSaBl63tmyymnCBsNOfDe
Andwf4kF995+Xp/SEFGTWcO6b1pRdrDnZwEpECs0t50EkzxSXZofYTTrcOweLxzq
onQWHihC+Oude/TGJMqlTXeymhkQE7JyAvpZPvnfczuHQv6UJ2Xh3rXmJI7zqaJg
vpmi8shm4Q5oIdthVpU6ZRQ3+fIkun2JUikifcQ90s1oyo1zJwwYhvUXtthSPhCK
HTusVqnkL4oijTNAb3Zmdd37vfI7gH8KuP1EvO+gwL9VxfvzGtStlgs9ehYCYFCT
RXNpC4IOZXrzPDK+BGuTyf2WiM0CEUgNRoGygy3uLdBdpgb89oPCKKCAcleujwTx
YToAjVnSDEHP5apAKVIDP7QPd2GkS2TtlPWUeY5rd1jPA+ajDt16lnNJTE/gPA/O
yjmcMXblxtdY7s8XNfe9
=dlaf
-----END PGP SIGNATURE-----

--Pd0ReVV5GZGQvF3a--