From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
David Ahern <dsahern@kernel.org>, Ray Che <xijiache@gmail.com>,
Willy Tarreau <w@1wt.eu>, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.4 16/25] ipv4: avoid using shared IP generator for connected sockets
Date: Tue, 1 Feb 2022 19:16:40 +0100 [thread overview]
Message-ID: <20220201180822.677134289@linuxfoundation.org> (raw)
In-Reply-To: <20220201180822.148370751@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit 23f57406b82de51809d5812afd96f210f8b627f3 upstream.
ip_select_ident_segs() has been very conservative about using
the connected socket private generator only for packets with IP_DF
set, claiming it was needed for some VJ compression implementations.
As mentioned in this referenced document, this can be abused.
(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
Before switching to pure random IPID generation and possibly hurt
some workloads, lets use the private inet socket generator.
Not only this will remove one vulnerability, this will also
improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT
Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reported-by: Ray Che <xijiache@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/ip.h | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -353,19 +353,18 @@ static inline void ip_select_ident_segs(
{
struct iphdr *iph = ip_hdr(skb);
+ /* We had many attacks based on IPID, use the private
+ * generator as much as we can.
+ */
+ if (sk && inet_sk(sk)->inet_daddr) {
+ iph->id = htons(inet_sk(sk)->inet_id);
+ inet_sk(sk)->inet_id += segs;
+ return;
+ }
if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
- /* This is only to work around buggy Windows95/2000
- * VJ compression implementations. If the ID field
- * does not change, they drop every other packet in
- * a TCP stream using header compression.
- */
- if (sk && inet_sk(sk)->inet_daddr) {
- iph->id = htons(inet_sk(sk)->inet_id);
- inet_sk(sk)->inet_id += segs;
- } else {
- iph->id = 0;
- }
+ iph->id = 0;
} else {
+ /* Unfortunately we need the big hammer to get a suitable IPID */
__ip_select_ident(net, iph, segs);
}
}
next prev parent reply other threads:[~2022-02-01 18:17 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-01 18:16 [PATCH 4.4 00/25] 4.4.302-rc1 review Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 01/25] can: bcm: fix UAF of bcm op Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 02/25] Bluetooth: refactor malicious adv data check Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 03/25] s390/hypfs: include z/VM guests with access control group set Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 04/25] scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 05/25] udf: Restore i_lenAlloc when inode expansion fails Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 06/25] udf: Fix NULL ptr deref when converting from inline format Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 07/25] PM: wakeup: simplify the output logic of pm_show_wakelocks() Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 08/25] serial: stm32: fix software flow control transfer Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 09/25] tty: n_gsm: fix SW flow control encoding/handling Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 10/25] tty: Add support for Brainboxes UC cards Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 11/25] usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 12/25] USB: core: Fix hang in usb_kill_urb by adding memory barriers Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 13/25] scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 14/25] ipv6_tunnel: Rate limit warning messages Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 15/25] net: fix information leakage in /proc/net/ptype Greg Kroah-Hartman
2022-02-01 18:16 ` Greg Kroah-Hartman [this message]
2022-02-01 18:16 ` [PATCH 4.4 17/25] net-procfs: show net devices bound packet types Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 18/25] drm/msm: Fix wrong size calculation Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 19/25] hwmon: (lm90) Reduce maximum conversion rate for G781 Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 20/25] ipv4: raw: lock the socket in raw_bind() Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 21/25] ipv4: tcp: send zero IPID in SYNACK messages Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 22/25] Bluetooth: MGMT: Fix misplaced BT_HS check Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 23/25] Revert "drm/radeon/ci: disable mclk switching for high refresh rates (v2)" Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 24/25] Revert "tc358743: fix register i2c_rd/wr function fix" Greg Kroah-Hartman
2022-02-01 18:16 ` [PATCH 4.4 25/25] KVM: x86: Fix misplaced backport of "work around leak of uninitialized stack contents" Greg Kroah-Hartman
2022-02-01 19:46 ` [PATCH 4.4 00/25] 4.4.302-rc1 review Shuah Khan
2022-02-01 20:51 ` Shuah Khan
2022-02-01 20:54 ` Pavel Machek
2022-02-01 21:24 ` Guenter Roeck
2022-02-01 22:25 ` Shuah Khan
2022-02-02 8:02 ` Naresh Kamboju
2022-02-02 12:18 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220201180822.677134289@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
--cc=xijiache@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).