[PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[mancha security]

[-- Attachment #1.1: Type: text/plain, Size: 809 bytes --]

Hello.

Recently Yue Cao et al. published findings related to a side-channel
vulnerability in Linux's RFC 5961 TCP challenge ACK implementation in
kernels 3.6+.

They find the vulnerability can be leveraged by off-path attackers to
trigger connection terminations or data injection. [1]

The attached backported mitigation for use with 3.10.x (applies cleanly
to 3.10.102) is based on Eric Dumazet's (& Linus Torvalds') mainline
patch. [2]

I submit it for your consideration for inclusion in 3.10.103.

Additionally, it is sufficiently self-contained so it likely can be used
with 3.12.x.

Cheers,

--mancha (https://twitter.com/mancha140)

=======
[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd


[-- Attachment #1.2: linux-3.10.102_CVE-2016-5696.diff --]
[-- Type: text/plain, Size: 2553 bytes --]

From 64ee6444c1e18bda1a3f585e3a5096fd703f8e4a Mon Sep 17 00:00:00 2001
From: mancha security <mancha1@zoho.com>
Date: Thu, 11 Aug 2016
Subject: CVE-2016-5696

Yue Cao et al [1] discovered a side-channel vulnerability in the Linux TCP
specification as implemented in kernel 3.6 onwards.

This vulnerability allows off-path attackers to infer if any two hosts are
communicating using a TCP connection and, if so, further infer TCP sequence
numbers. An attacker can leverage this to trigger connection terminations
or data injection.

This backported fix for use with 3.10.102 LTS is based on a patch by Linus
Torvalds and Eric Dumazet. It increases the RFC 5961 global challenge ACK
rate limit (tcp_challenge_ack_limit) from 100 to 1000. Channel noise is
introduced by making the effective global challenge ACK rate limit a random
number drawn from an interval with radius (tcp_challenge_ack_limit/2) centered
around tcp_challenge_ack_limit. The default interval is [500,1500).

[1] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd

---
 net/ipv4/tcp_input.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -63,6 +63,8 @@
 
 #define pr_fmt(fmt) "TCP: " fmt
 
+#define prandom_u32_max(ep_ro) (u32)(((u64) prandom_u32() * ep_ro) >> 32)
+
 #include <linux/mm.h>
 #include <linux/slab.h>
 #include <linux/module.h>
@@ -87,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_most
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
 
 /* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit = 100;
+int sysctl_tcp_challenge_ack_limit = 1000;
 
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
@@ -3288,12 +3290,17 @@ static void tcp_send_challenge_ack(struc
 	static u32 challenge_timestamp;
 	static unsigned int challenge_count;
 	u32 now = jiffies / HZ;
+	u32 count;
 
 	if (now != challenge_timestamp) {
+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
 		challenge_timestamp = now;
-		challenge_count = 0;
+		ACCESS_ONCE(challenge_count) = half +
+			   prandom_u32_max(sysctl_tcp_challenge_ack_limit);
 	}
-	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+	count = ACCESS_ONCE(challenge_count);
+	if (count > 0) {
+		ACCESS_ONCE(challenge_count) = count - 1;
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
 		tcp_send_ack(sk);
 	}

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[Willy Tarreau]

Hi,

On Thu, Aug 18, 2016 at 10:33:39PM +0000, mancha security wrote:
> Hello.
> 
> Recently Yue Cao et al. published findings related to a side-channel
> vulnerability in Linux's RFC 5961 TCP challenge ACK implementation in
> kernels 3.6+.
> 
> They find the vulnerability can be leveraged by off-path attackers to
> trigger connection terminations or data injection. [1]
> 
> The attached backported mitigation for use with 3.10.x (applies cleanly
> to 3.10.102) is based on Eric Dumazet's (& Linus Torvalds') mainline
> patch. [2]
> 
> I submit it for your consideration for inclusion in 3.10.103.
> 
> Additionally, it is sufficiently self-contained so it likely can be used
> with 3.12.x.

That's very kind of you, but Chas Williams already provided us with this
backport. I hope to be able to work on 3.10.103 this week-end.

Thanks!
Willy

Re: [PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[mancha security]

[-- Attachment #1: Type: text/plain, Size: 324 bytes --]

On Fri, Aug 19, 2016 at 07:19:22AM +0200, Willy Tarreau wrote:
> 
> That's very kind of you, but Chas Williams already provided us with this
> backport. I hope to be able to work on 3.10.103 this week-end.
> 
> Thanks!
> Willy

Ah, thanks for the update.

Cheers!

--mancha

PS My patch is probably better :)

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 3.10.x/3.12.x] net: challenge ACK side-channel attack mitigation (CVE-2016-5696)

[Willy Tarreau]

On Fri, Aug 19, 2016 at 05:48:25AM +0000, mancha security wrote:
> On Fri, Aug 19, 2016 at 07:19:22AM +0200, Willy Tarreau wrote:
> > 
> > That's very kind of you, but Chas Williams already provided us with this
> > backport. I hope to be able to work on 3.10.103 this week-end.
> > 
> > Thanks!
> > Willy
> 
> Ah, thanks for the update.
> 
> Cheers!
> 
> --mancha
> 
> PS My patch is probably better :)

They're the same except that you added a macro to  define the random
function while Chas used the already provided reciprocal_divide().

Willy