[PATCH 0/1][C] CVE-2018-5391 - Mitigation for FragmentSmack

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH 0/1][C] CVE-2018-5391 - Mitigation for FragmentSmack

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2018-5391

This patch revert mitigates FragmentSmack in Cosmic to match the mitigation
that we have in place in older Ubuntu kernels.

In the near future, we'll want to backport a series of upstream patches that
uses rb trees for the IP fragment queue but, due to how close we are to the
18.10 release, it is best if we simply mitigate the vulnerability with this
patch revert.

Tyler

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] UBUNTU: SAUCE: Revert "net: increase fragment memory usage limits"

Tyler Hicks-2
This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4. It
made denial of service attacks on the IP fragment handling easier to
carry out.

CVE-2018-5391

Signed-off-by: Tyler Hicks <[hidden email]>
---
 include/net/ipv6.h     |  4 ++--
 net/ipv4/ip_fragment.c | 22 +++++++---------------
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 8f73be494503..04a865cb4a83 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -373,8 +373,8 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
     idev->cnf.accept_ra;
 }
 
-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
 #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
 
 int __ipv6_addr_type(const struct in6_addr *addr);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index d14d741fb05e..bd10399eb916 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_net(struct net *net)
 {
  int res;
 
- /* Fragment cache limits.
- *
- * The fragment memory accounting code, (tries to) account for
- * the real memory usage, by measuring both the size of frag
- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
- * and the SKB's truesize.
- *
- * A 64K fragment consumes 129736 bytes (44*2944)+200
- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
- *
- * We will commit 4MB at one time. Should we cross that limit
- * we will prune down to 3MB, making room for approx 8 big 64K
- * fragments 8x128k.
+ /*
+ * Fragment cache limits. We will commit 256K at one time. Should we
+ * cross that limit we will prune down to 192K. This should cope with
+ * even the most extreme cases without allowing an attacker to
+ * measurably harm machine performance.
  */
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
- net->ipv4.frags.low_thresh  = 3 * 1024 * 1024;
+ net->ipv4.frags.high_thresh = 256 * 1024;
+ net->ipv4.frags.low_thresh = 192 * 1024;
  /*
  * Important NOTE! Fragment queue must be destroyed before MSL expires.
  * RFC791 is wrong proposing to prolongate timer each fragment arrival
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [PATCH 0/1][C] CVE-2018-5391 - Mitigation for FragmentSmack

Thadeu Lima de Souza Cascardo-3
In reply to this post by Tyler Hicks-2
Applied to cosmic master-next branch.

Thanks.
Cascardo.

Applied-to: cosmic/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team