From patchwork Mon Feb 22 14:35:50 2021
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1443160
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] icmp: randomize the global rate limiter
Date: Mon, 22 Feb 2021 07:35:50 -0700
Message-Id: <20210222143550.28728-2-tim.gardner@canonical.com>
In-Reply-To: <20210222143550.28728-1-tim.gardner@canonical.com>
References: <20210222143550.28728-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions

From: Eric Dumazet Keyu Man reported that the ICMP rate limiter could be used by attackers to get useful signal. Details will be provided in an upcoming academic publication. Our solution is to add some noise, so that the attackers no longer can get help from the predictable token bucket limiter. Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Signed-off-by: Eric Dumazet Reported-by: Keyu Man Signed-off-by: Jakub Kicinski (backported from commit b38e7819cae946e2edf869e604af1e65a5d241c5) CVE-2020-25705 Signed-off-by: Tim Gardner Back port notes: dropped edits to Documentation/networking/ip-sysctl.rst as that file does not yet exist. --- net/ipv4/icmp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index f369e7ce685b..dcffda472585 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -239,7 +239,7 @@ static struct { /** * icmp_global_allow - Are we allowed to send one more ICMP message ? * - * Uses a token bucket to limit our ICMP messages to sysctl_icmp_msgs_per_sec. + * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec. * Returns false if we reached the limit and can not send another packet. * Note: called with BH disabled */ @@ -267,7 +267,10 @@ bool icmp_global_allow(void) } credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst); if (credit) { - credit--; + /* We want to use a credit of one in average, but need to randomize + * it for security reasons. + */ + credit = max_t(int, credit - prandom_u32_max(3), 0); rc = true; } WRITE_ONCE(icmp_global.credit, credit);
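
Review bot: In the first hunk of net/ipv4/icmp.c (the kernel-doc comment above icmp_global_allow), the only documentation change is a tilde in front of sysctl_icmp_msgs_per_sec, which does not tell a reader why the limit is now approximate. The back port notes say the edits to Documentation/networking/ip-sysctl.rst were dropped, so this comment is the only place in the backport where the new behaviour is described. Consider stating in the comment that each allowed message consumes a randomized number of credits, so the number of messages actually sent per interval varies around the configured value.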
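
Review bot: In the second hunk, at `credit = max_t(int, credit - prandom_u32_max(3), 0);`, the clamp depends on a type conversion that the new comment does not mention. credit is assigned from min_t(u32, ...) on the line above, so if it is an unsigned variable, credit - prandom_u32_max(3) wraps when credit is 1 and the random value is 2, and only the int cast inside max_t turns the result back into a negative number that clamps to 0. A one-line comment saying so, or an explicit comparison before the subtraction, would protect this against later refactoring. The same clamp means a nearly empty bucket is charged less than one credit on average, and a draw of 0 lets a message through without consuming anything, so the comment's "credit of one in average" (should read "on average") holds only away from zero; worth stating whether that is intended.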
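
The effect described in the commit message, as an added user-space model that is not part of the patch or of the kernel source: with a fixed cost of one credit the number of messages allowed from a full bucket is always the same, while a random cost of 0 to 2 makes it vary from burst to burst. The burst of 50 credits, the 200 back-to-back calls, the xorshift generator standing in for prandom_u32_max() and the function names are constructed for this illustration, and refill over time is left out.

```c
#include <stdint.h>
#include <stdio.h>
/* Stand-in for prandom_u32_max(): xorshift32, model only (assumption). */
static uint32_t rng_state = 0x12345678u;
static uint32_t model_rand_max(uint32_t ep_ro)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state % ep_ro;   /* value in [0, ep_ro) */
}

/* One limiter decision; refill over time is deliberately not modelled. */
static int allow(uint32_t *credit, int randomized)
{
    uint32_t cost = randomized ? model_rand_max(3) : 1;
    if (*credit == 0)
        return 0;               /* bucket empty: message suppressed */
    /* Clamp at zero, like max_t(int, credit - cost, 0) in the patch. */
    *credit = cost >= *credit ? 0 : *credit - cost;
    return 1;
}

/* Messages allowed out of `probes` back-to-back calls on a full bucket. */
static unsigned allowed_in_burst(uint32_t burst, unsigned probes, int randomized)
{
    uint32_t credit = burst;
    unsigned sent = 0;
    for (unsigned i = 0; i < probes; i++)
        sent += (unsigned)allow(&credit, randomized);
    return sent;
}

/* max - min of the allowed count over `trials` fresh buckets. */
static unsigned spread(uint32_t burst, unsigned probes, int randomized, unsigned trials)
{
    unsigned lo = probes, hi = 0;
    for (unsigned t = 0; t < trials; t++) {
        unsigned n = allowed_in_burst(burst, probes, randomized);
        if (n < lo) lo = n;
        if (n > hi) hi = n;
    }
    return hi - lo;
}

int main(void)
{
    printf("fixed %u, random %u\n", spread(50, 200, 0, 20), spread(50, 200, 1, 20));
    return 0;
}
```

A spread of zero in the fixed-cost case is the predictability the commit message refers to; the randomized case still allows at least half the burst, since no call costs more than two credits.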