lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 25 Sep 2018 22:10:15 +0800
From:   maowenan <maowenan@...wei.com>
To:     <netdev@...r.kernel.org>, <gregkh@...ux-foundation.org>,
        <dwmw2@...radead.org>, <eric.dumazet@...il.com>,
        <davem@...emloft.net>, <stable@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH stable 4.4 V2 0/6] fix SegmentSmack in stable branch
 (CVE-2018-5390)

Hi Greg:

can you review this patch set?
thanks a lot.

On 2018/9/14 16:24, Mao Wenan wrote:
> There are five patches to fix CVE-2018-5390 in latest mainline 
> branch, but only two patches exist in stable 4.4 and 3.18: 
> dc6ae4d tcp: detect malicious patterns in tcp_collapse_ofo_queue()
> 5fbec48 tcp: avoid collapses in tcp_prune_queue() if possible
> I have tested with stable 4.4 kernel, and found the cpu usage was very high.
> So I think only two patches can't fix the CVE-2018-5390.
> test results:
> with fix patch:     78.2%   ksoftirqd
> withoutfix patch:   90%     ksoftirqd
> 
> Then I try to imitate 72cd43ba(tcp: free batches of packets in tcp_prune_ofo_queue())
> to drop at least 12.5 % of sk_rcvbuf to avoid malicious attacks with simple queue 
> instead of RB tree. The result is not very well.
>  
> After analysing the codes of stable 4.4, and debuging the 
> system, shows that search of ofo_queue(tcp ofo using a simple queue) cost more cycles.
> 
> So I try to backport "tcp: use an RB tree for ooo receive queue" using RB tree 
> instead of simple queue, then backport Eric Dumazet 5 fixed patches in mainline,
> good news is that ksoftirqd is turn to about 20%, which is the same with mainline now.
> 
> Stable 4.4 have already back port two patches, 
> f4a3313d(tcp: avoid collapses in tcp_prune_queue() if possible)
> 3d4bf93a(tcp: detect malicious patterns in tcp_collapse_ofo_queue())
> If we want to change simple queue to RB tree to finally resolve, we should apply previous 
> patch 9f5afeae(tcp: use an RB tree for ooo receive queue.) firstly, but 9f5afeae have many 
> conflicts with 3d4bf93a and f4a3313d, which are part of patch series from Eric in 
> mainline to fix CVE-2018-5390, so I need revert part of patches in stable 4.4 firstly, 
> then apply 9f5afeae, and reapply five patches from Eric.
> 
> V1->V2:
> 1) Don't revert 3d4bf93a and f4a3313d firstly, all of 6 patches based on 4.4.155. 
> 2) Add one bug fix patch for RB tree:76f0dcbb5ae1a7c3dbeec13dd98233b8e6b0b32a tcp: fix a stale ooo_last_skb
> 
> Eric Dumazet (5):
>   tcp: increment sk_drops for dropped rx packets
>   tcp: fix a stale ooo_last_skb after a replace
>   tcp: free batches of packets in tcp_prune_ofo_queue()
>   tcp: call tcp_drop() from tcp_data_queue_ofo()
>   tcp: add tcp_ooo_try_coalesce() helper
> 
> Yaogong Wang (1):
>   tcp: use an RB tree for ooo receive queue
> 
>  include/linux/skbuff.h   |   8 +
>  include/linux/tcp.h      |   7 +-
>  include/net/sock.h       |   7 +
>  include/net/tcp.h        |   2 +-
>  net/core/skbuff.c        |  19 +++
>  net/ipv4/tcp.c           |   4 +-
>  net/ipv4/tcp_input.c     | 417 +++++++++++++++++++++++++++++------------------
>  net/ipv4/tcp_ipv4.c      |   3 +-
>  net/ipv4/tcp_minisocks.c |   1 -
>  net/ipv6/tcp_ipv6.c      |   1 +
>  10 files changed, 297 insertions(+), 172 deletions(-)
> 

Powered by blists - more mailing lists