Message-ID: <9ef0c93114814352877825321e9e2826@AcuMS.aculab.com>
Date: Mon, 29 May 2023 13:32:02 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Jeffrey E Altman' <jaltman@...istor.com>, Kenny Ho <y2kenny@...il.com>
CC: Andrew Lunn <andrew@...n.ch>, Marc Dionne <marc.dionne@...istor.com>,
Kenny Ho <Kenny.Ho@....com>, David Howells <dhowells@...hat.com>, "David S.
Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, "Jakub
Kicinski" <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
"linux-afs@...ts.infradead.org" <linux-afs@...ts.infradead.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] Remove hardcoded static string length
From: Jeffrey E Altman
> Sent: 27 May 2023 16:09
>
> On 5/25/2023 11:37 AM, Kenny Ho wrote:
> > On Thu, May 25, 2023 at 11:04 AM David Laight <David.Laight@...lab.com> wrote:
> >>> "The standard formulation seems to be: <project> <version> built
> >>> <yyyy>-<mm>-<dd>"
> >> Which I don't recall the string actually matching?
> >> Also the people who like reproducible builds don't like __DATE__.
> > That's correct, it was not matching even when it was introduced. I am
> > simply taking that as people caring about the content and not simply
> > making rxrpc_version_string == UTS_RELEASE. The current format is:
> >
> > "linux-" UTS_RELEASE " AF_RXRPC"
> >
> > Kenny
>
> The RX_PACKET_TYPE_VERSION query is issued by the "rxdebug <host> <port>
> -version" command which prints the received string to stdout. It has
> also been used by some implementations to record the version of the peer.
> Although it is required that a response to the RX_PACKET_TYPE_VERSION
> query be issued, there is no requirement that the returned string
> contain anything beyond a single NUL octet.
Does that mean that the zero-padding/truncation to 65 bytes is bogus?
Additionally, is the response supposed to be '\0' terminated?
The existing code doesn't guarantee that at all.
> Although it is convenient to be able to remotely identify the version of
> an Rx implementation, there are good reasons why this information should
> not be exposed to an anonymous requester:
>
> 1. Linux AF_RXRPC is part of the kernel. As such, returning
> UTS_RELEASE identifies to potential attackers the explicit kernel
> version, architecture and perhaps distro. As this query can be
> issued anonymously, this provides an information disclosure that can
> be used to target known vulnerabilities in the kernel.
I guess it could even be used as a probe to find more/interesting
systems to attack once inside the firewall.
> 2. The RX_PACKET_TYPE_VERSION reply is larger than the query by the
> number of octets in the version data. As the query is received via
> udp with no reachability test, it means that the
> RX_PACKET_TYPE_VERSION query/response can be used to perform a 3.3x
> amplification attack: 28 octets in and potentially 93 octets out.
>
> With my security hat on I would suggest that either AF_RXRPC return a
> single NUL octet or the c-string "AF_RXRPC" and nothing more.
Is there any point including "AF_RXRPC"?
It is almost certainly implied by the message format.
Or the exact text from the standard - which might be:
"version string - to be supplied by O.E.M."
(I've seen hardware versions with strings like the above that
exactly match the datasheet....)
Limiting the version to (eg) 6.2 would give a hint to the
capabilities/bugs without giving away all the relative addresses
in something like a RHEL kernel.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
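The two numbers the thread argues over (a 28-octet query, a 93-octet reply when the 65-octet zero-padded version field is sent, hence roughly 3.3x amplification) and the question of whether the padded field is actually NUL-terminated are easy to model. The program below is an added example, not kernel code or anything from the patch: it treats the Rx header as an opaque 28-octet blob (the figure quoted in the thread), builds the version payload under the three policies discussed (the current 65-octet padded field, a single NUL octet, an exact C string such as "AF_RXRPC") and reports reply size, amplification factor and whether a terminator is present. The policy names, function names and the sample release strings are assumptions made for illustration.

```c
/* Added example, not AF_RXRPC code: model the RX_PACKET_TYPE_VERSION reply
 * size and NUL-termination under the version-string policies discussed.
 * RX_HEADER_LEN (28) and VERSION_FIELD (65) are the figures from the thread;
 * policy names and sample strings are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RX_HEADER_LEN  28   /* size of the query packet, as quoted */
#define VERSION_FIELD  65   /* fixed, zero-padded field in the current code */

enum version_policy {
    POLICY_PADDED_FIELD,   /* current behaviour: always send 65 octets */
    POLICY_SINGLE_NUL,     /* reply with a single NUL octet */
    POLICY_EXACT_STRING,   /* send the C string plus its terminator, no padding */
};

/* Constructed samples (not real UTS_RELEASE values). The second is longer
 * than the 65-octet field to show the missing-terminator case. */
const char SAMPLE_VERSION[] = "linux-6.4.0-rc3 AF_RXRPC";
const char SAMPLE_LONG_VERSION[] =
    "linux-6.4.0-rc3-01234567890123456789012345678901234567890123456789 AF_RXRPC";

/* Fill buf[VERSION_FIELD] with the reply payload; return the payload length. */
size_t build_version_payload(enum version_policy p, const char *version,
                             unsigned char buf[VERSION_FIELD])
{
    size_t n = strlen(version);

    memset(buf, 0, VERSION_FIELD);
    switch (p) {
    case POLICY_PADDED_FIELD:
        /* Copy at most 65 chars: a string of 65 or more leaves no NUL. */
        if (n > VERSION_FIELD)
            n = VERSION_FIELD;
        memcpy(buf, version, n);
        return VERSION_FIELD;
    case POLICY_SINGLE_NUL:
        return 1;
    case POLICY_EXACT_STRING:
        /* Truncate to fit the field but always keep a terminator. */
        if (n > VERSION_FIELD - 1)
            n = VERSION_FIELD - 1;
        memcpy(buf, version, n);
        buf[n] = '\0';
        return n + 1;
    }
    return 0;
}

/* Total reply size on the wire: header plus payload. */
size_t version_reply_len(enum version_policy p, const char *version)
{
    unsigned char buf[VERSION_FIELD];
    return RX_HEADER_LEN + build_version_payload(p, version, buf);
}

/* 1 if a NUL octet occurs somewhere within the payload, else 0. */
int payload_is_terminated(enum version_policy p, const char *version)
{
    unsigned char buf[VERSION_FIELD];
    size_t len = build_version_payload(p, version, buf);
    return memchr(buf, '\0', len) != NULL;
}

/* Reply octets per query octet. */
double amplification(enum version_policy p, const char *version)
{
    return (double)version_reply_len(p, version) / RX_HEADER_LEN;
}

static void report(const char *label, enum version_policy p, const char *v)
{
    printf("%-28s reply=%3zu octets  amp=%.2fx  terminated=%s\n", label,
           version_reply_len(p, v), amplification(p, v),
           payload_is_terminated(p, v) ? "yes" : "no");
}

int main(void)
{
    report("padded field, short string", POLICY_PADDED_FIELD, SAMPLE_VERSION);
    report("padded field, long string", POLICY_PADDED_FIELD, SAMPLE_LONG_VERSION);
    report("single NUL", POLICY_SINGLE_NUL, SAMPLE_VERSION);
    report("exact \"AF_RXRPC\"", POLICY_EXACT_STRING, "AF_RXRPC");
    return 0;
}
```

The padded policy always costs 65 payload octets regardless of the string, which is where 28 in / 93 out comes from; a single NUL brings the reply to 29 octets (about 1.04x), and an exact "AF_RXRPC" to 37. The long-string case also shows the point raised above: once the release string reaches 65 characters the padded field carries no terminator at all.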