lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAL+tcoDW=VELoJoU6GOLQQNScdC+8+1s0aK4_YkiLog9eOcuFA@mail.gmail.com>
Date: Thu, 7 Nov 2024 13:23:50 +0800
From: Jason Xing <kerneljasonxing@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, 
	horms@...nel.org, kernelxing@...cent.com, kuba@...nel.org, 
	netdev@...r.kernel.org, pabeni@...hat.com
Subject: Re: [PATCH net-next] tcp: avoid RST in 3-way shakehands due to
 failure in tcp_timewait_state_process

On Thu, Nov 7, 2024 at 12:15 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> From: Jason Xing <kerneljasonxing@...il.com>
> Date: Thu, 7 Nov 2024 11:16:04 +0800
> > > Here is how things happen in production:
> > > Time        Client(A)        Server(B)
> > > 0s          SYN-->
> > > ...
> > > 132s                         <-- FIN
> > > ...
> > > 169s        FIN-->
> > > 169s                         <-- ACK
> > > 169s        SYN-->
> > > 169s                         <-- ACK
> >
> > I noticed the above ACK doesn't adhere to RFC 6191. It says:
> > "If the previous incarnation of the connection used Timestamps, then:
> >      if ...
> >      ...
> >      * Otherwise, silently drop the incoming SYN segment, thus leaving
> >          the previous incarnation of the connection in the TIME-WAIT
> >          state.
> > "
> > But the timewait socket sends an ACK because of this code snippet:
> > tcp_timewait_state_process()
> >     -> // the checks of SYN packet failed.
> >     -> if (!th->rst) {
> >         -> return TCP_TW_ACK; // this line can be traced back to 2005
>
> This is a challenge ACK following RFC 5961.

Please note the idea of challenge ack was proposed in 2010. But this
code snippet has already existed before 2005. If it is a challenge
ack, then at least we need to count it (by using NET_INC_STATS(net,
LINUX_MIB_TCPCHALLENGEACK);).

>
> If SYN is returned here, the client may lose the chance to RST the
> previous connection in TIME_WAIT.
>
> https://www.rfc-editor.org/rfc/rfc9293.html#section-3.10.7.4-2.4.1
> ---8<---
>       -  TIME-WAIT STATE
>
>          o  If the SYN bit is set in these synchronized states, it may
>             be either a legitimate new connection attempt (e.g., in the
>             case of TIME-WAIT), an error where the connection should be
>             reset, or the result of an attack attempt, as described in
>             RFC 5961 [9].  For the TIME-WAIT state, new connections can
>             be accepted if the Timestamp Option is used and meets
>             expectations (per [40]).  For all other cases, RFC 5961
>             provides a mitigation with applicability to some situations,
>             though there are also alternatives that offer cryptographic
>             protection (see Section 7).  RFC 5961 recommends that in
>             these synchronized states, if the SYN bit is set,
>             irrespective of the sequence number, TCP endpoints MUST send
>             a "challenge ACK" to the remote peer:
>
>             <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
> ---8<---
>
> https://datatracker.ietf.org/doc/html/rfc5961#section-4
> ---8<---
>    1) If the SYN bit is set, irrespective of the sequence number, TCP
>       MUST send an ACK (also referred to as challenge ACK) to the remote
>       peer:
>
>       <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
>
>       After sending the acknowledgment, TCP MUST drop the unacceptable
>       segment and stop processing further.
> ---8<---

The RFC 5961 4.2 was implemented in tcp_validate_incoming():
        /* step 4: Check for a SYN
         * RFC 5961 4.2 : Send a challenge ack
         */
        if (th->syn) {
                if (sk->sk_state == TCP_SYN_RECV && sk->sk_socket && th->ack &&
                    TCP_SKB_CB(skb)->seq + 1 == TCP_SKB_CB(skb)->end_seq &&
                    TCP_SKB_CB(skb)->seq + 1 == tp->rcv_nxt &&
                    TCP_SKB_CB(skb)->ack_seq == tp->snd_nxt)
                        goto pass;
syn_challenge:
                if (syn_inerr)
                        TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
                NET_INC_STATS(sock_net(sk),
LINUX_MIB_TCPSYNCHALLENGE);
                tcp_send_challenge_ack(sk);
                SKB_DR_SET(reason, TCP_INVALID_SYN);
                goto discard;
        }

Also, this quotation you mentioned obviously doesn't match the kernel
implementation:
"If the SYN bit is set, irrespective of the sequence number, TCP MUST
send an ACK"
The tcp_timewait_state_process() does care about the seq number, or
else timewait socket would refuse every SYN packet.

Thanks,
Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ