From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-47678: icmp: change the order of rate limits

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

icmp: change the order of rate limits

ICMP messages are ratelimited:

After the blamed commits, the two rate limiters are applied in this order:

1) host wide ratelimit (icmp_global_allow())

2) Per destination ratelimit (inetpeer based)

In order to avoid side-channel attacks, we need to apply
the per destination check first.

This patch makes the following change:

1) icmp_global_allow() checks if the host wide limit is reached.
   But credits are not yet consumed. This is deferred to 3)

2) The per destination limit is checked/updated.
   This might add a new node in inetpeer tree.

3) icmp_global_consume() consumes tokens if prior operations succeeded.

This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.

As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.

The Linux kernel CVE team has assigned CVE-2024-47678 to this issue.
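The two orderings the commit message describes, modelled as an added example. This is user-space C written for this page, not the kernel's implementation: both limiters are plain token buckets with illustrative budgets (1000 tokens per tick host wide, 1 token per tick per destination, chosen for the demonstration rather than read from the icmp sysctls), a flat array stands in for the inetpeer tree, and the names bucket_allow, peer_lookup, icmp_allow_old, icmp_allow_new and run are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical token bucket standing in for either ICMP limiter. */
struct bucket {
    int64_t credit, max, rate, last; /* tokens, burst size, tokens per tick, last tick */
};

/* Refill, then report whether a token is available; take it only if 'consume'
 * is set. The check-only form plays icmp_global_allow() after the fix, the
 * consuming form plays icmp_global_consume() and the per destination check. */
static bool bucket_allow(struct bucket *b, int64_t now, bool consume)
{
    if (now > b->last) {
        b->credit += (now - b->last) * b->rate;
        if (b->credit > b->max)
            b->credit = b->max;
        b->last = now;
    }
    if (b->credit <= 0)
        return false;
    if (consume)
        b->credit--;
    return true;
}

#define MAX_PEERS 2048

/* A flat table stands in for the inetpeer tree. Illustrative budgets:
 * 1000 tokens per tick host wide, 1 token per tick per destination. */
struct sim {
    struct bucket global, peer[MAX_PEERS];
    bool peer_present[MAX_PEERS];
    int peers_created;
};
#define SIM_INIT { .global = { 1000, 1000, 1000, 0 } }

/* Per destination bucket, allocated on first use: the node the host wide
 * check is meant to stop from being created under flood. */
static struct bucket *peer_lookup(struct sim *s, int dst, int64_t now)
{
    struct bucket *p = &s->peer[dst];
    if (!s->peer_present[dst]) {
        s->peer_present[dst] = true;
        s->peers_created++;
        *p = (struct bucket){ 1, 1, 1, now };
    }
    return p;
}

/* Before the fix: the host wide bucket is charged first, so a packet the
 * per destination limiter then drops still drains the shared budget. */
static bool icmp_allow_old(struct sim *s, int dst, int64_t now)
{
    if (!bucket_allow(&s->global, now, true))
        return false;
    return bucket_allow(peer_lookup(s, dst, now), now, true);
}

/* After the fix: 1) host wide check without consuming, 2) per destination
 * check/update, 3) host wide consume only if the message is really sent. */
static bool icmp_allow_new(struct sim *s, int dst, int64_t now)
{
    if (!bucket_allow(&s->global, now, false))
        return false;
    if (!bucket_allow(peer_lookup(s, dst, now), now, true))
        return false;
    return bucket_allow(&s->global, now, true);
}

struct result { int sent_burst, sent_probe, peers_created; };

/* Constructed scenario, all within one tick: n triggering packets whose ICMP
 * errors would go to one destination (spread == false) or to n distinct ones
 * (spread == true), then one probe whose error would go to a fresh destination.
 * Counts the errors actually emitted and the peer nodes created. */
static struct result run(bool fixed_order, bool spread, int n)
{
    struct sim s = SIM_INIT;
    struct result r = { 0, 0, 0 };
    bool (*allow)(struct sim *, int, int64_t) = fixed_order ? icmp_allow_new : icmp_allow_old;

    for (int i = 0; i < n && i < MAX_PEERS - 1; i++)
        r.sent_burst += allow(&s, spread ? i : 0, 0);
    r.sent_probe = allow(&s, MAX_PEERS - 1, 0);
    r.peers_created = s.peers_created;
    return r;
}

int main(void)
{
    struct result old = run(false, false, 1000), fixed = run(true, false, 1000);
    printf("old order:   burst %d, probe %d\n", old.sent_burst, old.sent_probe);
    printf("fixed order: burst %d, probe %d, scan of 2000 creates %d peers\n",
           fixed.sent_burst, fixed.sent_probe, run(true, true, 2000).peers_created);
    return 0;
}
```

With the old order, a burst of 1000 triggering packets whose errors are all bound for one destination emits a single ICMP message yet empties the host wide budget, so a probe whose error is bound for a different destination gets no reply at all: the shared counter has been drained by messages that were never sent, which is the host wide state the commit message wants to stop leaking. With the fixed order only the message actually sent is charged, the probe is answered, and because step 1 still rejects before the peer lookup, a spray across 2000 destinations creates only 1000 peer nodes under either ordering.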


Affected and fixed versions
===========================

Issue introduced in 3.18 with commit 4cdf507d54525842dfd9f6313fdafba039084046 and fixed in 6.1.113 with commit 997ba8889611891f91e8ad83583466aeab6239a3
Issue introduced in 3.18 with commit 4cdf507d54525842dfd9f6313fdafba039084046 and fixed in 6.6.54 with commit 662ec52260cc07b9ae53ecd3925183c29d34288b
Issue introduced in 3.18 with commit 4cdf507d54525842dfd9f6313fdafba039084046 and fixed in 6.10.13 with commit a7722921adb046e3836eb84372241f32584bdb07
Issue introduced in 3.18 with commit 4cdf507d54525842dfd9f6313fdafba039084046 and fixed in 6.11.2 with commit 483397b4ba280813e4a9c161a0a85172ddb43d19
Issue introduced in 3.18 with commit 4cdf507d54525842dfd9f6313fdafba039084046 and fixed in 6.12 with commit 8c2bd38b95f75f3d2a08c93e35303e26d480d24e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-47678
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
include/net/ip.h
net/ipv4/icmp.c
net/ipv6/icmp.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3
https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b
https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07
https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19
https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e