From owner-svn-doc-head@freebsd.org Mon Aug 6 20:44:35 2018
Message-Id: <201808062044.w76KiY4L010663@repo.freebsd.org>
From: Xin LI
Date: Mon, 6 Aug 2018 20:44:34 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r52082 - in head/share: security/advisories security/patches/SA-18:08 xml
X-SVN-Group: doc-head
X-SVN-Commit-Author: delphij
X-SVN-Commit-Paths: in head/share: security/advisories security/patches/SA-18:08 xml
X-SVN-Commit-Revision: 52082
X-SVN-Commit-Repository: doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Author: delphij
Date: Mon Aug 6 20:44:33 2018
New Revision: 52082
URL: https://svnweb.freebsd.org/changeset/doc/52082

Log:
  Add SA-18:08.tcp.

Added:
  head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc   (contents, props changed)
  head/share/security/patches/SA-18:08/
  head/share/security/patches/SA-18:08/tcp-10.patch   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-10.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-11.patch   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-11.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc	Mon Aug 6 20:44:33 2018	(r52082)
@@ -0,0 +1,168 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:08.tcp Security Advisory + The FreeBSD Project + +Topic: Resource exhaustion in TCP reassembly + +Category: core +Module: inet +Announced: 2018-08-06 +Credits: Juha-Matti Tilli from + Aalto University, Department of Communications and Networking + and Nokia Bell Labs +Affects: All supported versions of FreeBSD. +Corrected: 2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE) + 2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1) + 2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12) + 2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE) + 2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10) +CVE Name: CVE-2018-6922 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Transmission Control Protocol (TCP) of the TCP/IP protocol suite +provides a connection-oriented, reliable, sequence-preserving data +stream service. + +To transmit a stream of data, TCP breaks the data stream into segments +for transmission through the Internet, and reassembles the segments at +the receiving side to recreate the data stream. + +II. Problem Description + +One of the data structures that holds TCP segments uses an inefficient +algorithm to reassemble the data. This causes the CPU time spent on +segment processing to grow linearly with the number of segments in the +reassembly queue. + +III. Impact + +An attacker who has the ability to send TCP traffic to a victim system +can degrade the victim system's network performance and/or consume +excessive CPU by exploiting the inefficiency of TCP reassembly +handling, with relatively small bandwidth cost. + +IV. 
Workaround + +As a workaround, system administrators should configure their systems +to only accept TCP connections from trusted end-stations, if it is +possible to do so. + +For systems which must accept TCP connections from untrusted +end-stations, the workaround is to limit the size of each reassembly +queue. The capability to do that is added by the patches noted in the +"Solution" section below. + +V. Solution + +As a temporary solution to this problem, these patches limit the size +of each TCP connection's reassembly queue. The value is controlled by +a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum +number of TCP segments that can be outstanding on a session's +reassembly queue. This value defaults to 100. + +Note that setting this value too low could impact the throughput of +TCP connections which experience significant loss or +reordering. However, the higher this number is set, the more resources +can be consumed on TCP reassembly processing. + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc +# gpg --verify tcp-10.patch.asc + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc +# gpg --verify tcp-11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r337392 +releng/10.4/ r337389 +stable/11/ r337391 +releng/11.1/ r337388 +releng/11.2/ r337387 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltosd4ACgkQ05eS9J6n +5cKLRRAApitUTx46nToGtbCr/fzEZtYpjU0L/kMDwFw8ngfrb3MR4yht087t8JK1 +jZlbeKRQwYjN+ecLrO3QdWoM4LavQK/cYuWq2tCpJiwqXK15rDJGBJjlBiAsmupF +fGGSD2DcJ/Jz7zTKDkjybCh83QGGTt/HBZRYLc85ipJPHgPQQtnD/OLjFK34Lr45 +vEss9AAkBEe4ZWiSltrQYzqMYf8+sCz/OYP+NGluz4eUjuzKogqyLIAA29auqoNp +UY5tIUhf8dcB9oeARxWlvmxTKSLB5kevF5jsBzxB8Ap1xUfLFip02h6ApL0xuWz2 +ouX/gN8KBgmJoNIP+GbBY29sQCEY0GTIR9q/dO1ZB3CePJFQsvWjtNeBBjIK66On +xJSSrUXDPANfcePbnCN9JdsclSEJ0+EBYol3hSWVY8bX3OMcOZw1wRXXCwN0T3of +QQwbuP0ORt5OdsOObwaxDJEWLEma7N2swWF5YR0oQl0+ETvkIsqFilsTlY6qEB/L +WG9G1Y9uVn++AJs7HzI+vKVEhhwtJep+7ks28sH5J0LQiUGYfwRACYfVLgi6iXNV +YKPB4hUFd2d8QaYWdgU92YBJWrR8bqyDdetifMEG5tP+TFCeNCh6SMpRnL7Lzns+ +hkZiRHJeIT7tGu77xZknFI6ghDHOdemtZ/QiL0NsrM05spWkdIA= +=HNsD +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:08/tcp-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-10.patch Mon Aug 6 20:44:33 2018 (r52082) 
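Review bot: Section IV presents a patch-dependent change as a workaround. The per-queue limit it points to only exists once the patches from Section V are applied, so the only mitigation available to an unpatched host is the first one, restricting which end-stations may open TCP connections to it; suggest saying that plainly rather than listing the limit as a second workaround. Section V then gives the default of 100 but not how an operator inspects or changes the knob, or how to tell it is taking effect before lowering it on a production host. Suggest adding, after the sysctl paragraph, `# sysctl net.inet.tcp.reass.maxqueuelen`, `# sysctl net.inet.tcp.reass.maxqueuelen=50` and `# netstat -sp tcp`, and noting that the drop counters the patches increment (tcps_rcvmemdrop on 10.x, tcps_rcvreassfull on 11.x) surface in that netstat output. Two smaller points: Section II says per-segment processing time grows linearly with the queue length, and it would help readers of Section III to spell out that this makes the total cost of a queue of n out-of-order segments quadratic in n, which is why the attack is cheap in bandwidth; and Section V calls the limit "a temporary solution" without saying what the permanent one is or that a follow-up should be expected.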
@@ -0,0 +1,58 @@ +--- share/man/man4/tcp.4.orig ++++ share/man/man4/tcp.4 +@@ -436,6 +436,20 @@ + Reseeding should not be necessary, and will break + .Dv TIME_WAIT + recycling for a few minutes. ++.It Va reass.cursegments ++The current total number of segments present in all reassembly queues. ++.It Va reass.maxsegments ++The maximum limit on the total number of segments across all reassembly ++queues. ++The limit can be adjusted as a tunable. ++.It Va reass.maxqueuelen ++The maximum number of segments allowed in each reassembly queue. ++By default, the system chooses a limit based on each TCP connection's ++receive buffer size and maximum segment size (MSS). ++The actual limit applied to a session's reassembly queue will be the lower of ++the system-calculated automatic limit and the user-specified ++.Va reass.maxqueuelen ++limit. + .It Va rexmit_min , rexmit_slop + Adjust the retransmit timer calculation for + .Tn TCP . +--- sys/netinet/tcp_reass.c.orig ++++ sys/netinet/tcp_reass.c +@@ -96,6 +96,11 @@ + + static uma_zone_t tcp_reass_zone; + ++static u_int tcp_reass_maxqueuelen = 100; ++SYSCTL_UINT(_net_inet_tcp_reass, OID_AUTO, maxqueuelen, CTLFLAG_RWTUN, ++ &tcp_reass_maxqueuelen, 0, ++ "Maximum number of TCP Segments per Reassembly Queue"); ++ + /* Initialize TCP reassembly queue */ + static void + tcp_reass_zone_change(void *tag) +@@ -184,6 +189,10 @@ + * socket receive buffer determines our advertised window and grows + * automatically when socket buffer autotuning is enabled. Use it as the + * basis for our queue limit. ++ * ++ * However, allow the user to specify a ceiling for the number of ++ * segments in each queue. ++ * + * Always let the missing segment through which caused this queue. + * NB: Access to the socket buffer is left intentionally unlocked as we + * can tolerate stale information here. +@@ -194,7 +203,8 @@ + * is understood. 
+ */ + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && +- tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { ++ tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, ++ tcp_reass_maxqueuelen)) { + tcp_reass_overflows++; + TCPSTAT_INC(tcps_rcvmemdrop); + m_freem(m); Added: head/share/security/patches/SA-18:08/tcp-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-10.patch.asc Mon Aug 6 20:44:33 2018 (r52082) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltoscgACgkQ05eS9J6n +5cJuNg/+JNxnU+NrabjbLdTzRsZ7tFfN0VlS4JQqih7AscM5Fb5/WxLZAoZV7j1B ++emSDdXWD6EHgs9zYDhCuBgj4tqxiEnccsxuY2AJmE5esdq5igwkTGHlsAjmhJan +gxvqbkzlKvSG4CD/tm+haESfnh3pnlYKnGyiSTItDG+m5Cy4yBD/bfpJ+BkcihdL +nT1AakwnaY/i+fYQlZ+RbMmKwIJfuG+rnMFo0haPKA866PRseawSqzcNDYi0WWEH +BNetby5fcn9wjaIzI8ocMtqaK4ck5JCVAX9J9NlmFOFEPAJY2teFRpV9b8bv2yZ/ +y2ddLXo9/LT8jK+xMu7bCzcIJd35qJqgykdJ7Bi7xR3wwXjcgQEKThqNsa/gosUD +fapQcz9Pfb8zAUYjxk8FkGH3oloXcMUE3TT8mgwzx5QhA9QtOE/zNaq5sdB4Z40d ++tHN3dleEYDMCzpkgZfXtqEhJ9eB3gT4oam8v/nO9is8r33I1n32OFdzz5F6BT0+ +XY59fju8IbUwrfClSgEZh0pImrvhmuxy5Z2HuJrwFV8L2dLN4EveybWt0FZCVLH0 +R4Ob8qWwmXBC7IH9DfcE3B3NbrT57/4CfO6t3APiElFKmVwBOPi8/L15+bnBeu5n +nRddTuuAOtwTJRishobLGuBPQZsx3X4y6eOBKcG7HAJb/no5JxA= +=t1Cq +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:08/tcp-11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-11.patch Mon Aug 6 20:44:33 2018 (r52082) 
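Review bot: In the tcp_reass.c hunk the new over-limit drop is accounted to tcps_rcvmemdrop, the same counter already used for genuine memory-exhaustion drops, so a 10.4 operator looking at `netstat -sp tcp` cannot tell whether segments are being discarded because the maxqueuelen ceiling was hit or because of mbuf pressure; the 11.x version of this change increments a dedicated tcps_rcvreassfull counter at the same spot. The `tcp_reass_overflows++` on the preceding line is likewise shared between both causes. If adding a tcpstat field is out of scope for a security branch, suggest at least stating in the advisory's Solution section that on 10.x limit-induced drops appear under the memory-drop counter, so operators tuning the value know what to watch. One more thing to confirm in the condition itself: `min()` here compares the computed `(so->so_rcv.sb_hiwat / tp->t_maxseg) + 1` against the u_int sysctl, so the autotuned limit is still what applies on connections whose receive buffer is small; that matches the tcp.4 wording ("the lower of"), and it is worth a comment in the code that the sysctl is a ceiling, not a replacement.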
@@ -0,0 +1,58 @@ +--- share/man/man4/tcp.4.orig ++++ share/man/man4/tcp.4 +@@ -445,6 +445,20 @@ + Reseeding should not be necessary, and will break + .Dv TIME_WAIT + recycling for a few minutes. ++.It Va reass.cursegments ++The current total number of segments present in all reassembly queues. ++.It Va reass.maxsegments ++The maximum limit on the total number of segments across all reassembly ++queues. ++The limit can be adjusted as a tunable. ++.It Va reass.maxqueuelen ++The maximum number of segments allowed in each reassembly queue. ++By default, the system chooses a limit based on each TCP connection's ++receive buffer size and maximum segment size (MSS). ++The actual limit applied to a session's reassembly queue will be the lower of ++the system-calculated automatic limit and the user-specified ++.Va reass.maxqueuelen ++limit. + .It Va rexmit_min , rexmit_slop + Adjust the retransmit timer calculation for + .Tn TCP . +--- sys/netinet/tcp_reass.c.orig ++++ sys/netinet/tcp_reass.c +@@ -89,6 +89,11 @@ + &tcp_reass_zone, + "Global number of TCP Segments currently in Reassembly Queue"); + ++static u_int tcp_reass_maxqueuelen = 100; ++SYSCTL_UINT(_net_inet_tcp_reass, OID_AUTO, maxqueuelen, CTLFLAG_RWTUN, ++ &tcp_reass_maxqueuelen, 0, ++ "Maximum number of TCP Segments per Reassembly Queue"); ++ + /* Initialize TCP reassembly queue */ + static void + tcp_reass_zone_change(void *tag) +@@ -168,6 +173,10 @@ + * socket receive buffer determines our advertised window and grows + * automatically when socket buffer autotuning is enabled. Use it as the + * basis for our queue limit. ++ * ++ * However, allow the user to specify a ceiling for the number of ++ * segments in each queue. ++ * + * Always let the missing segment through which caused this queue. + * NB: Access to the socket buffer is left intentionally unlocked as we + * can tolerate stale information here. +@@ -178,7 +187,8 @@ + * is understood. 
+ */ + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && +- tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { ++ tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, ++ tcp_reass_maxqueuelen)) { + TCPSTAT_INC(tcps_rcvreassfull); + *tlenp = 0; + if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) { Added: head/share/security/patches/SA-18:08/tcp-11.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-11.patch.asc Mon Aug 6 20:44:33 2018 (r52082) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltosdMACgkQ05eS9J6n +5cJHEBAAkJVtQ+WaIfr7rYpBIBY04ZMEClsVQ8RDJWVAsiQpG7KzqoPAblUWwJU1 +k1lMkZ+vRnt6tfgvdaud16TT+73Tum/Tdgra04gRLEbw3TAkus00RjEseWU5tHEn +GxSgGNTlUkCfNLEA0GYtkpfoIwhdG06/Gm/9MBxmhexZWwo1WpzVgoDCvJy0lStS +Jw/uHM3gm7you1Ei3d/XV0Y8Xoanaz23DHqKbkeFIwc0KqGFzvN9+eo6Ff/NBgqP +XC5y3J/SCNsBnFCbmzeN373IK0N5C1X27Pb9rW3eDkQ+X3+jQXoezeKuisJP59Q7 +FgfXa3bTtH5ac98ZR7QrPOq2TW/cQBS71zt4AaEIrogMOiFTcy9sdjjy5IUhfKdk +t6VhAJpq4t7tE66iYMr9wl9XdWxfMIkqrV7ejDWYErhPUIzXPR0vbJ4HM8FswnoG +LkOYJjmn4ZtTIJopjZH0qYdx0IfZsGIcqvCkEMfc2xIHqa2JDn11dGsYwzDxh51R +aoSHXiG8TqbyaAUIlcWyDizlxfppr0UugubbriTnbkuHGRgSJ/IMLArkU7LaUJB7 +122q1fvY0uEW404MbncGN+PMYayjRKVdM2gW1BKIQhAnq6y8ll8+7ExkqFsTSzoO +ad5fFUg9E8JIWDFj8R2CS3RKAQ9NtzOic8iuQQp4lijp1NjoIZE= +=RTv1 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Mon Aug 6 15:54:55 2018 (r52081) +++ head/share/xml/advisories.xml Mon Aug 6 20:44:33 2018 (r52082) @@ -8,6 +8,19 @@ 2018 + 8 + + + 6 + + + FreeBSD-SA-18:08.tcp + + + + + + 6
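Review bot: The tcp.4 hunk (identical in tcp-10.patch) documents reass.maxqueuelen without its default or the fact that it is also a boot-time tunable, both of which are visible in the tcp_reass.c hunk: `static u_int tcp_reass_maxqueuelen = 100;` and `CTLFLAG_RWTUN`. Suggest appending to the entry, after the `limit.` line, something like "The default is 100. The value may also be set as a loader tunable." so an operator reading the manual page can size it in /boot/loader.conf or /etc/sysctl.conf without consulting the source. As written, the neighbouring reass.maxsegments entry says it "can be adjusted as a tunable" while the new entry says nothing, which invites the reading that maxqueuelen is runtime-only. Separately, in the tcp_reass.c hunk the drop path continues into the `tcp_log_addrs()` call visible in the trailing context, so every over-limit segment can produce a log line; worth confirming that this is gated by net.inet.tcp.log_debug and rate-limited, so that capping the reassembly queue does not hand an attacker a log-flood instead.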