oss-sec mailing list archives
Remote DoS in Linux sfc driver through TCP MSS option (CVE-2012-3412)
From: Ben Hutchings <bhutchings () solarflare com>
Date: Fri, 3 Aug 2012 17:07:02 +0100
Issue ----- On Linux, a peer (or local user) may cause TCP to use a nominal MSS of as little as 88 (actual MSS of 76 with timestamps). Given that we have a sufficiently prodigious local sender and the peer ACKs quickly enough, it is nevertheless possible to grow the window for such a connection to the point that we will try to send just under 64K at once. This results in a single skb that expands to 861 segments. In the sfc driver, such an skb will require hundreds of DMA descriptors; a substantial fraction of a TX ring or even more than a full ring. The TX queue selected for the skb may stall and trigger the TX watchdog repeatedly (since the problem skb will be retried after the TX reset). Fix --- This issue is fixed in David Miller's net.git repository by the following commits: 30b678d net: Allow driver to limit number of GSO segments per skb 7e6d06f sfc: Fix maximum number of TSO segments and minimum TX queue size 1485348 tcp: Apply device TSO segment limit earlier The out-of-tree sfc driver, available from <https://support.solarflare.com>, was fixed in a different way (not dependent on kernel changes) in version 3.2.1.6099. The OpenOnload package, available from <http://www.openonload.org/download.html>, was updated to include the fixed sfc driver in version 201205-u1. The fixed sfc driver will be included in a new EnterpriseOnload release shortly. Mitigation ---------- If all processes that may send on the sfc interface use Onload, or do not use TCP, the vulnerability does not exist. The vulnerability can otherwise be avoided by making a temporary configuration change. For an sfc interface named eth0, either: a. Increase the TX queue size: ethtool -G eth0 tx 4096 This can increase TX latency and memory usage. or: b. Disable TSO: ethtool -K eth0 tso off This can reduce TX throughput and/or increase CPU usage. -- Ben Hutchings, Staff Engineer, Solarflare Not speaking for my employer; that's the marketing department's job. They asked us to note that Solarflare product names are trademarked.
Current thread:
- Remote DoS in Linux sfc driver through TCP MSS option (CVE-2012-3412) Ben Hutchings (Aug 03)