oss-sec mailing list archives

Remote DoS in Linux sfc driver through TCP MSS option (CVE-2012-3412)


From: Ben Hutchings <bhutchings () solarflare com>
Date: Fri, 3 Aug 2012 17:07:02 +0100

Issue
-----

On Linux, a peer (or local user) may cause TCP to use a nominal MSS of
as little as 88 (actual MSS of 76 with timestamps).  Given that we have
a sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once.  This
results in a single skb that expands to 861 segments.

In the sfc driver, such an skb will require hundreds of DMA descriptors;
a substantial fraction of a TX ring or even more than a full ring.  The
TX queue selected for the skb may stall and trigger the TX watchdog
repeatedly (since the problem skb will be retried after the TX reset).

Fix
---

This issue is fixed in David Miller's net.git repository by the
following commits:

30b678d net: Allow driver to limit number of GSO segments per skb
7e6d06f sfc: Fix maximum number of TSO segments and minimum TX queue size
1485348 tcp: Apply device TSO segment limit earlier

The out-of-tree sfc driver, available from
<https://support.solarflare.com>, was fixed in a different way (not
dependent on kernel changes) in version 3.2.1.6099.

The OpenOnload package, available from
<http://www.openonload.org/download.html>, was updated to include the
fixed sfc driver in version 201205-u1.

The fixed sfc driver will be included in a new EnterpriseOnload release
shortly.

Mitigation
----------

If all processes that may send on the sfc interface use Onload, or do
not use TCP, the vulnerability does not exist.

The vulnerability can otherwise be avoided by making a temporary
configuration change.  For an sfc interface named eth0, either:

a. Increase the TX queue size:
       ethtool -G eth0 tx 4096
   This can increase TX latency and memory usage.

or:

b. Disable TSO:
       ethtool -K eth0 tso off
   This can reduce TX throughput and/or increase CPU usage.

-- 
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.

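As an added worked example (it is not part of the post above, nor code from the sfc driver or the kernel), the following C program models the arithmetic behind the Issue section: how an effective MSS of 76 turns a single ~64K skb into 861 TSO segments, why such an skb cannot fit a TX ring that has fewer free entries than segments, and the approach of the net.git fix (commits 30b678d and 1485348) of letting the device announce a per-skb segment limit that TCP applies before the skb reaches the driver. The per-device limit of 100 segments, the skb length of 65436 bytes, and the ring sizes other than the 4096 from the mitigation are assumptions chosen for illustration; the post does not state them.

```c
/*
 * Added example: user-space model of TSO segment counting and of a
 * per-device GSO segment cap.  Constants marked ASSUMED are not taken
 * from the advisory; they are illustrative.
 */
#include <stdio.h>

#define TCP_MSS_MIN_NOMINAL   88   /* advisory: a peer can drive the nominal MSS down to 88 */
#define TCP_TIMESTAMP_OPT_LEN 12   /* TCP timestamp option (10 bytes) padded to 12 */
#define ASSUMED_GSO_MAX_SEGS  100  /* ASSUMED: per-device limit on segments per skb */
#define ASSUMED_SKB_LEN       65436 /* ASSUMED: "just under 64K"; 861 * 76 */

/* Effective MSS once TCP options are subtracted from the nominal value. */
static unsigned int effective_mss(unsigned int nominal_mss, int timestamps)
{
    unsigned int opts = timestamps ? TCP_TIMESTAMP_OPT_LEN : 0;
    return nominal_mss > opts ? nominal_mss - opts : nominal_mss;
}

/* Number of TSO segments a payload of 'len' bytes yields at MSS 'mss'. */
static unsigned int tso_segments(unsigned int len, unsigned int mss)
{
    if (mss == 0)
        return 0;
    return (len + mss - 1) / mss;          /* ceil(len / mss) */
}

/*
 * Necessary (not sufficient) condition for the skb to fit a TX ring:
 * every segment needs at least one DMA descriptor, so more segments
 * than ring entries can never complete, which is the stall the
 * advisory describes.  Real drivers need several descriptors per
 * segment, so a ring that passes this check may still be too small.
 */
static int may_fit_tx_ring(unsigned int segments, unsigned int ring_entries)
{
    return segments <= ring_entries;
}

/*
 * The fix's approach, modelled: TCP caps the skb at a whole number of
 * segments not exceeding the device's gso_max_segs, so the driver never
 * sees an skb it cannot place on the ring.
 */
static unsigned int cap_skb_len(unsigned int want_len, unsigned int mss,
                                unsigned int gso_max_segs)
{
    unsigned int segs = tso_segments(want_len, mss);
    if (segs > gso_max_segs)
        segs = gso_max_segs;
    return segs * mss;
}

int main(void)
{
    unsigned int mss = effective_mss(TCP_MSS_MIN_NOMINAL, 1);   /* 76 */
    unsigned int segs = tso_segments(ASSUMED_SKB_LEN, mss);       /* 861 */
    unsigned int rings[] = { 512, 1024, 4096 };                   /* ASSUMED sizes except 4096 */
    unsigned int capped, i;

    printf("effective MSS %u -> %u-byte skb = %u segments\n",
           mss, ASSUMED_SKB_LEN, segs);
    for (i = 0; i < sizeof rings / sizeof rings[0]; i++)
        printf("  TX ring of %4u entries: %s\n", rings[i],
               may_fit_tx_ring(segs, rings[i]) ? "may fit" : "cannot fit");

    capped = cap_skb_len(ASSUMED_SKB_LEN, mss, ASSUMED_GSO_MAX_SEGS);
    printf("with gso_max_segs=%u TCP sends %u bytes (%u segments) per skb\n",
           ASSUMED_GSO_MAX_SEGS, capped, tso_segments(capped, mss));
    return 0;
}
```

Note that `may_fit_tx_ring` is only a lower bound on descriptor demand; the mitigation of raising the ring to 4096 entries works for the sfc driver because of its actual descriptors-per-segment cost, which this model does not know. Disabling TSO (mitigation b) removes the problem entirely by making every skb a single segment.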