android_kernel_motorola_sm6225/net/ipv4
Eric Dumazet 4818f18704 ipv6: tcp: drop silly ICMPv6 packet too big messages
commit c7bb4b89033b764eb07db4e060548a6311d801ee upstream.

While TCP stack scales reasonably well, there is still one part that
can be used to DDOS it.

IPv6 Packet too big messages have to lookup/insert a new route,
and if abused by attackers, can easily put hosts under high stress,
with many cpus contending on a spinlock while one is stuck in fib6_run_gc()

ip6_protocol_deliver_rcu()
 icmpv6_rcv()
  icmpv6_notify()
   tcp_v6_err()
    tcp_v6_mtu_reduced()
     inet6_csk_update_pmtu()
      ip6_rt_update_pmtu()
       __ip6_rt_update_pmtu()
        ip6_rt_cache_alloc()
         ip6_dst_alloc()
          dst_alloc()
           ip6_dst_gc()
            fib6_run_gc()
             spin_lock_bh() ...

Some of our servers have been hit by malicious ICMPv6 packets
trying to _increase_ the MTU/MSS of TCP flows.

We believe these ICMPv6 packets are a result of a bug in one ISP stack,
since they were blindly sent back for _every_ (small) packet sent to them.

These packets are for one TCP flow:
09:24:36.266491 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.266509 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316688 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316704 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.608151 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240

TCP stack can filter some silly requests :

1) MTU below IPV6_MIN_MTU can be filtered early in tcp_v6_err()
2) tcp_v6_mtu_reduced() can drop requests trying to increase current MSS.

These tests happen before the IPv6 routing stack is entered, thus
removing the potential contention and route exhaustion.

Note that IPv6 stack was performing these checks, but too late
(ie : after the route has been added, and after the potential
garbage collect war)

v2: fix typo caught by Martin, thanks !
v3: exports tcp_mtu_to_mss(), caught by David, thanks !

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-28 11:13:45 +02:00
bpfilter bpfilter: remove trailing newline 2018-07-24 14:10:42 -07:00
netfilter netfilter: x_tables: fix compat match/target pad out-of-bound write 2021-04-16 11:49:31 +02:00
af_inet.c net: don't clear sock->sk early to avoid trouble in strparser 2020-01-27 14:50:52 +01:00
ah4.c
arp.c
cipso_ipv4.c net: ipv4: fix memory leak in netlbl_cipsov4_add_std 2021-06-30 08:48:15 -04:00
datagram.c inet: stop leaking jiffies on the wire 2019-11-10 11:27:37 +01:00
devinet.c devinet: fix memleak in inetdev_init() 2020-06-10 21:34:58 +02:00
esp4.c esp: avoid unneeded kmap_atomic call 2021-01-23 15:49:55 +01:00
esp4_offload.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2018-07-27 09:33:37 -07:00
fib_frontend.c net/ipv4: swap flow ports when validating source 2021-07-20 16:15:51 +02:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c net: Fix the arp error in some cases 2020-06-30 23:17:06 -04:00
fib_trie.c ipv4: Silence suspicious RCU usage warning 2020-08-11 15:32:34 +02:00
fou.c net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv 2019-04-27 09:36:31 +02:00
gre_demux.c erspan: fix version 1 check in gre_parse_header() 2021-01-12 20:10:19 +01:00
gre_offload.c net: gre: recompute gre csum for sctp over gre tunnels 2020-08-11 15:32:34 +02:00
icmp.c icmp: don't send out ICMP messages with a source address of 0.0.0.0 2021-06-30 08:48:21 -04:00
igmp.c net: ipv4: fix memory leak in ip_mc_add1_src 2021-06-30 08:48:20 -04:00
inet_connection_sock.c tcp: relookup sock for RST+ACK packets handled by obsolete req sock 2021-04-07 12:48:47 +02:00
inet_diag.c inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() 2020-11-24 13:27:16 +01:00
inet_fragment.c net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:36:33 +02:00
inet_hashtables.c net: initialize fastreuse on inet_inherit_port 2020-08-19 08:15:04 +02:00
inet_timewait_sock.c
inetpeer.c inetpeer: fix data-race in inet_putpeer / inet_putpeer 2020-01-04 19:13:29 +01:00
ip_forward.c net: clear skb->tstamp in forwarding paths 2019-01-09 17:38:31 +01:00
ip_fragment.c net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:36:33 +02:00
ip_gre.c ip_gre: set dev->hard_header_len and dev->needed_headroom properly 2020-10-30 10:38:28 +01:00
ip_input.c vrf: check accept_source_route on the original netdevice 2019-04-17 08:38:42 +02:00
ip_options.c vrf: check accept_source_route on the original netdevice 2019-04-17 08:38:42 +02:00
ip_output.c net: ip: avoid OOM kills with large UDP sends over loopback 2021-07-20 16:16:02 +02:00
ip_sockglue.c net: bpfilter: fix iptables failure if bpfilter_umh is disabled 2019-12-01 09:17:18 +01:00
ip_tunnel.c net: ip_tunnel: fix mtu calculation 2021-02-10 09:21:09 +01:00
ip_tunnel_core.c ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL 2019-08-04 09:30:57 +02:00
ip_vti.c ip_vti: receive ipip packet by calling ip_tunnel_rcv 2020-06-03 08:19:46 +02:00
ipcomp.c
ipconfig.c net: ipconfig: Don't override command-line hostnames or domains 2021-06-30 08:48:13 -04:00
ipip.c net: ipip: fix wrong address family in init error path 2020-06-03 08:19:10 +02:00
ipmr.c ipmr: Fix skb headroom in ipmr_get_route(). 2019-11-20 18:45:11 +01:00
ipmr_base.c net: ipmr: fix unresolved entry dumps 2018-10-17 22:35:42 -07:00
Kconfig vti[6]: fix packet tx through bpf_redirect() in XinY cases 2020-04-02 15:28:18 +02:00
Makefile net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
metrics.c
netfilter.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-11-18 19:18:44 +01:00
netlink.c ipv4: Add ICMPv6 support when parse route ipproto 2019-03-10 07:17:17 +01:00
ping.c ping: Check return value of function 'ping_queue_rcv_skb' 2021-06-30 08:48:30 -04:00
proc.c tcp: tcp_fragment() should apply sane memory limits 2019-06-17 19:51:56 +02:00
protocol.c
raw.c ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop 2019-07-03 13:14:46 +02:00
raw_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
route.c net: lwtunnel: handle MTU calculation in forwading 2021-07-20 16:15:52 +02:00
syncookies.c net: Update window_clamp if SOCK_RCVBUF is set 2020-11-18 19:18:51 +01:00
sysctl_net_ipv4.c tcp: add tcp_min_snd_mss sysctl 2019-06-17 19:51:56 +02:00
tcp.c tcp: add sanity tests to TCP_QUEUE_SEQ 2021-03-17 16:43:43 +01:00
tcp_bbr.c tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate 2020-11-24 13:27:18 +01:00
tcp_bic.c
tcp_cdg.c
tcp_cong.c net: Only allow init netns to set default tcp cong to a restricted algo 2021-05-22 10:59:39 +02:00
tcp_cubic.c tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT 2020-06-30 23:17:06 -04:00
tcp_dctcp.c tcp: Ensure DCTCP reacts to losses 2019-04-17 08:38:41 +02:00
tcp_diag.c tcp: annotate tp->write_seq lockless reads 2021-03-17 16:43:43 +01:00
tcp_fastopen.c
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: annotate tp->copied_seq lockless reads 2021-03-17 16:43:42 +01:00
tcp_ipv4.c tcp: annotate data races around tp->mtu_info 2021-07-28 11:13:45 +02:00
tcp_lp.c
tcp_metrics.c
tcp_minisocks.c tcp: relookup sock for RST+ACK packets handled by obsolete req sock 2021-04-07 12:48:47 +02:00
tcp_nv.c
tcp_offload.c
tcp_output.c ipv6: tcp: drop silly ICMPv6 packet too big messages 2021-07-28 11:13:45 +02:00
tcp_rate.c
tcp_recovery.c tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN 2021-02-03 23:23:27 +01:00
tcp_scalable.c
tcp_timer.c tcp: fix SNMP TCP timeout under-estimation 2019-12-13 08:52:20 +01:00
tcp_ulp.c tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach 2018-08-16 14:58:08 -07:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c udp: fix race between close() and udp_abort() 2021-06-30 08:48:16 -04:00
udp_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
udp_impl.h
udp_offload.c net: Fix gro aggregation for udp encaps with zero csum 2021-03-17 16:43:42 +01:00
udp_tunnel.c
udplite.c
xfrm4_input.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm4_mode_tunnel.c
xfrm4_output.c xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish 2020-04-29 16:31:23 +02:00
xfrm4_policy.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c