Fedora
linux package

CVE-2012-3412

Bug #1034281 reported by Karma Dorje
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Fedora)
Fix Released
High
linux (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).

Upstream patch:
http://www.spinics.net/lists/netdev/msg206332.html

References:
http://seclists.org/oss-sec/2012/q3/171

CVE References

Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).

Upstream patch:
http://www.spinics.net/lists/netdev/msg206332.html

References:
http://seclists.org/oss-sec/2012/q3/171

Acknowledgements:

Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue.

Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 845558]

Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

Mitigation as recommended by Ben Hutchings
------------------------------------------

If all processes that may send on the sfc interface use Onload, or do
not use TCP, the vulnerability does not exist.

The vulnerability can otherwise be avoided by making a temporary
configuration change. For an sfc interface named eth0, either:

a. Increase the TX queue size:
       ethtool -G eth0 tx 4096
   This can increase TX latency and memory usage.

or:

b. Disable TSO:
       ethtool -K eth0 tso off
   This can reduce TX throughput and/or increase CPU usage.

Karma Dorje (taaroa)
tags: added: kernel-cve-tracking-bug
visibility: private → public
Karma Dorje (taaroa)
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:1324 https://rhn.redhat.com/errata/RHSA-2012-1324.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1323 https://rhn.redhat.com/errata/RHSA-2012-1323.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:1347 https://rhn.redhat.com/errata/RHSA-2012-1347.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1366 https://rhn.redhat.com/errata/RHSA-2012-1366.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:1375 https://rhn.redhat.com/errata/RHSA-2012-1375.html

Karma Dorje (taaroa)
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1401 https://rhn.redhat.com/errata/RHSA-2012-1401.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1430 https://rhn.redhat.com/errata/RHSA-2012-1430.html

Bug Watch Updater (bug-watch-updater)
Changed in linux (Fedora):
importance: Unknown → High
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.