CVE-2012-3412

Bug #1034281 reported by Karma Dorje on 2012-08-08
Affects          Status        Importance  Assigned to  Milestone
linux (Fedora)   Fix Released  High
linux (Ubuntu)                 Undecided   Unassigned

Bug Description

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).

Upstream patch:
http://www.spinics.net/lists/netdev/msg206332.html

References:
http://seclists.org/oss-sec/2012/q3/171

Acknowledgements:

Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue.

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 845558]

Mitigation as recommended by Ben Hutchings
------------------------------------------

If all processes that may send on the sfc interface use Onload, or do
not use TCP, the vulnerability does not exist.

The vulnerability can otherwise be avoided by making a temporary
configuration change. For an sfc interface named eth0, either:

a. Increase the TX queue size:
       ethtool -G eth0 tx 4096
   This can increase TX latency and memory usage.

or:

b. Disable TSO:
       ethtool -K eth0 tso off
   This can reduce TX throughput and/or increase CPU usage.
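A check for whether one of the two mitigations above is in place, as an added example that is not part of the bug report or of the upstream patch; the parsers read the text printed by `ethtool -k` and `ethtool -g` from stdin, and the sample output and the 4096 threshold are constructed assumptions:

```shell
#!/usr/bin/env bash
# Audit helper (added example, not part of the bug report): report whether an
# interface has one of the two mitigations above in place. The parsers take
# text in the format printed by `ethtool -k` and `ethtool -g` on stdin, so
# they also work on saved output offline. The 4096 threshold mirrors the
# "tx 4096" value in the mitigation and is an assumption, not a driver rule.

# Prints "on" or "off" for tcp-segmentation-offload from `ethtool -k` output.
tso_state() {
    awk -F': *' '$1 == "tcp-segmentation-offload" { sub(/ .*/, "", $2); print $2; exit }'
}

# Prints the current TX ring size from `ethtool -g` output: the TX line under
# "Current hardware settings:", not the one under "Pre-set maximums:".
tx_ring_size() {
    awk '/^Current hardware settings:/ { cur = 1 }
         cur && $1 == "TX:" { print $2; exit }'
}

# Given the TSO state and the TX ring size, prints a verdict and returns 0
# when at least one mitigation is present, 1 otherwise.
mitigation_status() {
    tso="${1:-unknown}"; ring="${2:-0}"
    if [ "$tso" = "off" ]; then
        echo "mitigated: TSO disabled"; return 0
    elif [ "$ring" -ge 4096 ]; then
        echo "mitigated: TX ring size $ring"; return 0
    fi
    echo "NOT mitigated: tso=$tso tx_ring=$ring"; return 1
}

# Constructed sample output for an unmitigated port (TSO on, 1024-entry TX ring).
SAMPLE_K='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on'
SAMPLE_G='Ring parameters for eth0:
Pre-set maximums:
RX:		4096
TX:		4096
Current hardware settings:
RX:		1024
TX:		1024'

# Live use would be: ethtool -k eth0 | tso_state; ethtool -g eth0 | tx_ring_size
mitigation_status "$(printf '%s\n' "$SAMPLE_K" | tso_state)" \
                  "$(printf '%s\n' "$SAMPLE_G" | tx_ring_size)" || true
```

Run against live `ethtool` output on a box with an sfc interface to confirm that whichever option was chosen is actually in effect after a reboot or driver reload.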

Karma Dorje (taaroa) on 2012-08-08
tags: added: kernel-cve-tracking-bug
visibility: private → public
Karma Dorje (taaroa) on 2012-08-13
Changed in linux (Ubuntu):
status: New → Confirmed

This issue has been addressed in the following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:1324 https://rhn.redhat.com/errata/RHSA-2012-1324.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1323 https://rhn.redhat.com/errata/RHSA-2012-1323.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:1347 https://rhn.redhat.com/errata/RHSA-2012-1347.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1366 https://rhn.redhat.com/errata/RHSA-2012-1366.html

This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:1375 https://rhn.redhat.com/errata/RHSA-2012-1375.html

Karma Dorje (taaroa) on 2012-10-19
Changed in linux (Ubuntu):
status: Confirmed → Fix Released

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1401 https://rhn.redhat.com/errata/RHSA-2012-1401.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1430 https://rhn.redhat.com/errata/RHSA-2012-1430.html

Changed in linux (Fedora):
importance: Unknown → High
status: Unknown → Fix Released