diff --git a/patches.suse/icmp-randomize-the-global-rate-limiter.patch b/patches.suse/icmp-randomize-the-global-rate-limiter.patch
new file mode 100644
index 0000000..27f3940
--- /dev/null
+++ b/patches.suse/icmp-randomize-the-global-rate-limiter.patch
@@ -0,0 +1,66 @@
+From: Eric Dumazet
+Date: Thu, 15 Oct 2020 11:42:00 -0700
+Subject: icmp: randomize the global rate limiter
+Patch-mainline: v5.10-rc1
+Git-commit: b38e7819cae946e2edf869e604af1e65a5d241c5
+References: git-fixes
+
+Keyu Man reported that the ICMP rate limiter could be used
+by attackers to get useful signal. Details will be provided
+in an upcoming academic publication.
+
+Our solution is to add some noise, so that the attackers
+no longer can get help from the predictable token bucket limiter.
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet
+Reported-by: Keyu Man
+Signed-off-by: Jakub Kicinski
+Acked-by: Michal Kubecek
+
+---
+ Documentation/networking/ip-sysctl.txt | 4 +++-
+ net/ipv4/icmp.c | 7 +++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -995,12 +995,14 @@ icmp_ratelimit - INTEGER
+ icmp_msgs_per_sec - INTEGER
+ Limit maximal number of ICMP packets sent per second from this host.
+ Only messages whose type matches icmp_ratemask (see below) are
+- controlled by this limit.
++ controlled by this limit. For security reasons, the precise count
++ of messages per second is randomized.
+ Default: 1000
+
+ icmp_msgs_burst - INTEGER
+ icmp_msgs_per_sec controls number of ICMP packets sent per second,
+ while icmp_msgs_burst controls the burst size of these packets.
++ For security reasons, the precise burst size is randomized.
+ Default: 50
+
+ icmp_ratemask - INTEGER
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -239,7 +239,7 @@ static struct {
+ /**
+ * icmp_global_allow - Are we allowed to send one more ICMP message ?
+ *
+- * Uses a token bucket to limit our ICMP messages to sysctl_icmp_msgs_per_sec.
++ * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec.
+ * Returns false if we reached the limit and can not send another packet.
+ * Note: called with BH disabled
+ */
+@@ -267,7 +267,10 @@ bool icmp_global_allow(void)
+ }
+ credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+ if (credit) {
+- credit--;
++ /* We want to use a credit of one in average, but need to randomize
++ * it for security reasons.
++ */
++ credit = max_t(int, credit - prandom_u32_max(3), 0);
+ rc = true;
+ }
+ WRITE_ONCE(icmp_global.credit, credit);
diff --git a/series.conf b/series.conf
index 95ce4c8..6b6ce49 100644
--- a/series.conf
+++ b/series.conf
@@ -15667,6 +15667,7 @@
 patches.suse/module-statically-initialize-init-section-freeing-da.patch
 patches.suse/Werror-return-type.patch
 patches.suse/KVM-x86-mmu-Commit-zap-of-remaining-invalid-pages-wh.patch
+ patches.suse/icmp-randomize-the-global-rate-limiter.patch
 patches.suse/r8169-fix-operation-under-forced-interrupt-threading.patch
 patches.suse/nfc-Ensure-presence-of-NFC_ATTR_FIRMWARE_NAME-attrib.patch
 patches.suse/ibmvnic-save-changed-mac-address-to-adapter-mac_addr.patch
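Review bot: In the inner hunk against net/ipv4/icmp.c, `credit = max_t(int, credit - prandom_u32_max(3), 0);` is only correct because the unsigned subtraction wraps when credit is 1 or 2 and the draw is larger, and max_t(int, …) then reinterprets the wrapped value as negative; credit appears to be u32 (it is produced by `min_t(u32, …)` on the line above, its declaration and the rest of icmp_global_allow() are outside the hunk), so `credit -= min_t(u32, credit, prandom_u32_max(3));` expresses the same saturating decrement without the signed round-trip and without depending on sysctl_icmp_msgs_burst fitting in an int. The noise source is the kernel's prandom pool rather than the CRNG, which is presumably adequate since the goal is only to blur a per-second count from an outside sender, but that reasoning is worth stating next to the constant 3; the new comment could read `/* Consume 0..2 credits (one on average) so the exact per-second limit is not observable from outside; prandom is sufficient here, the draw only has to be unpredictable to a remote sender. */`, which also fixes "in average". Whether the target tree already provides prandom_u32_max() cannot be checked from this patch file alone.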