Bug 2257979 (CVE-2023-52340)
Summary: | CVE-2023-52340 kernel: ICMPv6 "Packet Too Big" packets force a DoS of the Linux kernel by forcing 100% CPU | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | acaringi, ajmitchell, allarkin, anprice, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mcascell, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | kernel 6.3-rc1 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw in the routing table size was found in the ICMPv6 handling of "Packet Too Big". The size of the routing table is regulated by periodic garbage collection. However, with "Packet Too Big" messages it is possible to exceed the routing table size and the garbage collector threshold. A user located in the local network or with a high-bandwidth connection can increase the CPU usage of a server that accepts IPv6 connections to up to 95%. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2260726 | | |
Bug Blocks: | 2257965 | | |
Description
Robb Gatica
2024-01-11 22:16:37 UTC
Additional info: ICMP6 "Packet Too Big" packets force a DoS of the Linux kernel by forcing 100% CPU utilization. ICMP6 "Packet Too Big" messages can force 100% CPU utilization in network IRQ threads within the Linux kernel on robust systems.

When ICMP6 Packet Too Big messages are received by a host, the Linux kernel will cache the destination information from the packet headers in the routing table to segment or fragment packets to a size that falls within the path MTU reported by the PTB. The Linux kernel garbage collection periodically runs to remove stale routes from the table to prevent the table from becoming oversized.

During the handling of the ICMP6 Packet Too Big messages, the routing table size can exceed the garbage collector threshold, which is typically 1024. When the garbage collector threshold is exceeded, the Linux kernel will execute ip6_dst_gc(). In the event that the table exceeds the rt_max_size of 4096, the kernel will initiate the garbage collector function fib6_run_gc() with the force argument set to true.

The fib6_run_gc() will obtain the spin lock, spin_lock_bh, and block the Linux kernel from writing additional details to the route table, regardless of the previous garbage collector iterations or whether it is needed. In an effort to bypass the garbage collector block, the Linux kernel will raise an exception, rt6_insert_exception(), to continue to write to the route table, but the function will obtain the global spin lock, spin_lock_bh(&rt6_exception_lock), which further blocks Linux processes. The continued blocking behavior from the garbage collector and the route table insert exception leads to 100% CPU utilization, since the queues are full during the execution of fib6_run_gc().

Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2260726]

This was fixed for Fedora with the 6.3 stable kernel rebases.

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138
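As an added illustration (not code from the report or from the kernel), the following Python model reproduces the route-cache dynamics described above: PTB messages for fresh destinations fill the table, the collector is throttled while the table is merely above gc_thresh, and once it passes rt_max_size every further insert triggers a forced full-table pass, which is where the CPU goes. The 1024/4096 thresholds are the ones quoted in the report; the 500 ms throttle for non-forced passes is an assumed default.

```python
# Added illustration, not kernel code: a toy model of the IPv6 route-cache
# pressure described in the report. Each ICMPv6 "Packet Too Big" for a new
# destination inserts a PMTU exception; above gc_thresh the collector runs,
# and above rt_max_size it is forced on every insert and scans the whole table.
# Assumptions: the 1024/4096 thresholds quoted in the report and a 500 ms
# throttle for non-forced passes (net.ipv6.route.gc_min_interval_ms, assumed).
from dataclasses import dataclass, field

GC_THRESH = 1024        # gc is considered once the table is larger than this
RT_MAX_SIZE = 4096      # above this, fib6_run_gc(force=true) on every insert
GC_MIN_INTERVAL = 0.5   # seconds between non-forced gc passes (assumed)
PMTU_LIFETIME = 600.0   # seconds a cached PMTU exception stays fresh


@dataclass
class RouteCache:
    entries: dict = field(default_factory=dict)  # destination -> expiry time
    last_gc: float = float("-inf")
    gc_runs: int = 0          # throttled (normal) passes
    forced_gc_runs: int = 0   # passes forced by exceeding rt_max_size
    gc_work: int = 0          # entries scanned in total, a proxy for CPU time

    def run_gc(self, now: float, force: bool) -> None:
        # fib6_run_gc(): a normal pass is rate-limited, a forced pass is not,
        # and every pass walks the whole table while holding the lock.
        if not force and now - self.last_gc < GC_MIN_INTERVAL:
            return
        self.last_gc = now
        if force:
            self.forced_gc_runs += 1
        else:
            self.gc_runs += 1
        self.gc_work += len(self.entries)
        self.entries = {d: exp for d, exp in self.entries.items() if exp > now}

    def insert_pmtu_exception(self, dst: str, now: float) -> None:
        # ip6_dst_gc() runs once the table exceeds gc_thresh and is forced
        # when it also exceeds rt_max_size; then the exception is inserted.
        if len(self.entries) > GC_THRESH:
            self.run_gc(now, force=len(self.entries) > RT_MAX_SIZE)
        self.entries[dst] = now + PMTU_LIFETIME


def simulate(n_packets: int, pps: float = 1000.0) -> RouteCache:
    """Feed n_packets PTB messages, each for a fresh (constructed) destination."""
    cache = RouteCache()
    for i in range(n_packets):
        cache.insert_pmtu_exception(f"2001:db8::{i:x}", now=i / pps)
    return cache
```

Compare `simulate(2048).gc_work` with `simulate(8192).gc_work`: below rt_max_size the throttle keeps the scanning work to a few thousand entries, while past it each of the remaining inserts rescans a table of several thousand entries, so the work grows quadratically with the number of PTBs received.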