Bug 480137
| Summary: | Improve udp port randomization | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Vitaly Mayatskikh <vmayatsk> | |
| Component: | kernel | Assignee: | Vitaly Mayatskikh <vmayatsk> | |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat Kernel QE team <kernel-qe> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 4.8 | CC: | davem, eteo, lwang, nhorman, security-response-team, tgraf, vgoyal | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 480951 (view as bug list) | Environment: | ||
| Last Closed: | 2009-05-18 19:37:31 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 458022, 480951 | |||
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Committed in 82.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1024.html |
Current implementation of udp port randomization contains several problems mentioned in upstream commit: commit 9088c5609584684149f3fb5b065aa7f18dcb03ff Author: Eric Dumazet <dada1> Date: Wed Oct 8 11:44:17 2008 -0700 udp: Improve port randomization Current UDP port allocation is suboptimal. We select the shortest chain to chose a port (out of 512) that will hash in this shortest chain. First, it can lead to give not so ramdom ports and ease give attackers more opportunities to break the system. Second, it can consume a lot of CPU to scan all table in order to find the shortest chain. Third, in some pathological cases we can fail to find a free port even if they are plenty of them. This patch zap the search for a short chain and only use one random seed. Problem of getting long chains should be addressed in another way, since we can obtain long chains with non random ports. We need to integrate those changes from upstream GIT: 9088c560 udp: Improve port randomization f24d43c0 udp: complete port availability checking I can confirm that my concern mentioned in comments for bug 458022 are completely solved by these patches. Note: RHEL-5 kernel needs these changes as well.