Bug 567530

Summary: kernel: RTO (Retransmission Timeouts) Remote DoS
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, davej, kmcmartin, lwang, pmatouse, rcvalle, tao, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:15:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 567532    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-02-23 07:43:58 UTC 
Description of problem:
Make sure, that TCP has a nonzero RTT estimation after three-way handshake. Currently, a listening TCP has a value of 0 for srtt, rttvar and rto right after the three-way handshake is completed with TCP timestamps disabled. This will lead to corrupt RTO recalculation and retransmission flood when RTO is recalculated on backoff reversion as introduced in "Revert RTO on ICMP destination unreachable"
(f1ecd5d9e7366609d640ff4040304ea197fbc618). This behaviour can be provoked by connecting to a server which "responds first" (like SMTP) and rejecting every packet after the handshake with dest-unreachable, which will lead to softirq
load on the server (up to 30% per socket in some tests).

Thanks to Ilpo Jarvinen for providing debug patches and to Denys Fedoryshchenko for reporting and testing.

Changes since v3: Removed bad characters in patchfile.

Reported-by: Denys Fedoryshchenko <denys.lb>
Signed-off-by: Damian Lukowski <damian.de>
Signed-off-by: David S. Miller <davem>

Upstream commit:
http://git.kernel.org/linus/598856407d4e20ebb4de01a91a93d89325924d43

"Revert RTO on ICMP destination unreachable" was introduced in:
http://git.kernel.org/linus/f1ecd5d9e7366609d640ff4040304ea197fbc618 (v2.6.32-rc1)

Reference:
http://www.securityfocus.com/bid/38355
Comment 1 Eugene Teo (Security Response) 2010-02-23 07:47:19 UTC 
Not vulnerable. This issue did not affect the versions of the Linux kernel as
shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit f1ecd5d9e that introduced the problem.
Comment 4 Fedora Update System 2010-02-28 00:34:35 UTC 
kernel-2.6.32.9-67.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.32.9-67.fc12
Comment 5 Chuck Ebbert 2010-02-28 00:45:42 UTC 
Fixed in Fedora:

  2.6.32.9-37.fc11
  2.6.32.9-66.fc12

We can't mark this bug as fixed in Bodhi because it transforms the entire update into a security update even though no released Fedora kernel has this bug.