Description
Daisuke Higashi 2019-03-03 13:18:44 UTC
-- Description of problem:
The Linux kernel 3.15 introduced the new socket options IP_PMTUDISC_OMIT / IPV6_PMTUDISC_OMIT [1], and the kernel feature itself was backported to the RHEL7 kernel [3.10.0-217.el7], but the corresponding macros were not backported to <netinet/in.h>.
(Actually these macros are defined in /usr/include/bits/in.h, which <netinet/in.h> includes.)
The IP*_PMTUDISC_OMIT sockopt is used by some DNS server implementations by default (if available) [3][4] to mitigate the DNS IP fragmentation attack [2]. Due to the missing IP*_PMTUDISC_OMIT macros, this mitigation is not enabled at compile time. Backporting these macros into the glibc headers will resolve this issue.
-- Version-Release number of selected component (if applicable):
I have confirmed this issue on RHEL 7.6.
kernel/glibc-related versions:
kernel-headers-3.10.0-957.5.1.el7.x86_64
kernel-3.10.0-957.5.1.el7.x86_64
glibc-2.17-260.el7_6.3.x86_64
glibc-common-2.17-260.el7_6.3.x86_64
glibc-headers-2.17-260.el7_6.3.x86_64
glibc-devel-2.17-260.el7_6.3.x86_64
-- How reproducible:
100%
-- Steps to Reproduce:
Compile and run this code and see whether "IP*_PMTUDISC_OMIT defined" is printed or not.
------
#include <netinet/in.h>
#include <stdio.h>

int main(void) {
    // IP_PMTUDISC_DONT is available on RHEL7
#if defined (IP_PMTUDISC_DONT)
    printf("IP_PMTUDISC_DONT defined\n");
#endif
#if defined (IPV6_PMTUDISC_DONT)
    printf("IPV6_PMTUDISC_DONT defined\n");
#endif
    // IP_PMTUDISC_OMIT is missing on RHEL7
#if defined (IP_PMTUDISC_OMIT)
    printf("IP_PMTUDISC_OMIT defined\n");
#endif
#if defined (IPV6_PMTUDISC_OMIT)
    printf("IPV6_PMTUDISC_OMIT defined\n");
#endif
    return 0;
}
------
-- Actual results:
IP*_PMTUDISC_OMIT macro is not defined even if <netinet/in.h> is included.
-- Expected results:
IP*_PMTUDISC_OMIT macro is defined when <netinet/in.h> is included
(and corresponding feature is enabled at DNS server's compile time)
-- Additional info:
[1] Linux kernel introduced IP*_PMTUDISC_OMIT
https://lists.openwall.net/netdev/2014/02/26/4
[2] IP fragmentation attack on DNS
https://ripe67.ripe.net/presentations/240-ipfragattack.pdf
[3] Unbound 1.5.0 introduced this feature.
https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0
[4] BIND 9.9.10 introduced this feature.
https://www.isc.org/blogs/bind-april-2017/
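The report above explains the consequence of the missing macros: a DNS server that selects IP*_PMTUDISC_OMIT at compile time silently loses that mitigation when the headers lack the definitions. The following is an added example, not code from this bug report nor from glibc, BIND or Unbound, showing the shape of such a compile-time selection and the runtime check a practitioner would pair with it. It assumes Linux with glibc's <netinet/in.h>, and all function names (have_ip_pmtudisc_omit, choose_ipv4_pmtudisc_mode, apply_pmtudisc_mode, probe_pmtudisc_mode and their IPv6 counterparts) are this example's own. It goes a step beyond the report by also handling the case where the build headers are newer than the running kernel, in which case the kernel rejects OMIT with EINVAL and the code settles for DONT.

```c
/* Added example; not code from the bug report, glibc, BIND or Unbound.
 * Assumes Linux, <netinet/in.h> from glibc, and a UDP socket the caller owns.
 * All function names here are this example's own (hypothetical). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Compile-time checks: the same condition the reporter's program prints. */
int have_ip_pmtudisc_omit(void)
{
#if defined(IP_PMTUDISC_OMIT)
    return 1;
#else
    return 0;
#endif
}

int have_ipv6_pmtudisc_omit(void)
{
#if defined(IPV6_PMTUDISC_OMIT)
    return 1;
#else
    return 0;
#endif
}

/* Prefer OMIT (ignore cached path-MTU hints, so a forged ICMP "fragmentation
 * needed" cannot lower the MTU and force fragmented answers; DF is not set and
 * only the interface MTU limits the packet). Fall back to DONT (never set DF)
 * when the build headers lack the OMIT macros, the RHEL 7.6 situation above. */
int choose_ipv4_pmtudisc_mode(void)
{
#if defined(IP_PMTUDISC_OMIT)
    return IP_PMTUDISC_OMIT;
#else
    return IP_PMTUDISC_DONT;
#endif
}

int choose_ipv6_pmtudisc_mode(void)
{
#if defined(IPV6_PMTUDISC_OMIT)
    return IPV6_PMTUDISC_OMIT;
#else
    return IPV6_PMTUDISC_DONT;
#endif
}

/* Apply the chosen mode to an open UDP socket and read back what the kernel
 * accepted. Headers can be newer than the running kernel: a kernel without
 * OMIT rejects it with EINVAL, so we then settle for DONT rather than leaving
 * the kernel default (IP_PMTUDISC_WANT, which honours per-route PMTU hints).
 * Returns the effective mode, or -1 with errno set. */
int apply_pmtudisc_mode(int fd, int family)
{
    int level, opt, mode, fallback, got = -1;
    socklen_t len = sizeof(got);

    if (family == AF_INET6) {
        level = IPPROTO_IPV6; opt = IPV6_MTU_DISCOVER;
        mode = choose_ipv6_pmtudisc_mode(); fallback = IPV6_PMTUDISC_DONT;
    } else {
        level = IPPROTO_IP; opt = IP_MTU_DISCOVER;
        mode = choose_ipv4_pmtudisc_mode(); fallback = IP_PMTUDISC_DONT;
    }
    if (setsockopt(fd, level, opt, &mode, sizeof(mode)) != 0) {
        if (errno != EINVAL || mode == fallback)
            return -1;
        mode = fallback;
        if (setsockopt(fd, level, opt, &mode, sizeof(mode)) != 0)
            return -1;
    }
    if (getsockopt(fd, level, opt, &got, &len) != 0)
        return -1;
    return got;
}

/* Open a throwaway UDP socket, apply the mode, close it. Returns -1 if the
 * socket cannot be created (e.g. IPv6 disabled) or configured. */
int probe_pmtudisc_mode(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int got = apply_pmtudisc_mode(fd, family);
    int saved = errno;
    close(fd);
    errno = saved;
    return got;
}

int main(void)
{
    int fams[2] = { AF_INET, AF_INET6 };
    const char *names[2] = { "IPv4", "IPv6" };
    printf("IP_PMTUDISC_OMIT in headers:   %s\n", have_ip_pmtudisc_omit() ? "yes" : "no");
    printf("IPV6_PMTUDISC_OMIT in headers: %s\n", have_ipv6_pmtudisc_omit() ? "yes" : "no");
    for (int i = 0; i < 2; i++) {
        int m = probe_pmtudisc_mode(fams[i]);
        if (m < 0)
            printf("%s: probe failed: %s\n", names[i], strerror(errno));
        else
            printf("%s: *_MTU_DISCOVER is now %d\n", names[i], m);
    }
    return 0;
}
```

Run it on the build host to see whether OMIT is compiled in, and on the deployment host to see what the kernel actually accepted; a server built against RHEL 7.6 headers reports "no" for the header check and ends up in DONT mode even on a kernel that supports OMIT, which is the gap this bug describes.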
Patches backported:
commit 7c70f2272edd4efcc4525f1bbb50e92de1a27a57
Author: Mike Frysinger <vapier>
Date: Thu Jan 30 18:56:56 2014 -0500
linux: bits/in.h: sync with latest kernel headers
This pulls in the latest defines for {g,s}etsockopt.
Reviewed-by: Carlos O'Donell <carlos>
Signed-off-by: Mike Frysinger <vapier>
commit 76e5216e317f39da2bc5bf905721cd9554ee6d09
Author: Joseph Myers <joseph>
Date: Mon Jun 23 15:48:42 2014 +0000
Update headers for Linux 3.15.
This patch updates glibc headers for changes / new definitions in
Linux 3.15. In the course of my review I noticed that
IPV6_PMTUDISC_INTERFACE was absent from glibc despite the inclusion of
IP_PMTUDISC_INTERFACE; I added it along with IP_PMTUDISC_OMIT and
IPV6_PMTUDISC_OMIT. I did not add FALLOC_FL_NO_HIDE_STALE given the
kernel header comment that it is reserved.
I confirmed that this issue is fixed in RHEL7.7 beta.
The IP_PMTUDISC_OMIT feature of several DNS servers [1] is enabled at compile time,
and they ignore forged ICMPv4 type 3 / code 4 messages on IPv4/UDP as expected.
Thank you!
[1] I have tested NSD 4.1.27 and BIND 9.11.6.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2019:2118