Bug 480137 - Improve udp port randomization
Summary: Improve udp port randomization
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.8
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Vitaly Mayatskikh
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 458022 480951
TreeView+ depends on / blocked
 
Reported: 2009-01-15 11:19 UTC by Vitaly Mayatskikh
Modified: 2009-05-18 19:37 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 480951 (view as bug list)
Environment:
Last Closed: 2009-05-18 19:37:31 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1024 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update 2009-05-18 14:57:26 UTC

Description Vitaly Mayatskikh 2009-01-15 11:19:59 UTC 
Current implementation of udp port randomization contains several problems mentioned in upstream commit:

commit 9088c5609584684149f3fb5b065aa7f18dcb03ff
Author: Eric Dumazet <dada1>
Date:   Wed Oct 8 11:44:17 2008 -0700

    udp: Improve port randomization
    
    Current UDP port allocation is suboptimal.
    We select the shortest chain to chose a port (out of 512)
    that will hash in this shortest chain.
    
    First, it can lead to give not so ramdom ports and ease
    give attackers more opportunities to break the system.
    
    Second, it can consume a lot of CPU to scan all table
    in order to find the shortest chain.
    
    Third, in some pathological cases we can fail to find
    a free port even if they are plenty of them.
    
    This patch zap the search for a short chain and only
    use one random seed. Problem of getting long chains
    should be addressed in another way, since we can
    obtain long chains with non random ports.

We need to integrate those changes from upstream GIT:

9088c560 udp: Improve port randomization
f24d43c0 udp: complete port availability checking

I can confirm that my concern mentioned in comments for bug 458022 are completely solved by these patches.

Note: RHEL-5 kernel needs these changes as well.
Comment 2 RHEL Program Management 2009-02-23 22:49:27 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Vivek Goyal 2009-02-26 16:47:44 UTC 
Committed in 82.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 6 errata-xmlrpc 2009-05-18 19:37:31 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html
Note You need to log in before you can comment on or make changes to this bug.