Bug 2320212 (CVE-2024-47678) - CVE-2024-47678 kernel: icmp: change the order of rate limits
Summary: CVE-2024-47678 kernel: icmp: change the order of rate limits
Keywords:
Status: NEW
Alias: CVE-2024-47678
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320305
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-10-21 13:02 UTC by OSIDB Bzimport
Modified: 2024-12-12 15:58 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-10-21 13:02:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

icmp: change the order of rate limits

ICMP messages are ratelimited :

After the blamed commits, the two rate limiters are applied in this order:

1) host wide ratelimit (icmp_global_allow())

2) Per destination ratelimit (inetpeer based)

In order to avoid side-channels attacks, we need to apply
the per destination check first.

This patch makes the following change :

1) icmp_global_allow() checks if the host wide limit is reached.
   But credits are not yet consumed. This is deferred to 3)

2) The per destination limit is checked/updated.
   This might add a new node in inetpeer tree.

3) icmp_global_consume() consumes tokens if prior operations succeeded.

This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.

As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.
Comment 1 Robb Gatica 2024-10-21 14:01:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47678-0b1b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.