Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp478862imm; Fri, 14 Sep 2018 01:17:40 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbqiYgW9yhhpzZooE1CSvb2j24BAkzdSDUOxL3QFMWuzbJ4PB9MgqGADaPz8DvWXMjoWOVd X-Received: by 2002:a62:9b46:: with SMTP id r67-v6mr11152660pfd.105.1536913060332; Fri, 14 Sep 2018 01:17:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536913060; cv=none; d=google.com; s=arc-20160816; b=FkTlrAcyWwwuBiUZk9DY5IqIVmOOdHbSNZfd0zzLKDoC77OMs/CnKZiMCX+BuK8Q4n izdvwvMT4VCIP6UZCiRoMnUUeQ2EqSJMIBFkYgpVF3xjPjod7XyM2GK9E9M+jNNN420d DhXIftjP7VK/nTUg1+T5i4bePYldRjjtDpl9lLYn6X5zJnMKISUl4ymKjEwi4vedHIc2 E39vLYiTx4ayspxSO5y8HQG3vl6tWuxj9il+/eAu9Fh8rDDJhWyCE14RoKn8kp1eIFyn Dt1jNuXIqkijd58T/nIwrcKwFA4aiNUyGA2PLIz0NJjKZPcRkcvz1McMP09e4CsLQu0E GmEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:to:from; bh=eHdqw+j/DDlcFZAXrzWaQQ2sIRG8st/OXYHAFJMYpXA=; b=w4O75Z5BeDKtBo8FJ57W0K2c8EPaQS9/4I7+28wxWNCeYnBNbl0dUHkMnn/Dm7zBPC jacoxxggtVl+vcJXJTHWqXQOuc5KOkxhiuST6uZ1J7icf9en1yElZnIrLAWlRyVCkw5w JsVBstyQr4r5Q6GHjzJoGDfOutU8wDaHKdN8ovy9k1X53rxKbMbJr7OPh8uWDflZAZMv oU8TaySxW2uhsyRwBEAolrwMEgkBtx6N6XGbx56and6+zIHyUdHP4qrRk/l4yAzrhCjG ASHEzfhcT2oEzAohL5Zme5GeoJL3z8NSFSPV/m8k2ssPeiObXVXXY5ueNTS4RWwdGj2Z aT4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d38-v6si6290516pla.422.2018.09.14.01.17.24; Fri, 14 Sep 2018 01:17:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727754AbeINN1w (ORCPT + 99 others); Fri, 14 Sep 2018 09:27:52 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12130 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726905AbeINN1w (ORCPT ); Fri, 14 Sep 2018 09:27:52 -0400 Received: from DGGEMS410-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 972032C74FFF0; Fri, 14 Sep 2018 16:14:29 +0800 (CST) Received: from localhost.localdomain.localdomain (10.175.113.25) by DGGEMS410-HUB.china.huawei.com (10.3.19.210) with Microsoft SMTP Server id 14.3.399.0; Fri, 14 Sep 2018 16:14:21 +0800 From: Mao Wenan To: , , , , , , , Subject: [PATCH stable 4.4 V2 0/6] fix SegmentSmack in stable branch (CVE-2018-5390) Date: Fri, 14 Sep 2018 16:24:04 +0800 Message-ID: <1536913450-12380-1-git-send-email-maowenan@huawei.com> X-Mailer: git-send-email 1.8.3.1 MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-Originating-IP: [10.175.113.25] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There are five patches to fix CVE-2018-5390 in latest mainline branch, but only two patches exist in stable 4.4 and 3.18: dc6ae4d tcp: detect malicious patterns in tcp_collapse_ofo_queue() 5fbec48 tcp: avoid collapses in tcp_prune_queue() if possible I have tested with stable 4.4 kernel, and found the cpu usage was very high. So I think only two patches can't fix the CVE-2018-5390. test results: with fix patch: 78.2% ksoftirqd withoutfix patch: 90% ksoftirqd Then I try to imitate 72cd43ba(tcp: free batches of packets in tcp_prune_ofo_queue()) to drop at least 12.5 % of sk_rcvbuf to avoid malicious attacks with simple queue instead of RB tree. The result is not very well. After analysing the codes of stable 4.4, and debuging the system, shows that search of ofo_queue(tcp ofo using a simple queue) cost more cycles. So I try to backport "tcp: use an RB tree for ooo receive queue" using RB tree instead of simple queue, then backport Eric Dumazet 5 fixed patches in mainline, good news is that ksoftirqd is turn to about 20%, which is the same with mainline now. Stable 4.4 have already back port two patches, f4a3313d(tcp: avoid collapses in tcp_prune_queue() if possible) 3d4bf93a(tcp: detect malicious patterns in tcp_collapse_ofo_queue()) If we want to change simple queue to RB tree to finally resolve, we should apply previous patch 9f5afeae(tcp: use an RB tree for ooo receive queue.) firstly, but 9f5afeae have many conflicts with 3d4bf93a and f4a3313d, which are part of patch series from Eric in mainline to fix CVE-2018-5390, so I need revert part of patches in stable 4.4 firstly, then apply 9f5afeae, and reapply five patches from Eric. V1->V2: 1) Don't revert 3d4bf93a and f4a3313d firstly, all of 6 patches based on 4.4.155. 2) Add one bug fix patch for RB tree:76f0dcbb5ae1a7c3dbeec13dd98233b8e6b0b32a tcp: fix a stale ooo_last_skb Eric Dumazet (5): tcp: increment sk_drops for dropped rx packets tcp: fix a stale ooo_last_skb after a replace tcp: free batches of packets in tcp_prune_ofo_queue() tcp: call tcp_drop() from tcp_data_queue_ofo() tcp: add tcp_ooo_try_coalesce() helper Yaogong Wang (1): tcp: use an RB tree for ooo receive queue include/linux/skbuff.h | 8 + include/linux/tcp.h | 7 +- include/net/sock.h | 7 + include/net/tcp.h | 2 +- net/core/skbuff.c | 19 +++ net/ipv4/tcp.c | 4 +- net/ipv4/tcp_input.c | 417 +++++++++++++++++++++++++++++------------------ net/ipv4/tcp_ipv4.c | 3 +- net/ipv4/tcp_minisocks.c | 1 - net/ipv6/tcp_ipv6.c | 1 + 10 files changed, 297 insertions(+), 172 deletions(-) -- 1.8.3.1