From owner-svn-doc-head@freebsd.org Tue Jul 21 23:51:23 2015 Return-Path: Delivered-To: svn-doc-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9070F9A70A5; Tue, 21 Jul 2015 23:51:23 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 779461FAE; Tue, 21 Jul 2015 23:51:23 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6LNpNnD022873; Tue, 21 Jul 2015 23:51:23 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6LNpLLd022867; Tue, 21 Jul 2015 23:51:21 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201507212351.t6LNpLLd022867@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 21 Jul 2015 23:51:21 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47036 - in head/share: security/advisories security/patches/SA-15:13 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Jul 2015 23:51:23 -0000 Author: delphij Date: Tue Jul 21 23:51:20 2015 New Revision: 47036 URL: https://svnweb.freebsd.org/changeset/doc/47036 Log: Add SA-15:13.tcp. Added: head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc (contents, props changed) head/share/security/patches/SA-15:13/ head/share/security/patches/SA-15:13/tcp-9.patch (contents, props changed) head/share/security/patches/SA-15:13/tcp-9.patch.asc (contents, props changed) head/share/security/patches/SA-15:13/tcp.patch (contents, props changed) head/share/security/patches/SA-15:13/tcp.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc Tue Jul 21 23:51:20 2015 (r47036) @@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:13.tcp Security Advisory + The FreeBSD Project + +Topic: Resource exhaustion due to sessions stuck in LAST_ACK state + +Category: core +Module: inet +Announced: 2015-07-21 +Credits: Lawrence Stewart (Netflix, Inc.), + Jonathan Looney (Juniper SIRT) +Affects: All supported versions of FreeBSD. +Corrected: 2015-07-21 23:42:17 UTC (stable/10, 10.2-PRERELEASE) + 2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA1-p1) + 2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA2-p1) + 2015-07-21 23:42:56 UTC (releng/10.1, 10.1-RELEASE-p15) + 2015-07-21 23:42:20 UTC (stable/9, 9.3-STABLE) + 2015-07-21 23:42:56 UTC (releng/9.3, 9.3-RELEASE-p20) + 2015-07-21 23:42:20 UTC (stable/8, 8.4-STABLE) + 2015-07-21 23:42:56 UTC (releng/8.4, 8.4-RELEASE-p34) +CVE Name: CVE-2015-5358 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Transmission Control Protocol (TCP) of the TCP/IP protocol suite +provides a connection-oriented, reliable, sequence-preserving data +stream service. + +A socket enters the LAST_ACK state when the local process closes its socket +after a FIN has already been received from the remote peer. The socket +will remain in the LAST_ACK state until the kernel has transmitted a FIN to +the remote peer and the kernel has received an acknowledgement of that FIN +from the remote peer, or all retransmits of the FIN have failed and the +connection times out. + +II. Problem Description + +TCP connections transitioning to the LAST_ACK state can become permanently +stuck due to mishandling of protocol state in certain situations, which in +turn can lead to accumulated consumption and eventual exhaustion of system +resources, such as mbufs and sockets. + +III. Impact + +An attacker who can repeatedly establish TCP connections to a victim system +(for instance, a Web server) could create many TCP connections that are +stuck in LAST_ACK state and cause resource exhaustion, resulting in a +denial of service condition. This may also happen in normal operation +where no intentional attack is conducted, but an attacker who can send +specifically crafted packets can trigger this more reliably. + +IV. Workaround + +No workaround is available, but systems that do not provide TCP based +service to untrusted networks are not vulnerable. + +Note that the tcpdrop(8) utility can be used to purge connections which +have become wedged. For example, the following command can be used to +generate commands that would drop all connections whose last rcvtime is +more than 100s: + + netstat -nxp tcp | \ + awk '{ if (int($NF) > 100) print "tcpdrop " $4 " " $5 }' + +The system administrator can then run the generated script as a temporary +measure. Please refer to the tcpdump(8) manual page for additional +information. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch +# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch.asc +# gpg --verify tcp.patch.asc + +[FreeBSD 9.x and 8.x] +# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch +# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch.asc +# gpg --verify tcp-9.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r285779 +releng/8.4/ r285780 +stable/9/ r285779 +releng/9.3/ r285780 +stable/10/ r285778 +releng/10.1/ r285780 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAEBCgAGBQJVrtnrAAoJEO1n7NZdz2rnchoQAMUV9fuXsBvQgvugFVpoe4HP +t7tTIzKKmvC3SVOQfPF6jQllVL9qbRJK9zVdFcGX0Iy07/QPKMIRIFXqiYmRwyXt +YEuZtZMHEo6w5YS/gEwSndGRFduFAfhaNZndycjA3O5nxR16cvqScDUAv0nErQGD +jJzhjbwdrT4fLg06PgLOdNwQKOPhdM1k4ZOdg7WUYDi2iQUmYpD2SOzRAx/SoDK7 +N0qd7Cy7mZBLbmm1zbCGDPhvNVYCKQjPjhiZ1GhfzUQ2n9bBOGLf2K1d/N0cttFH +/MfJoi2yRlU3iJE2DOJeD0/m4sJLmTL/7sqYEP9W2939oVH0Bku/KoJG4I4rZLDl +6yoKTxtyJGxbw8N2M/ObFpCQwn56Vjf2oo1LhIdBb+T48OwSwxuwrtw4VnlUnVLo +oJ5UA1VnazoyU6AwADpHkGPEPvRF1SUXfOuIOoHiZZ6O3eHdoeD3e2HqLQhoYVCj +PMEi/k45jPnWWhwV76I65Ig02YRgzhMTSunjXLQhi44Eeavf1SxHTJpSHuVjg3zu +MDDW55yB+wJvoetwCg3IkFPfmFBmto679xywDCKVd9VYeKoFsiVE4F/APqf6hN7o +qO8etL5oXnwjNsm9Tf8vImoWrBw2gRYkSieG+Vsx4r2r5JNHKRg1AVmRdihI1ATb +canMZYhLMD6A1x5T54Ya +=UPeI +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:13/tcp-9.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:13/tcp-9.patch Tue Jul 21 23:51:20 2015 (r47036) @@ -0,0 +1,31 @@ +Index: sys/netinet/tcp_output.c +=================================================================== +--- sys/netinet/tcp_output.c (revision 285435) ++++ sys/netinet/tcp_output.c (working copy) +@@ -397,7 +397,7 @@ after_sack_rexmit: + flags &= ~TH_FIN; + } + +- if (len < 0) { ++ if (len <= 0) { + /* + * If FIN has been sent but not acked, + * but we haven't been called to retransmit, +@@ -407,9 +407,16 @@ after_sack_rexmit: + * to (closed) window, and set the persist timer + * if it isn't already going. If the window didn't + * close completely, just wait for an ACK. ++ * ++ * We also do a general check here to ensure that ++ * we will set the persist timer when we have data ++ * to send, but a 0-byte window. This makes sure ++ * the persist timer is set even if the packet ++ * hits one of the "goto send" lines below. + */ + len = 0; +- if (sendwin == 0) { ++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) && ++ (off < (int) so->so_snd.sb_cc)) { + tcp_timer_activate(tp, TT_REXMT, 0); + tp->t_rxtshift = 0; + tp->snd_nxt = tp->snd_una; Added: head/share/security/patches/SA-15:13/tcp-9.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:13/tcp-9.patch.asc Tue Jul 21 23:51:20 2015 (r47036) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAABCgAGBQJVrtn5AAoJEO1n7NZdz2rnZNAP/isVEBX+KzcSl9/mQffRZXz2 ++dujbMeZn0eVBF2e8y+DaWWkaBPTjwKZBfAuaM+VAKaQ/Gb4wM5d5vaDlPS1c+qw +ZsFDs7glL+szJY7OdodBRGnkAP4+aXcJhd5pLjqBQ37ZwaahpYXR6VD40WBrk9Xg +b3IhftGkhkjCJhEeZ9ct/K8CqN31XSRwD2SX7aHkLODLEC5kOIoV5cxv5F4BgN+B +gSbryW6ZcxExP0KABTthHamF24G9n1GTeEAZuGXJvOjJBu3co8XCHQp5ELbuP/lN +UVeTwiyEgq7XiacwfLPCSKTfhEvymq3PlJHMzXq3AiTwbvP3xGaCoxxOMI/SUsBh +JNs0Fi3ZfiPn8WAJTnf0E/xqEq6qkLTjMOYX9vXDC1HQElwCPv4SpMJ0pkvP7Hl4 +68EV+Ohrp4jGOYtUol7JardMHtnUUd4rs3TkutKcgy7I49/4FKQ8UFyf13DCxA01 +X0oxTdYoY9HwoRdIkJj+mcKiAFXAfrwoDWaZj6L6dZwXWg12N3c5f1i6vokczmaq +lK28ui8u4LtUgfoU+FfXzwPT5zfQXG5JGr4ehwOCN1MvGJSbMMMmII3RgfrXAb/H +/W+su8oCHCuHV2vRRClGKL80oVgt63LfHqUFY8QyQnmDqe+VOHsHiQQ5IGXHxJU3 +AiZDOe38k8NCOFahQtio +=CFEV +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:13/tcp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:13/tcp.patch Tue Jul 21 23:51:20 2015 (r47036) @@ -0,0 +1,31 @@ +Index: sys/netinet/tcp_output.c +=================================================================== +--- sys/netinet/tcp_output.c (revision 285435) ++++ sys/netinet/tcp_output.c (working copy) +@@ -400,7 +400,7 @@ after_sack_rexmit: + flags &= ~TH_FIN; + } + +- if (len < 0) { ++ if (len <= 0) { + /* + * If FIN has been sent but not acked, + * but we haven't been called to retransmit, +@@ -410,9 +410,16 @@ after_sack_rexmit: + * to (closed) window, and set the persist timer + * if it isn't already going. If the window didn't + * close completely, just wait for an ACK. ++ * ++ * We also do a general check here to ensure that ++ * we will set the persist timer when we have data ++ * to send, but a 0-byte window. This makes sure ++ * the persist timer is set even if the packet ++ * hits one of the "goto send" lines below. + */ + len = 0; +- if (sendwin == 0) { ++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) && ++ (off < (int) so->so_snd.sb_cc)) { + tcp_timer_activate(tp, TT_REXMT, 0); + tp->t_rxtshift = 0; + tp->snd_nxt = tp->snd_una; Added: head/share/security/patches/SA-15:13/tcp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:13/tcp.patch.asc Tue Jul 21 23:51:20 2015 (r47036) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAABCgAGBQJVrtn8AAoJEO1n7NZdz2rnTxgP/RaL03Wk7bJDuusYOT5i/QYz +t09p23Xf1dTayN/6CJQj9knt9Dp7CnX7Yjev/R+MEWOvEbYg4hP5iqpPRK4pIpAZ +yfq6jO5w1Fis5GA8sYW6MEgQd9LOCeqTLHL/rJjiqwpMR0KwV82gNvKu4vwAfBqO +sZZ3tNutRS0Kx22dt4rHXnZz08ldPvRF697XTJ858BSZcpqKVouUAM/7MrJ+HQCL +51v4mLX5ewhuJ/Z1/sMPIfbQ4j1JceIG11xAeNkDwaC4MXkKrHkZK0PuLIBwyPKK +nezCQ9UveoMSkVhelgkeb+QVTDwwiVBFCMBOD4acs7aswRNwNJO3faMmlf2oGFbG +64tbIIH3AKKa7Q6Qd/agfoxFzSSdMGK0MuHauJOsiacPQqa5pO3wKoeFSobEQSQO +XY2n+t763PpDdDmqjroqOcEemsN5cMbr8B3fil5e1sihN1df/Jkw4Ifz6s4R0SYI +wo2mCurcygiUVoWuitNsPlDrPPh0EAwxcjmSOLgxsVukZKQRXgm3vx1zfyuyN3z/ +KZQERfspSRakM9nVuk7usJr2J4RwPJrEtYhu8hjlPVmZEAaQSCJYtmwj3LYiyUc0 +4Pq1tSqlfz5Oba13Q2W+09FuctLiobXhCftsYeodOfuofWLqQmi3B4A4nz3jBUI7 +zQj83z7/kojfqRNHhYNf +=WBT+ +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Jul 21 17:55:37 2015 (r47035) +++ head/share/xml/advisories.xml Tue Jul 21 23:51:20 2015 (r47036) @@ -11,6 +11,14 @@ 7 + 21 + + + FreeBSD-SA-15:13.tcp + + + + 9