From nobody Thu Feb 13 16:46:13 2025
Date: Thu, 13 Feb 2025 16:46:13 GMT
Message-Id: <202502131646.51DGkDoM041576@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: 1ed60133f6d6 - releng/13.5 - icmp: improve ICMP limit jitter
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.5
X-Git-Reftype: branch
X-Git-Commit: 1ed60133f6d6d38b69f09a2524410df5b80e3775
Auto-Submitted: auto-generated

The branch releng/13.5 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=1ed60133f6d6d38b69f09a2524410df5b80e3775

commit 1ed60133f6d6d38b69f09a2524410df5b80e3775
Author:     Gleb Smirnoff
AuthorDate: 2024-03-24 16:13:23 +0000
Commit:     Michael Tuexen
CommitDate: 2025-02-13 13:59:46 +0000

    icmp: improve ICMP limit jitter

    Instead of fixing up invalid values set by a user in badport_bandlim(),
    which is a fast path function, provide a sysctl handler
    sysctl_icmplim_and_jitter(), that will check that jitter is less than
    the limit. Provide jitter initialization function icmplim_new_jitter()
    used at boot, in the sysctl handler and when we actually hit the limit.
    This also fixes no jitter on a fresh booted system until first limit hit.

    Instead of CVE number provide link to the actual paper that explains
    what and why we are doing here. The CVE number isn't very informative,
    it will just tell you what RedHat version you need to upgrade to.
Reviewed by: kp, tuexen, zlei Differential Revision: https://reviews.freebsd.org/D44478 Approved by: re (cperciva) (cherry picked from commit ac44739fd834f51cacb26485a4140fd482e20150) (cherry picked from commit 18058544c65b83fffca9556d6d082e823585ef3d) --- sys/netinet/ip_icmp.c | 81 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 22 deletions(-) diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 199b76aa9ad6..0d671033b67c 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -81,19 +81,22 @@ * routines to turnaround packets back to the originator, and * host table maintenance routines. */ -VNET_DEFINE_STATIC(int, icmplim) = 200; +static int sysctl_icmplim_and_jitter(SYSCTL_HANDLER_ARGS); +VNET_DEFINE_STATIC(u_int, icmplim) = 200; #define V_icmplim VNET(icmplim) -SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_VNET | CTLFLAG_RW, - &VNET_NAME(icmplim), 0, - "Maximum number of ICMP responses per second"); +SYSCTL_PROC(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLTYPE_UINT | + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmplim), 0, + &sysctl_icmplim_and_jitter, "IU", + "Maximum number of ICMP responses per second"); VNET_DEFINE_STATIC(int, icmplim_curr_jitter) = 0; #define V_icmplim_curr_jitter VNET(icmplim_curr_jitter) -VNET_DEFINE_STATIC(int, icmplim_jitter) = 16; +VNET_DEFINE_STATIC(u_int, icmplim_jitter) = 16; #define V_icmplim_jitter VNET(icmplim_jitter) -SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_jitter, CTLFLAG_VNET | CTLFLAG_RW, - &VNET_NAME(icmplim_jitter), 0, - "Random icmplim jitter adjustment limit"); +SYSCTL_PROC(_net_inet_icmp, OID_AUTO, icmplim_jitter, CTLTYPE_UINT | + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmplim_jitter), 0, + &sysctl_icmplim_and_jitter, "IU", + "Random icmplim jitter adjustment limit"); VNET_DEFINE_STATIC(int, icmplim_output) = 1; #define V_icmplim_output VNET(icmplim_output) 
@@ -1098,6 +1101,52 @@ static const char *icmp_rate_descrs[BANDLIM_MAX] = { [BANDLIM_SCTP_OOTB] = "sctp ootb", }; +static void +icmplim_new_jitter(void) +{ + /* + * Adjust limit +/- to jitter the measurement to deny a side-channel + * port scan as in https://dl.acm.org/doi/10.1145/3372297.3417280 + */ + if (V_icmplim_jitter > 0) + V_icmplim_curr_jitter = + arc4random_uniform(V_icmplim_jitter * 2 + 1) - + V_icmplim_jitter; +} + +static int +sysctl_icmplim_and_jitter(SYSCTL_HANDLER_ARGS) +{ + uint32_t new; + int error; + bool lim; + + MPASS(oidp->oid_arg1 == &VNET_NAME(icmplim) || + oidp->oid_arg1 == &VNET_NAME(icmplim_jitter)); + + lim = (oidp->oid_arg1 == &VNET_NAME(icmplim)); + new = lim ? V_icmplim : V_icmplim_jitter; + error = sysctl_handle_int(oidp, &new, 0, req); + if (error == 0 && req->newptr) { + if (lim) { + if (new <= V_icmplim_jitter) + error = EINVAL; + else + V_icmplim = new; + } else { + if (new >= V_icmplim) + error = EINVAL; + else { + V_icmplim_jitter = new; + icmplim_new_jitter(); + } + } + } + MPASS(V_icmplim + V_icmplim_curr_jitter > 0); + + return (error); +} + static void icmp_bandlimit_init(void) { @@ -1106,6 +1155,7 @@ icmp_bandlimit_init(void) V_icmp_rates[i].cr_rate = counter_u64_alloc(M_WAITOK); V_icmp_rates[i].cr_ticks = ticks; } + icmplim_new_jitter(); } VNET_SYSINIT(icmp_bandlimit, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY, icmp_bandlimit_init, NULL); @@ -1133,9 +1183,6 @@ badport_bandlim(int which) KASSERT(which >= 0 && which < BANDLIM_MAX, ("%s: which %d", __func__, which)); - if ((V_icmplim + V_icmplim_curr_jitter) <= 0) - V_icmplim_curr_jitter = -V_icmplim + 1; - pps = counter_ratecheck(&V_icmp_rates[which], V_icmplim + V_icmplim_curr_jitter); if (pps > 0) { 
@@ -1144,17 +1191,7 @@ badport_bandlim(int which) "Limiting %s response from %jd to %d packets/sec\n", icmp_rate_descrs[which], (intmax_t )pps, V_icmplim + V_icmplim_curr_jitter); - /* - * Adjust limit +/- to jitter the measurement to deny a - * side-channel port scan as in CVE-2020-25705 - */ - if (V_icmplim_jitter > 0) { - int32_t inc = - arc4random_uniform(V_icmplim_jitter * 2 +1) - - V_icmplim_jitter; - - V_icmplim_curr_jitter = inc; - } + icmplim_new_jitter(); } if (pps == -1) return (-1);
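Review bot: In the first hunk (the SYSCTL_PROC declarations at line 81) the new invariant that icmplim_jitter must stay strictly below icmplim is enforced only by the handler and is not reflected anywhere a user can see it: the description strings "Maximum number of ICMP responses per second" and "Random icmplim jitter adjustment limit" are unchanged, so a sysctl write that now fails with EINVAL gives no hint why. Consider extending the descriptions (e.g. "... must be less than icmplim") or documenting the constraint in icmp(4).

Review bot: In the sysctl_icmplim_and_jitter() hunk, the final `MPASS(V_icmplim + V_icmplim_curr_jitter > 0);` no longer checks what its name suggests: V_icmplim is now u_int while V_icmplim_curr_jitter is int, so the sum is computed in unsigned arithmetic and the comparison only fails when the sum is exactly zero, not when the effective limit has gone negative. Since the handler already guarantees icmplim > icmplim_jitter >= |curr_jitter|, asserting that relation directly (`MPASS(V_icmplim > V_icmplim_jitter)`) or casting the sum to int would make the assertion meaningful. Separately, the handler only bounds jitter from above by icmplim, so a value near UINT_MAX/2 is accepted and `V_icmplim_jitter * 2 + 1` in icmplim_new_jitter() can wrap in u_int; an explicit upper bound on both values in the handler (INT_MAX/2 would be more than enough for a per-second rate) closes that off.

Review bot: In the icmp_bandlimit_init() hunk, calling icmplim_new_jitter() from the VNET_SYSINIT does fix the fresh-boot case and also gives every newly created vnet its own independent jitter, which is the right behaviour for the side-channel defence; it would be worth a one-line comment there, since a reader of the SYSINIT would otherwise not see why a random draw is taken at init time.

Review bot: In the two badport_bandlim() hunks, removing the in-line fix-up is fine now that the handler validates the values, but the surrounding context line still prints `V_icmplim + V_icmplim_curr_jitter` with `%d`; with V_icmplim now u_int that expression is unsigned, so the format should become `%u` (or the sum cast to int) to keep the log line and the counter_ratecheck() argument consistent with the new types.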