Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch')
| -rw-r--r-- | sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..c0ed4454afd3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From f461686078d2f472572e083400419a6af0938ad8 Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 110/113] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. 
An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N. 
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+ |
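Review bot: The new knob is registered in the global `ipv4_table` (sysctl_net_ipv4.c hunk) and backed by a plain file-scope `int sysctl_tcp_simult_connect` in tcp_input.c, so it is host-wide rather than per network namespace and cannot be tuned from inside a container, yet neither the Kconfig help nor the ip-sysctl.rst entry says so. I would add to the rst entry a line such as `This sysctl is global, not per network namespace.` and mirror it in the Kconfig help. In tcp_rcv_synsent_state_process the disabled case presumably falls through to the function's existing discard handling below the hunk with no counter or log, so an operator cannot tell a dropped crossed SYN from any other discard; a comment at the changed condition, e.g. `/* Crossed SYN with tcp_simult_connect=0: not handled here, discarded below. */`, would at least make the intent explicit to the next reader. The enclosing function starts and ends outside the hunk.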
