myhack58 | 佚名 (Anonymous) | MYHACK58:62201994611
Jun 19, 2019 - 12:00 a.m.

CVE-2019-11477: Linux kernel TCP SACK mechanism remote DoS early warning analysis - vulnerability warning - the black bar safety net

www.myhack58.com

EPSS: 0.974 (percentile 99.9%)

0x00 Vulnerability description
On June 18, 2019, the Red Hat official website released a report: security researchers found three vulnerabilities in the Linux kernel module that handles TCP SACK packets, assigned CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479. Of these, CVE-2019-11477 can reduce system operating efficiency and may be used by a remote attacker for denial-of-service attacks; the extent of the impact is serious.
360CERT has determined that the vulnerability has a wide impact and causes serious harm, and recommends that all users update promptly.
Vulnerability details
SACK (Selective ACK) is a TCP option that lets the receiver tell the sender which segments were lost and need retransmission, and which segments were already received ahead of them. Based on this information, TCP retransmits only the segments that were really lost. Note that a SACK is only sent when out-of-order segments have been received; the normal TCP ACK is still based on cumulative acknowledgment.
A Linux SKB can hold up to 17 fragments:
linux/include/linux/skbuff.h
#define MAX_SKB_FRAGS (65536/PAGE_SIZE + 1)  /* => 17 */
Each fragment can hold at most 32KB of data on x86 (64KB on PowerPC). When a packet is to be sent it is placed in the send queue, and its details are stored in the control buffer structure:
linux/include/linux/skbuff.h
struct tcp_skb_cb {
    __u32 seq;        /* Starting sequence number */
    __u32 end_seq;    /* SEQ + FIN + SYN + datalen */
    __u32 tcp_tw_isn;
    struct {
        u16 tcp_gso_segs;
        u16 tcp_gso_size;
    };
    __u8 tcp_flags;   /* TCP header flags. (tcp[13]) */

};
tcp_gso_segs records the number of segments in the packet; its type is u16, so it can record at most 65526. But the SACK mechanism allows TCP retransmission to merge multiple SKBs in the queue, which can fill all 17 fragments to maximum capacity: 17 * 32 * 1024 / 8 = 69632 segments. This causes an integer overflow of tcp_gso_segs, which triggers a BUG_ON() call and crashes the kernel.
static bool tcp_shifted_skb (struct sock *sk, …, unsigned int pcount, …)
{
    …
    tcp_skb_pcount_add(prev, pcount);
    BUG_ON(tcp_skb_pcount(skb) < pcount);   /* SACK panic */
    tcp_skb_pcount_add(skb, -pcount);
    …
}
An attacker can send a series of specially crafted SACK packets to trigger this integer overflow in the kernel module, resulting in a remote denial of service.
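As an added illustration (a constructed model, not kernel code and not from the advisory), the arithmetic above carried through in C: a u16 stand-in for tcp_gso_segs receives the 69632 segments of a fully packed SKB and wraps, and beside it a merge guard modelled on the tcp_skb_shift() check in the first patch linked in the repair section below refuses the same merge. The struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the SACK-panic overflow (not kernel code); constants mirror the advisory. */
#define MAX_SKB_FRAGS    17           /* 65536 / PAGE_SIZE + 1 on 4 KB pages */
#define FRAG_BYTES       (32 * 1024)  /* bytes of data per fragment on x86   */
#define TCP_MIN_GSO_SIZE 8            /* smallest segment a peer can force   */

struct skb_model {                    /* stand-in for part of struct tcp_skb_cb */
    unsigned len;                     /* bytes queued in this SKB */
    uint16_t tcp_gso_segs;            /* segment count: 16 bits, wraps past 65535 */
};

/* Segments in a fully packed SKB: 17 * 32 * 1024 / 8 = 69632, more than a u16 holds. */
static unsigned full_skb_segments(unsigned mss)
{
    return MAX_SKB_FRAGS * FRAG_BYTES / mss;
}

/* Unpatched: tcp_skb_pcount_add() stores the sum back into the u16, so merging
 * `pcount` segments silently truncates the count. Returns 1 when the stored count
 * no longer covers what was merged, the inconsistent state that reaches the BUG_ON(). */
static int merge_unpatched(struct skb_model *to, unsigned pcount, unsigned bytes)
{
    to->len += bytes;
    to->tcp_gso_segs += pcount;       /* 69632 wraps to 4096 */
    return to->tcp_gso_segs < pcount;
}

/* Patched, modelled on the tcp_skb_shift() guard in the first patch linked below:
 * refuse the merge before the u16 can overflow. Returns 1 when the merge is accepted. */
static int merge_patched(struct skb_model *to, unsigned pcount, unsigned bytes)
{
    if (to->len + bytes >= 65535u * TCP_MIN_GSO_SIZE)
        return 0;
    if ((unsigned)to->tcp_gso_segs + pcount > 65535u)
        return 0;
    to->len += bytes;
    to->tcp_gso_segs += pcount;
    return 1;
}

int main(void)
{
    struct skb_model a = {0, 0}, b = {0, 0};
    unsigned segs = full_skb_segments(TCP_MIN_GSO_SIZE);
    printf("full SKB: %u segments; unpatched BUG_ON condition: %d; patched merge accepted: %d\n",
           segs, merge_unpatched(&a, segs, segs * TCP_MIN_GSO_SIZE),
           merge_patched(&b, segs, segs * TCP_MIN_GSO_SIZE));
    return 0;
}
```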

0x01 Affected versions
Linux kernel 2.6.29 and later are affected.

0x02 Remediation
(1) Apply the patch promptly
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1_4.patch
Linux kernel versions >= 4.14 also need the second patch:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1a.patch
(2) Disable SACK processing
echo 0 > /proc/sys/net/ipv4/tcp_sack
(3) Use filters to block the attack
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/README.md
This mitigation is only effective when TCP MTU probing is disabled, i.e. the net.ipv4.tcp_mtu_probing sysctl is set to 0 in /etc/sysctl.conf.
(4) Red Hat users can use the following script to check whether their system is affected
https://access.redhat.com/sites/default/files/cve-2019-11477-2019-06-17-1629.sh