HBSD: Provide workarounds for ICMP and IPv4 frag bugs
FreeBSD is vulnerable to the XNU ICMP bug due to the
net.inet.icmp.quotelen sysctl node being increased from 8 to 548. The
author of the referenced report below suggests decreasing the ICMP quote
length back down to 8 until a real fix is provided.

In the same report, the author hints at an IPv4 reassembly issue and
suggests setting the net.inet.ip.maxfragsperpacket sysctl node to 0.
Perform this workaround as well.

This commit is only temporary until we at HardenedBSD get the time to
investigate and provide a real fix. Once a fix is provided, this commit
may be able to be reverted.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by:	SoldierX
Reported-by:	https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/
MFC-to:		12-STABLE
MFC-to:		11-STABLE
lattera committed Nov 8, 2018
1 parent b425aa6 commit d60f241
Showing 2 changed files with 10 additions and 0 deletions.
5 changes: 5 additions & 0 deletions sys/netinet/ip_icmp.c
@@ -35,6 +35,7 @@
__FBSDID("$FreeBSD$");

#include "opt_inet.h"
#include "opt_pax.h"

#include <sys/param.h>
#include <sys/systm.h>
@@ -139,8 +140,12 @@ VNET_DEFINE_STATIC(int, icmp_rfi) = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, reply_from_interface, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(icmp_rfi), 0,
"ICMP reply from incoming interface for non-local packets");
#ifdef PAX_HARDENING
VNET_DEFINE_STATIC(int, icmp_quotelen) = 8;
#else
/* Router requirements RFC 1812 section 4.3.2.3 requires 576 - 28. */
VNET_DEFINE_STATIC(int, icmp_quotelen) = 548;
#endif /* PAX_HARDENING */
#define V_icmp_quotelen VNET(icmp_quotelen)
SYSCTL_INT(_net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(icmp_quotelen), 0,
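Review bot: the RFC 1812 comment now lives only under the `#else`, so the `PAX_HARDENING` branch at `VNET_DEFINE_STATIC(int, icmp_quotelen) = 8;` carries no explanation of why it deliberately drops below the 576 - 28 that the comment says routers require; add a comment on the `#ifdef` side stating that this is the temporary workaround for the quoted-data bug and pointing at the referenced report, so a later reader does not "correct" it back to 548. Note also that the `quotelen` sysctl below stays `CTLFLAG_RW`, so this hunk changes only the default: a host whose sysctl.conf already sets net.inet.icmp.quotelen=548 will reintroduce the exposure on boot, which is worth calling out in the commit message.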
5 changes: 5 additions & 0 deletions sys/netinet/ip_reass.c
@@ -34,6 +34,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pax.h"
#include "opt_rss.h"

#include <sys/param.h>
@@ -526,7 +527,11 @@ ipreass_init(void)
V_ipq[i].count = 0;
}
V_ipq_hashseed = arc4random();
#ifdef PAX_HARDENING
V_maxfragsperpacket = 0;
#else
V_maxfragsperpacket = 16;
#endif
V_ipq_zone = uma_zcreate("ipq", sizeof(struct ipq), NULL, NULL, NULL,
NULL, UMA_ALIGN_PTR, 0);
max = IP_MAXFRAGPACKETS;
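Review bot: `V_maxfragsperpacket = 0;` under `PAX_HARDENING` is left without a comment, and this `#endif` lacks the `/* PAX_HARDENING */` trailer the ip_icmp.c hunk uses; add a comment stating that the zero value is the temporary workaround from the referenced report and what effect a zero fragment limit has on reassembly, and match the `#endif` style between the two files. Since the assignment is made only in `ipreass_init()`, it sets the boot-time default and the net.inet.ip.maxfragsperpacket sysctl named in the commit message can still be raised at runtime; consider documenting the hardened default where that sysctl is declared as well.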

4 comments on commit d60f241

@lattera

@lattera lattera commented on d60f241 Nov 8, 2018


@opntr ACK/NACK on MFC

@opntr-auto

@opntr-auto opntr-auto commented on d60f241 Nov 8, 2018 via email


@lattera

@lattera lattera commented on d60f241 Nov 8, 2018


Details in the referenced reddit article: https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/

More details in the FreeBSD commit: https://reviews.freebsd.org/rS340260

In the patch review (https://reviews.freebsd.org/D17909), FreeBSD mentioned concern regarding fragility of their fix. They suggest a full audit. I suggest we both bring in FreeBSD's current fix along with this workaround until that full audit is performed and non-fragile fixes are committed.

@opntr-auto

@opntr-auto opntr-auto commented on d60f241 Nov 8, 2018 via email
