group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1811094] Re: iptables connlimit allows more connections than the limit when using multiple CPUs

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1811094@xxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Mar 2019 18:24:27 -0000
Reply-to: Bug 1811094 <1811094@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package linux - 3.13.0-166.216

---------------
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux
      packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * iptables connlimit allows more connections than the limit when using
    multiple CPUs (LP: #1811094)
    - netfilter: connlimit: improve packet-to-closed-connection logic
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2019-6133
    - fork: record start_time late

  * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS
    (LP: #1813001)
    - procfs: make /proc/*/{stack, syscall, personality} 0400

 -- Kleber Sacilotto de Souza <kleber.souza@xxxxxxxxxxxxx>  Thu, 07 Feb
2019 11:31:21 +0000

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

   * The fix is a backport from an upstream commit that resolves
     the problem (plus dependencies for a cleaner backport) that
     address the race condition:

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port 7777 to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb      # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb <server ip> <port> <target # connections> <# threads>
     <test output>

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 10.230.56.100 7777 6000 3
     1
     2
     3
     <...>
     6000
     Target reached. Thread finishing
     6001
     Target reached. Thread finishing
     6002
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 10.230.56.100 7777 6000 3
     1
     2
     3
     <...>
     2000
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
     failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] in
     stable mailing list, and was considered OK for 4.14, and that's
     essentially the same backport for 4.15 and 4.4.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions