Add SA-15:13.tcp.

svn path=/head/; revision=47036

share/security/advisories/FreeBSD-SA-15:13.tcp.asc

@@ -0,0 +1,165 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:13.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Resource exhaustion due to sessions stuck in LAST_ACK state
+
+Category:       core
+Module:         inet
+Announced:      2015-07-21
+Credits:        Lawrence Stewart (Netflix, Inc.),
+                Jonathan Looney (Juniper SIRT)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-07-21 23:42:17 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA1-p1)
+                2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA2-p1)
+                2015-07-21 23:42:56 UTC (releng/10.1, 10.1-RELEASE-p15)
+                2015-07-21 23:42:20 UTC (stable/9, 9.3-STABLE)
+                2015-07-21 23:42:56 UTC (releng/9.3, 9.3-RELEASE-p20)
+                2015-07-21 23:42:20 UTC (stable/8, 8.4-STABLE)
+                2015-07-21 23:42:56 UTC (releng/8.4, 8.4-RELEASE-p34)
+CVE Name:       CVE-2015-5358
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.
+
+A socket enters the LAST_ACK state when the local process closes its socket
+after a FIN has already been received from the remote peer.  The socket
+will remain in the LAST_ACK state until the kernel has transmitted a FIN to
+the remote peer and the kernel has received an acknowledgement of that FIN
+from the remote peer, or all retransmits of the FIN have failed and the
+connection times out.
+
+II.  Problem Description
+
+TCP connections transitioning to the LAST_ACK state can become permanently
+stuck due to mishandling of protocol state in certain situations, which in
+turn can lead to accumulated consumption and eventual exhaustion of system
+resources, such as mbufs and sockets.
+
+III. Impact
+
+An attacker who can repeatedly establish TCP connections to a victim system
+(for instance, a Web server) could create many TCP connections that are
+stuck in LAST_ACK state and cause resource exhaustion, resulting in a
+denial of service condition.  This may also happen in normal operation
+where no intentional attack is conducted, but an attacker who can send
+specifically crafted packets can trigger this more reliably.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not provide TCP based
+service to untrusted networks are not vulnerable.
+
+Note that the tcpdrop(8) utility can be used to purge connections which
+have become wedged.  For example, the following command can be used to
+generate commands that would drop all connections whose last rcvtime is
+more than 100s:
+
+	netstat -nxp tcp | \
+	awk '{ if (int($NF) > 100) print "tcpdrop " $4 " " $5 }'
+
+The system administrator can then run the generated script as a temporary
+measure.  Please refer to the tcpdump(8) manual page for additional
+information.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+[FreeBSD 9.x and 8.x]
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch.asc
+# gpg --verify tcp-9.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285779
+releng/8.4/                                                       r285780
+stable/9/                                                         r285779
+releng/9.3/                                                       r285780
+stable/10/                                                        r285778
+releng/10.1/                                                      r285780
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5358>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:13.tcp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVrtnrAAoJEO1n7NZdz2rnchoQAMUV9fuXsBvQgvugFVpoe4HP
+t7tTIzKKmvC3SVOQfPF6jQllVL9qbRJK9zVdFcGX0Iy07/QPKMIRIFXqiYmRwyXt
+YEuZtZMHEo6w5YS/gEwSndGRFduFAfhaNZndycjA3O5nxR16cvqScDUAv0nErQGD
+jJzhjbwdrT4fLg06PgLOdNwQKOPhdM1k4ZOdg7WUYDi2iQUmYpD2SOzRAx/SoDK7
+N0qd7Cy7mZBLbmm1zbCGDPhvNVYCKQjPjhiZ1GhfzUQ2n9bBOGLf2K1d/N0cttFH
+/MfJoi2yRlU3iJE2DOJeD0/m4sJLmTL/7sqYEP9W2939oVH0Bku/KoJG4I4rZLDl
+6yoKTxtyJGxbw8N2M/ObFpCQwn56Vjf2oo1LhIdBb+T48OwSwxuwrtw4VnlUnVLo
+oJ5UA1VnazoyU6AwADpHkGPEPvRF1SUXfOuIOoHiZZ6O3eHdoeD3e2HqLQhoYVCj
+PMEi/k45jPnWWhwV76I65Ig02YRgzhMTSunjXLQhi44Eeavf1SxHTJpSHuVjg3zu
+MDDW55yB+wJvoetwCg3IkFPfmFBmto679xywDCKVd9VYeKoFsiVE4F/APqf6hN7o
+qO8etL5oXnwjNsm9Tf8vImoWrBw2gRYkSieG+Vsx4r2r5JNHKRg1AVmRdihI1ATb
+canMZYhLMD6A1x5T54Ya
+=UPeI
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:13/tcp-9.patch

@@ -0,0 +1,31 @@
+Index: sys/netinet/tcp_output.c
+===================================================================
+--- sys/netinet/tcp_output.c	(revision 285435)
++++ sys/netinet/tcp_output.c	(working copy)
+@@ -397,7 +397,7 @@ after_sack_rexmit:
+ 		flags &= ~TH_FIN;
+ 	}
+ 
+-	if (len < 0) {
++	if (len <= 0) {
+ 		/*
+ 		 * If FIN has been sent but not acked,
+ 		 * but we haven't been called to retransmit,
+@@ -407,9 +407,16 @@ after_sack_rexmit:
+ 		 * to (closed) window, and set the persist timer
+ 		 * if it isn't already going.  If the window didn't
+ 		 * close completely, just wait for an ACK.
++		 *
++		 * We also do a general check here to ensure that
++		 * we will set the persist timer when we have data
++		 * to send, but a 0-byte window. This makes sure
++		 * the persist timer is set even if the packet
++		 * hits one of the "goto send" lines below.
+ 		 */
+ 		len = 0;
+-		if (sendwin == 0) {
++		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++			(off < (int) so->so_snd.sb_cc)) {
+ 			tcp_timer_activate(tp, TT_REXMT, 0);
+ 			tp->t_rxtshift = 0;
+ 			tp->snd_nxt = tp->snd_una;

share/security/patches/SA-15:13/tcp-9.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVrtn5AAoJEO1n7NZdz2rnZNAP/isVEBX+KzcSl9/mQffRZXz2
++dujbMeZn0eVBF2e8y+DaWWkaBPTjwKZBfAuaM+VAKaQ/Gb4wM5d5vaDlPS1c+qw
+ZsFDs7glL+szJY7OdodBRGnkAP4+aXcJhd5pLjqBQ37ZwaahpYXR6VD40WBrk9Xg
+b3IhftGkhkjCJhEeZ9ct/K8CqN31XSRwD2SX7aHkLODLEC5kOIoV5cxv5F4BgN+B
+gSbryW6ZcxExP0KABTthHamF24G9n1GTeEAZuGXJvOjJBu3co8XCHQp5ELbuP/lN
+UVeTwiyEgq7XiacwfLPCSKTfhEvymq3PlJHMzXq3AiTwbvP3xGaCoxxOMI/SUsBh
+JNs0Fi3ZfiPn8WAJTnf0E/xqEq6qkLTjMOYX9vXDC1HQElwCPv4SpMJ0pkvP7Hl4
+68EV+Ohrp4jGOYtUol7JardMHtnUUd4rs3TkutKcgy7I49/4FKQ8UFyf13DCxA01
+X0oxTdYoY9HwoRdIkJj+mcKiAFXAfrwoDWaZj6L6dZwXWg12N3c5f1i6vokczmaq
+lK28ui8u4LtUgfoU+FfXzwPT5zfQXG5JGr4ehwOCN1MvGJSbMMMmII3RgfrXAb/H
+/W+su8oCHCuHV2vRRClGKL80oVgt63LfHqUFY8QyQnmDqe+VOHsHiQQ5IGXHxJU3
+AiZDOe38k8NCOFahQtio
+=CFEV
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:13/tcp.patch

@@ -0,0 +1,31 @@
+Index: sys/netinet/tcp_output.c
+===================================================================
+--- sys/netinet/tcp_output.c	(revision 285435)
++++ sys/netinet/tcp_output.c	(working copy)
+@@ -400,7 +400,7 @@ after_sack_rexmit:
+ 		flags &= ~TH_FIN;
+ 	}
+ 
+-	if (len < 0) {
++	if (len <= 0) {
+ 		/*
+ 		 * If FIN has been sent but not acked,
+ 		 * but we haven't been called to retransmit,
+@@ -410,9 +410,16 @@ after_sack_rexmit:
+ 		 * to (closed) window, and set the persist timer
+ 		 * if it isn't already going.  If the window didn't
+ 		 * close completely, just wait for an ACK.
++		 *
++		 * We also do a general check here to ensure that
++		 * we will set the persist timer when we have data
++		 * to send, but a 0-byte window. This makes sure
++		 * the persist timer is set even if the packet
++		 * hits one of the "goto send" lines below.
+ 		 */
+ 		len = 0;
+-		if (sendwin == 0) {
++		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++			(off < (int) so->so_snd.sb_cc)) {
+ 			tcp_timer_activate(tp, TT_REXMT, 0);
+ 			tp->t_rxtshift = 0;
+ 			tp->snd_nxt = tp->snd_una;

share/security/patches/SA-15:13/tcp.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVrtn8AAoJEO1n7NZdz2rnTxgP/RaL03Wk7bJDuusYOT5i/QYz
+t09p23Xf1dTayN/6CJQj9knt9Dp7CnX7Yjev/R+MEWOvEbYg4hP5iqpPRK4pIpAZ
+yfq6jO5w1Fis5GA8sYW6MEgQd9LOCeqTLHL/rJjiqwpMR0KwV82gNvKu4vwAfBqO
+sZZ3tNutRS0Kx22dt4rHXnZz08ldPvRF697XTJ858BSZcpqKVouUAM/7MrJ+HQCL
+51v4mLX5ewhuJ/Z1/sMPIfbQ4j1JceIG11xAeNkDwaC4MXkKrHkZK0PuLIBwyPKK
+nezCQ9UveoMSkVhelgkeb+QVTDwwiVBFCMBOD4acs7aswRNwNJO3faMmlf2oGFbG
+64tbIIH3AKKa7Q6Qd/agfoxFzSSdMGK0MuHauJOsiacPQqa5pO3wKoeFSobEQSQO
+XY2n+t763PpDdDmqjroqOcEemsN5cMbr8B3fil5e1sihN1df/Jkw4Ifz6s4R0SYI
+wo2mCurcygiUVoWuitNsPlDrPPh0EAwxcjmSOLgxsVukZKQRXgm3vx1zfyuyN3z/
+KZQERfspSRakM9nVuk7usJr2J4RwPJrEtYhu8hjlPVmZEAaQSCJYtmwj3LYiyUc0
+4Pq1tSqlfz5Oba13Q2W+09FuctLiobXhCftsYeodOfuofWLqQmi3B4A4nz3jBUI7
+zQj83z7/kojfqRNHhYNf
+=WBT+
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,14 @@
     <month>
       <name>7</name>
 
+      <day>
+        <name>21</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:13.tcp</name>
+        </advisory>
+      </day>
+
       <day>
         <name>9</name>