Early Access — Mondoo Vulnerability Intelligence is currently in preview.
In the Linux kernel, the following vulnerability has been resolved:
icmp: change the order of rate limits
ICMP messages are ratelimited :
After the blamed commits, the two rate limiters are applied in this order:
host wide ratelimit (icmp_global_allow())
Per destination ratelimit (inetpeer based)
In order to avoid side-channels attacks, we need to apply the per destination check first.
This patch makes the following change :
icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3)
The per destination limit is checked/updated. This might add a new node in inetpeer tree.
icmp_global_consume() consumes tokens if prior operations succeeded.
This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS.
As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.
Exploitability
AV:LAC:LPR:LUI:NScope
S:UImpact
C:HI:NA:N5.5/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N