From nobody Wed Oct 18 03:40:39 2023
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274550] Reporting side channels in TCP/UDP/ICMP implementation
Date: Wed, 18 Oct 2023 03:40:39 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-RELEASE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274550

            Bug ID: 274550
           Summary: Reporting side channels in TCP/UDP/ICMP implementation
           Product: Base System
           Version: 13.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: fqy5067@psu.edu

We are writing to report several potential side-channel vulnerabilities in
FreeBSD kernel version 13.2. Each potential vulnerability is identified by a
static code analysis tool that we have developed to detect potential side
channels in TCP and UDP protocols. In the settings, we have marked port number
(TCP, UDP), sequence number (TCP) and acknowledgment number (TCP) as sensitive
information.

Each identified branch below might leak sensitive information (as in the
settings mentioned above) to an off-path attacker. **While the reported
branches have information leakage from the perspective of static analysis, it
is still unclear whether it is possible to construct an attack.** For each
branch in the program, we provide what information is leaked (WHAT), how an
attacker can reveal the information (HOW), and a description of a potential
packet that could trigger the branch condition (INPUT):

1. (patched) /sys/netinet/udp_usrreq.c: L614, in udp_input()
   INPUT: UDP pkt with guessed port number
   WHAT: whether the guessed port number is correct
   HOW: ICMP pkt vs NULL

2. /sys/netinet/tcp_input.c: L3299, in tcp_do_segment()
   INPUT: ACK pkt to a connection in LAST-ACK
   WHAT: whether the guessed sequence number is in-window
   HOW: TCP pkt vs NULL

3. /sys/netinet/tcp_input.c: L2583, in tcp_do_segment()
   INPUT: ACK pkt to a connection in LAST-ACK
   WHAT: whether the guessed acknowledgment number is in-window
   HOW: TCP pkt vs NULL

4. /sys/netinet/tcp_input.c: L1937, in tcp_do_segment()
   INPUT: ATK pkt to an ESTABLISHED connection
   WHAT: whether the guessed sequence number is in-window
   HOW: Immediate ACK vs Delayed ACK

5. /sys/netinet/tcp_input.c: L1870, in tcp_do_segment()
   INPUT: ATK pkt to an ESTABLISHED connection
   WHAT: whether the guessed acknowledgment number is in-window
   HOW: TCP pkt vs NULL

6. /sys/netinet/tcp_input.c: L2470, in tcp_do_segment()
   INPUT: ACK pkt to a connection in LAST-ACK when V_tcp_do_rfc3042 is enabled
   WHAT: whether the guessed acknowledgment number is in-window
   HOW: TCP pkt vs NULL

7. /sys/netinet/tcp_input.c: L3328, in tcp_do_segment()
   INPUT: ACK pkt to a connection in SYN-RCVD
   WHAT: whether the guessed port has an active connection
   HOW: TCP RST pkt vs NULL

8. /sys/netinet/ip_icmp.c: L1149, in badport_bandlim()
   INPUT: pkt that triggers any of the limits (TCP bad port, UDP bad port, etc.)
   WHAT: whether the guessed port has an active connection
   HOW: triggered response (TCP/ICMP) pkt vs NULL

9. /sys/netinet/tcp_input.c: L2161, in tcp_do_segment()
   INPUT: RST pkt to a non LISTEN/SYN-SENT connection
   WHAT: whether the guessed sequence number is smaller than expected
   HOW: Challenge ACK vs NULL

10. /sys/netinet/tcp_input.c: L2795, in tcp_do_segment()
    INPUT: ACK pkt to an ESTABLISHED connection
    WHAT: whether the guessed acknowledgment number is in-window
    HOW: TCP pkt vs NULL

(1)(8) may result in leakage of UDP connection identifiers. (2)-(10) may
result in leakage of TCP connection identifiers.

We are reporting these findings for ethical reasons, and would like to hear
your opinion on the above vulnerabilities, if any. Please let us know if you
need more information.

-- 
You are receiving this mail because:
You are the assignee for the bug.
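An added illustration, not part of the bug report above and not FreeBSD code: the RFC 793 segment-acceptance and ACK-acceptability tests that the entries above call "in-window", written with the 32-bit wrap-around comparison TCP stacks use. The accept/drop outcome of these tests is the branch whose observable consequences (reply vs no reply, immediate vs delayed ACK) the report flags; the function names are my own, and every input below is constructed.

```python
# Added example (not from the bug report): model of the "in-window" checks
# in RFC 793 section 3.3, using wrap-safe 32-bit sequence arithmetic.
MOD = 1 << 32
HALF = 1 << 31


def seq_lt(a: int, b: int) -> bool:
    """True if 32-bit sequence number a precedes b (wrap-safe, like SEQ_LT)."""
    return ((a - b) % MOD) >= HALF


def seq_leq(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)


def seq_in_window(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: does any byte of the segment fall inside
    [RCV.NXT, RCV.NXT + RCV.WND)?  Four cases by segment length and window."""
    wnd_end = (rcv_nxt + rcv_wnd) % MOD
    if seg_len == 0 and rcv_wnd == 0:
        return seg_seq == rcv_nxt          # only an exact-match probe is accepted
    if seg_len == 0:
        return seq_leq(rcv_nxt, seg_seq) and seq_lt(seg_seq, wnd_end)
    if rcv_wnd == 0:
        return False                       # no room for data at all
    first_ok = seq_leq(rcv_nxt, seg_seq) and seq_lt(seg_seq, wnd_end)
    last = (seg_seq + seg_len - 1) % MOD
    last_ok = seq_leq(rcv_nxt, last) and seq_lt(last, wnd_end)
    return first_ok or last_ok             # partial overlap counts as acceptable


def ack_acceptable(seg_ack: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA < SEG.ACK <= SND.NXT: ACK covers something sent and nothing beyond."""
    return seq_lt(snd_una, seg_ack) and seq_leq(seg_ack, snd_nxt)


if __name__ == "__main__":
    # Constructed state: receiver expects 1000 with a 100-byte window.
    for seq in (999, 1000, 1050, 1099, 1100):
        print(f"seq={seq}: {'accept' if seq_in_window(seq, 0, 1000, 100) else 'drop'}")
```

The two return values are what a static analyser marks as the leaking branch: whatever the kernel does differently on `True` versus `False` (send, delay, or stay silent) is the observable the report lists under HOW.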