RE: [PATCH] Remove hardcoded static string length

From: David Laight
Date: Mon May 29 2023 - 09:32:18 EST

From: Jeffrey E Altman
> Sent: 27 May 2023 16:09
> On 5/25/2023 11:37 AM, Kenny Ho wrote:
> > On Thu, May 25, 2023 at 11:04 AM David Laight<David.Laight@xxxxxxxxxx> wrote:
> >>> "The standard formulation seems to be: <project> <version> built
> >>> <yyyy>-<mm>-<dd>"
> >> Which I don't recall the string actually matching?
> >> Also the people who like reproducible builds don't like __DATE__.
> > That's correct, it was not matching even when it was introduced. I am
> > simply taking that as people caring about the content and not simply
> > making rxrpc_version_string == UTS_RELEASE. The current format is:
> >
> > "linux-" UTS_RELEASE " AF_RXRPC"
> >
> > Kenny
> The RX_PACKET_TYPE_VERSION query is issued by the "rxdebug <host> <port>
> -version" command which prints the received string to stdout.   It has
> also been used some implementations to record the version of the peer.
> Although it is required that a response to the RX_PACKET_TYPE_VERSION
> query be issued, there is no requirement that the returned string
> contain anything beyond a single NUL octet.

Does that mean that the zero-padding/truncation to 65 bytes is bogus?
Additionally is the response supposed to the '\0' terminated?
The existing code doesn't guarantee that at all.

> Although it is convenient to be able to remotely identify the version of
> an Rx implementation, there are good reasons why this information should
> not be exposed to an anonymous requester:
> 1. Linux AF_RXRPC is part of the kernel.  As such, returning
> UTS_RELEASE identifies to potential attackers the explicit kernel
> version, architecture and perhaps distro.  As this query can be
> issued anonymously, this provides an information disclosure that can
> be used to target known vulnerabilities in the kernel.

I guess it could even be used as a probe to find more/interesting
systems to attack once inside the firewall.

> 2. The RX_PACKET_TYPE_VERSION reply is larger than the query by the
> number of octets in the version data.  As the query is received via
> udp with no reachability test, it means that the
> RX_PACKET_TYPE_VERSION query/response can be used to perform an 3.3x
> amplification attack: 28 octets in and potentially 93 octets out.
> With my security hat on I would suggest that either AF_RXRPC return a
> single NUL octet or the c-string "AF_RXRPC" and nothing more.

Is there any point including "AF_RXRPC"?
It is almost certainly implied by the message format.

Or the exact text from the standard - which might be:
"version string - to be supplied by O.E.M."
(I've seen hardware versions with strings like the above that
exactly match the datasheet....)

Limiting the version to (eg) 6.2 would give a hint to the
capabilities/bugs without giving away all the relative addresses
in something like a RHEL kernel.


Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)