RE: [PATCH] Remove hardcoded static string length

From: David Laight
Date: Mon May 29 2023 - 09:32:18 EST


From: Jeffrey E Altman
> Sent: 27 May 2023 16:09
>
> On 5/25/2023 11:37 AM, Kenny Ho wrote:
> > On Thu, May 25, 2023 at 11:04 AM David Laight<David.Laight@xxxxxxxxxx> wrote:
> >>> "The standard formulation seems to be: <project> <version> built
> >>> <yyyy>-<mm>-<dd>"
> >> Which I don't recall the string actually matching?
> >> Also the people who like reproducible builds don't like __DATE__.
> > That's correct, it was not matching even when it was introduced. I am
> > simply taking that as people caring about the content and not simply
> > making rxrpc_version_string == UTS_RELEASE. The current format is:
> >
> > "linux-" UTS_RELEASE " AF_RXRPC"
> >
> > Kenny
>
> The RX_PACKET_TYPE_VERSION query is issued by the "rxdebug <host> <port>
> -version" command which prints the received string to stdout. It has
> also been used by some implementations to record the version of the peer.
> Although it is required that a response to the RX_PACKET_TYPE_VERSION
> query be issued, there is no requirement that the returned string
> contain anything beyond a single NUL octet.

Does that mean that the zero-padding/truncation to 65 bytes is bogus?
Additionally, is the response supposed to be '\0' terminated?
The existing code doesn't guarantee that at all.

> Although it is convenient to be able to remotely identify the version of
> an Rx implementation, there are good reasons why this information should
> not be exposed to an anonymous requester:
>
> 1. Linux AF_RXRPC is part of the kernel.  As such, returning
> UTS_RELEASE identifies to potential attackers the explicit kernel
> version, architecture and perhaps distro.  As this query can be
> issued anonymously, this provides an information disclosure that can
> be used to target known vulnerabilities in the kernel.

I guess it could even be used as a probe to find more/interesting
systems to attack once inside the firewall.

> 2. The RX_PACKET_TYPE_VERSION reply is larger than the query by the
> number of octets in the version data.  As the query is received via
> udp with no reachability test, it means that the
> RX_PACKET_TYPE_VERSION query/response can be used to perform a 3.3x
> amplification attack: 28 octets in and potentially 93 octets out.
>
> With my security hat on I would suggest that either AF_RXRPC return a
> single NUL octet or the c-string "AF_RXRPC" and nothing more.

Is there any point including "AF_RXRPC"?
It is almost certainly implied by the message format.

Or the exact text from the standard - which might be:
"version string - to be supplied by O.E.M."
(I've seen hardware versions with strings like the above that
exactly match the datasheet....)

Limiting the version to (eg) 6.2 would give a hint to the
capabilities/bugs without giving away all the relative addresses
in something like a RHEL kernel.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
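As an added example (not code from the thread, nor from the kernel's AF_RXRPC implementation), the Python model below quantifies the amplification ratio and the NUL-termination point raised in the thread. The 28-octet query and the 65-octet version field are the figures quoted above; the packet layout is otherwise a constructed assumption, and the "unterminated" encoder only models the behaviour David describes, not the real kernel code.

```python
# Constructed model of RX_PACKET_TYPE_VERSION reply sizing (assumption: the query
# is a bare 28-octet header and the reply is that header plus a version field).
RX_HEADER_LEN = 28        # octets in, as quoted in the thread
VERSION_FIELD_LEN = 65    # zero-padded/truncated field, as quoted in the thread


def encode_version_unterminated(version: str, field_len: int = VERSION_FIELD_LEN) -> bytes:
    """Model of the concern raised in the thread: pad/truncate to field_len without
    reserving space for a terminator, so a long string yields a field with no NUL."""
    raw = version.encode("ascii", errors="replace")[:field_len]
    return raw.ljust(field_len, b"\0")


def encode_version_field(version: str, field_len: int = VERSION_FIELD_LEN) -> bytes:
    """Hardened encoder: truncate to field_len - 1 so the last octet is always NUL."""
    raw = version.encode("ascii", errors="replace")[: field_len - 1]
    return raw.ljust(field_len, b"\0")


def is_nul_terminated(field: bytes) -> bool:
    """True when a C-string reader would stop inside the field."""
    return b"\0" in field


def reply_len_fixed(version: str) -> int:
    """Reply size when the fixed 65-octet field is always sent (93 for any string)."""
    return RX_HEADER_LEN + len(encode_version_field(version))


def reply_len_minimal(version: str) -> int:
    """Reply size when only the string plus one NUL is sent (no padding)."""
    return RX_HEADER_LEN + len(version.encode("ascii")) + 1


def amplification(reply_len: int, query_len: int = RX_HEADER_LEN) -> float:
    """Bytes out per byte in for one unauthenticated UDP query."""
    return reply_len / query_len


if __name__ == "__main__":
    for v in ("linux-6.4.0-rc3 AF_RXRPC", "AF_RXRPC", ""):   # constructed sample strings
        print(f"{v!r:30} fixed={reply_len_fixed(v)} "
              f"(x{amplification(reply_len_fixed(v)):.2f})  "
              f"minimal={reply_len_minimal(v)} "
              f"(x{amplification(reply_len_minimal(v)):.2f})")
    long = "x" * 80
    print("unterminated encoder NUL?", is_nul_terminated(encode_version_unterminated(long)))
    print("hardened encoder NUL?    ", is_nul_terminated(encode_version_field(long)))
```

Running it shows the fixed-field reply at 93 octets (3.32x) regardless of content, a single-NUL reply at 29 octets (1.04x), and that only the hardened encoder keeps a terminator for strings of 65 characters or more.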