[PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP
From: ye.xingchen
Date: Mon May 20 2024 - 04:54:07 EST
From: YeXingchen <ye.xingchen@xxxxxxxxxx>
The CVE-1999-0524 vulnerability is associated with ICMP
timestamp messages, which can be exploited to conduct
a denial-of-service (DoS) attack. In the Vulnerability
Priority Rating (VPR) system, this vulnerability was
rated as a medium risk in May of this year.
Link:https://www.tenable.com/plugins/nessus/10113
To protect embedded systems that cannot run firewalls
from attacks exploiting the CVE-1999-0524 vulnerability,
the icmp_timestamp_ignore_all sysctl is offered as
an easy solution, which allows all ICMP timestamp
messages to be ignored, effectively bypassing the
potential exploitation through the CVE-1999-0524
vulnerability. It enables these resource-constrained
systems to disregard all ICMP timestamp messages,
preventing potential DoS attacks, making it an ideal
lightweight solution for such environments.
Signed-off-by: YeXingchen <ye.xingchen@xxxxxxxxxx>
Reviewed-by: xu xin <xu.xin16@xxxxxxxxxx>
Reviewed-by: zhang yunkai <zhang.yunkai@xxxxxxxxxx>
Reviewed-by: Fan Yu <fan.yu9@xxxxxxxxxx>
CC: he peilin <he.peilin@xxxxxxxxxx>
Cc: Yang Yang <yang.yang29@xxxxxxxxxx>
Cc: Yang Guang <yang.guang5@xxxxxxxxxx>
---
v1->v2
fixes according to
https://lore.kernel.org/all/20240517172639229ec5bN7VBV7SGEHkSK5K6f@xxxxxxxxxx/
1.fix the compile warning
2.change description.
Documentation/networking/ip-sysctl.rst | 6 ++++++
.../networking/net_cachelines/netns_ipv4_sysctl.rst | 1 +
include/net/netns/ipv4.h | 1 +
include/uapi/linux/sysctl.h | 1 +
net/ipv4/icmp.c | 10 ++++++++++
net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
6 files changed, 28 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index bd50df6a5a42..41eb3de61659 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1441,6 +1441,12 @@ icmp_ratelimit - INTEGER
Default: 1000
+icmp_timestamp_ignore_all - BOOLEAN
+ If set non-zero, then the kernel will ignore all ICMP TIMESTAMP
+ requests sent to it.
+
+ Default: 0
+
icmp_msgs_per_sec - INTEGER
Limit maximal number of ICMP packets sent per second from this host.
Only messages whose type matches icmp_ratemask (see below) are
diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
index 9b87089a84c6..ed72f67c8f72 100644
--- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
+++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -38,6 +38,7 @@ u8 sysctl_icmp_ignore_bogus_error_responses
u8 sysctl_icmp_errors_use_inbound_ifaddr
int sysctl_icmp_ratelimit
int sysctl_icmp_ratemask
+u8 sysctl_icmp_timestamp_ignore_all
u32 ip_rt_min_pmtu - -
int ip_rt_mtu_expires - -
int ip_rt_min_advmss - -
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index c356c458b340..7364c469e7eb 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -113,6 +113,7 @@ struct netns_ipv4 {
u8 sysctl_icmp_echo_ignore_broadcasts;
u8 sysctl_icmp_ignore_bogus_error_responses;
u8 sysctl_icmp_errors_use_inbound_ifaddr;
+ u8 sysctl_icmp_timestamp_ignore_all;
int sysctl_icmp_ratelimit;
int sysctl_icmp_ratemask;
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
index 8981f00204db..ef8640947f4e 100644
--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -426,6 +426,7 @@ enum
NET_TCP_ALLOWED_CONG_CONTROL=123,
NET_TCP_MAX_SSTHRESH=124,
NET_TCP_FRTO_RESPONSE=125,
+ NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL = 126,
};
enum {
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index ab6d0d98dbc3..2047ca62b44e 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1152,6 +1152,13 @@ EXPORT_SYMBOL_GPL(icmp_build_probe);
static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
{
struct icmp_bxm icmp_param;
+ struct net *net;
+
+ net = dev_net(skb_dst(skb)->dev);
+
+ if (READ_ONCE(net->ipv4.sysctl_icmp_timestamp_ignore_all))
+ return SKB_NOT_DROPPED_YET;
+
/*
* Too short.
*/
@@ -1469,6 +1476,9 @@ static int __net_init icmp_sk_init(struct net *net)
net->ipv4.sysctl_icmp_echo_enable_probe = 0;
net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
+ /* Control parameters for TIMESTAMP replies. */
+ net->ipv4.sysctl_icmp_timestamp_ignore_all = 0;
+
/* Control parameter - ignore bogus broadcast responses? */
net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 162a0a3b6ba5..b002426c3d9c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -651,6 +651,15 @@ static struct ctl_table ipv4_net_table[] = {
.mode = 0644,
.proc_handler = ipv4_ping_group_range,
},
+ {
+ .procname = "icmp_timestamp_ignore_all",
+ .data = &init_net.ipv4.sysctl_icmp_timestamp_ignore_all,
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE
+ },
#ifdef CONFIG_NET_L3_MASTER_DEV
{
.procname = "raw_l3mdev_accept",
--
2.25.1