CVE-2024-41007: When use TCP_USER_TIMEOUT in Linux. It may hit Kernel design weakness! (16th July 2024)

Preface: What is jiffies in the Linux kernel? A jiffy is a kernel unit of time declared in <linux/jiffies[.]h> . To understand jiffies, we need to introduce a new constant, HZ, which is the number of times jiffies is incremented in one second. Each increment is called a tick.

Background: tcp_user_timeout – Controls the number of milliseconds that transmitted data may remain unacknowledged before a connection is forcibly closed. Default is 0 which means it is disabled.

Vulnerability details: Avoid too many retransmit packets. If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has ‘expired’.

Solution: The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits. Also worth noting that before commit e89688e3e978 (“net: tcp: fix unexcepted socket die when snd_wnd is 0”), the issue would last 2 minutes instead of 4.

Speculation: CVE does not describe a Common Weakness Enumeration. But believe that the minimal impact would be a denial of service. But it may more serious!

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41007

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.