This bug was fixed in the package linux - 3.13.0-166.216

---------------
linux (3.13.0-166.216) trusty; urgency=medium
  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094)
    - netfilter: connlimit: improve packet-to-closed-connection logic
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2019-6133
    - fork: record start_time late

  * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS (LP: #1813001)
    - procfs: make /proc/*/{stack, syscall, personality} 0400

 -- Kleber Sacilotto de Souza <kleber.so...@canonical.com>  Thu, 07 Feb 2019 11:31:21 +0000

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using multiple CPUs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

  * The iptables connection count/limit rules can be breached with a multithreaded network driver/server/client (common) due to a race in the conncount/connlimit code.

  * For example:

    # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
        -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
        -j DROP

  * The fix is a backport from an upstream commit that resolves the problem (plus dependencies for a cleaner backport) that addresses the race condition: commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race").

  [Test Case]

  * Server-side: (relevant kernel side)

    (limit TCP port 7777 to only 2000 connections)
    # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
        -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
        -j DROP

    # ulimit -SHn 65000     # increase number of open files
    # ruby server.rb        # multi-threaded server

  * Client-side:

    # ulimit -SHn 65000
    # ruby client.rb <server ip> <port> <target # connections> <# threads>

    <test output>

  * Results with Original kernel:
    (client achieves target of 6000 connections > limit of 2000 connections)

    # ruby client.rb 10.230.56.100 7777 6000 3
    1
    2
    3
    <...>
    6000
    Target reached. Thread finishing
    6001
    Target reached. Thread finishing
    6002
    Target reached. Thread finishing
    Threads done. 6002 connections
    press enter to exit

  * Results with Modified kernel:
    (client is limited to 2000 connections, and times out afterward)

    # ruby client.rb 10.230.56.100 7777 6000 3
    1
    2
    3
    <...>
    2000
    <... blocks for a few minutes ...>
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
    Threads done. 2000 connections
    press enter to exit

  * Test cases possibly available upon request, depending on original author's permission.

  [Regression Potential]

  * The patchset has been reviewed by a netfilter maintainer [1] on the stable mailing list, and was considered OK for 4.14, and that's essentially the same backport for 4.15 and 4.4.

  * The changes are limited to netfilter connlimit/conncount (names change between older/newer kernel versions).

  [Other Info]

  * The backport for 4.14 [2] is applied as of 4.14.92.

  [1] https://www.spinics.net/lists/stable/msg276883.html
  [2] https://www.spinics.net/lists/stable/msg276910.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
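The server.rb and client.rb scripts referenced in the test case are not on this page ("possibly available upon request"). The following is an added stand-in, written for this page and not the bug author's code, that reproduces the shape of the procedure: a server that accepts connections and holds them open, and a client that hands out connection numbers from a shared counter to several threads so that the connect() calls race the way a multi-threaded client does against the connlimit rule. Everything below (class and function names, the hold-open behaviour, the "serve" sub-command, the exact-target stop rather than the original script's overshoot to 6002) is an assumption of this example, not a description of the original scripts. Run it with the iptables rule from the test case installed on the server host and the client on a second host; on a kernel with the race the client reaches its target, on a fixed kernel connects beyond the limit time out because their SYNs are dropped.

```ruby
#!/usr/bin/env ruby
# Added example (not the bug report's server.rb / client.rb): a hold-open TCP
# server and a multi-threaded connect flooder for checking a connlimit rule.
require 'socket'
require 'timeout'

# Accepts connections and keeps them open without reading or closing, so each
# established connection stays counted by a connlimit rule on the server side.
class HoldOpenServer
  attr_reader :port

  def initialize(host = '0.0.0.0', port = 0)
    @server = TCPServer.new(host, port)
    @port   = @server.addr[1]           # port 0 lets the kernel pick a free one
    @held   = []
    @lock   = Mutex.new
    @thread = Thread.new { accept_loop }
  end

  def accepted
    @lock.synchronize { @held.size }
  end

  def close
    @server.close                       # makes the blocking accept raise IOError
    @thread.join
    @lock.synchronize { @held.each(&:close); @held.clear }
  end

  private

  def accept_loop
    loop do
      sock = @server.accept
      @lock.synchronize { @held << sock }
    end
  rescue IOError, SystemCallError
    nil                                 # listener closed: leave the loop
  end
end

FloodResult = Struct.new(:established, :failed, :sockets, :errors)

# Open `target` connections to host:port from `threads` threads and keep them
# open. A shared counter hands out connection numbers, so the threads race on
# connect() concurrently; failures (timeouts from dropped SYNs, refusals) are
# collected rather than aborting the run. Stops at exactly `target`.
def flood_connect(host, port, target, threads, connect_timeout: 5)
  counter = 0
  lock    = Mutex.new
  sockets = Queue.new
  errors  = Queue.new

  workers = Array.new(threads) do
    Thread.new do
      loop do
        n = lock.synchronize { counter += 1 }
        break if n > target             # "Target reached. Thread finishing"
        begin
          sockets << Timeout.timeout(connect_timeout) { TCPSocket.new(host, port) }
        rescue SystemCallError, Timeout::Error => e
          errors << "connection #{n}: #{e.class}: #{e.message}"
        end
      end
    end
  end
  workers.each(&:join)

  socks = Array.new(sockets.size) { sockets.pop }
  errs  = Array.new(errors.size)  { errors.pop }
  FloodResult.new(socks.size, errs.size, socks, errs)
end

# accept() lags connect(); poll until the server has accepted `n` connections.
def wait_for_accepted(server, n, tries: 100)
  tries.times do
    return true if server.accepted >= n
    sleep 0.02
  end
  false
end

# CLI (assumed layout, mirroring the bug report's invocation):
#   ruby conncount_test.rb serve <port>
#   ruby conncount_test.rb <server ip> <port> <target # connections> <# threads>
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  if ARGV[0] == 'serve'
    srv = HoldOpenServer.new('0.0.0.0', ARGV.fetch(1, '7777').to_i)
    puts "holding connections on port #{srv.port}; Ctrl-C to stop"
    sleep
  elsif ARGV.size >= 4
    host, port, target, threads = ARGV[0], ARGV[1].to_i, ARGV[2].to_i, ARGV[3].to_i
    r = flood_connect(host, port, target, threads)
    r.errors.first(3).each { |msg| puts "failed to create connection: #{msg}" }
    puts "Threads done. #{r.established} connections (#{r.failed} failed)"
    puts 'press enter to exit'         # keep the sockets open until the operator is done
    $stdin.gets
    r.sockets.each(&:close)
  end
end
```

The client keeps every socket open until the operator presses enter, which matters for the check: connlimit counts conntrack entries, and a client that closes as it goes would never hold 2000 concurrent connections. Raise the open-file limit on both hosts first (ulimit -SHn 65000, as in the test case), otherwise EMFILE from the client will look like a kernel-side limit. Without the iptables rule the client simply reaches its target, which is the baseline to confirm before testing the rule.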