**** Cyborg Central ****

Old Androids Never Die, They Just Have A Few Screws Loose

Sigh

July 6, 2019


I really hate it when someone describes a security mitigation as a "fix," like there's some easily quantifiable problem, a hole that you can just shove your thumb into until it's patched, without actually investigating the issue any further.

The Insights blog talks about CVE-2019-11479, an "attack" in which a peer advertises an unreasonably low TCP maximum segment size (MSS), which forces the stack to break its data up into ridiculously small segments to send it, wasting memory. I have a real problem with this statement though:

Additionally, a third SACK related issue, CVE-2019-11479, does not have a Livepatch fix available because it is not technically feasible to apply the changes via Livepatch.

No, it's not that it wasn't "technically feasible"; it's that there was a more correct mitigation for the issue, and the "fix" from upstream was a stupid one that I disagree with. The 48-byte minimum in the kernel is a TECHNICAL limitation, the absolute minimum that could ever be used, and was never meant to enforce "reasonableness", which is what the patch turned it into. I can easily think of situations where a low MSS makes sense, especially with limited-bandwidth devices like long-distance radios, for instance.

Furthermore, there was already an easy "fix" available that required no patching whatsoever. The correct solution for an unreasonably low MSS is to have the firewall, preferably the firewall on your internet connections, enforce your minimum reasonable MSS by dropping SYN packets whose MSS option advertises a value below that floor. If you want a 300-byte minimum, for instance, you configure that restriction. The number is sure to vary from place to place, and there's no common definition of "reasonable" that is actually reasonable.
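What such a firewall rule actually has to inspect is the MSS option carried in the SYN, not the length of the packet. The following is an added example (mine, not code from this post): a small Python model of a "drop SYNs advertising an MSS below the floor" filter, run over constructed packets, using the 300-byte figure above as the floor. The rule string it emits is the standard netfilter `tcpmss` match; the packet contents, ports and addresses are made up for the demo.

```python
import struct

# Added example (not the post's code): models what a "drop low-MSS SYNs" firewall
# rule actually inspects. It parses the TCP option list of a SYN and applies a
# minimum-MSS policy; the 300-byte floor is the post's example figure.

TCP_SYN = 0x02
TCP_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IPPROTO_TCP = 6


def build_syn(mss=None, flags=TCP_SYN, leading=b""):
    """Constructed IPv4+TCP packet for the demo (no checksums, no payload).

    mss=None omits the MSS option entirely; `leading` is raw option bytes placed
    before the MSS option (e.g. NOPs or SACK-permitted) to exercise the parser.
    """
    options = leading
    if mss is not None:
        options += struct.pack("!BBH", OPT_MSS, 4, mss)
    options += b"\x00" * (-len(options) % 4)  # pad option list to a 4-byte boundary
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + tcp


def parse_tcp(packet):
    """Return (is_syn, mss) for an IPv4/TCP packet, or None if it is not TCP.

    mss is None when the segment carries no MSS option. Malformed or truncated
    option lists stop parsing rather than raising, since a filter must never crash.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    opts = tcp[20:data_offset]
    mss = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                       # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                       # malformed length
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return bool(flags & TCP_SYN), mss


def low_mss_verdict(packet, min_mss):
    """Verdict under a 'drop SYNs advertising MSS < min_mss' rule.

    Mirrors iptables' tcpmss match: only segments that carry an MSS option can
    match, so a SYN with no option (RFC default MSS of 536) passes untouched.
    """
    parsed = parse_tcp(packet)
    if parsed is None:
        return "ACCEPT"                 # not TCP: rule does not apply
    is_syn, mss = parsed
    if not is_syn or mss is None:
        return "ACCEPT"
    return "DROP" if mss < min_mss else "ACCEPT"


def iptables_rule(min_mss):
    """The equivalent netfilter rule (IPv4); repeat with ip6tables for IPv6."""
    return f"iptables -I INPUT -p tcp --syn -m tcpmss --mss 1:{min_mss - 1} -j DROP"


def demo(min_mss=300):
    """Run the policy over constructed packets; returns {label: verdict}."""
    samples = {
        "syn mss=48 (CVE-2019-11479 style)": build_syn(mss=48),
        "syn mss=1460": build_syn(mss=1460),
        "syn without MSS option": build_syn(mss=None),
        "ack carrying mss=48 (not a SYN)": build_syn(mss=48, flags=TCP_ACK),
        "syn NOP,NOP,mss=299": build_syn(mss=299, leading=b"\x01\x01"),
    }
    return {label: low_mss_verdict(pkt, min_mss) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:6s} {label}")
    print(iptables_rule(300))
```

Two caveats worth knowing before relying on this: the `tcpmss` match only fires on segments that actually carry an MSS option, so a SYN with none (RFC default of 536) is never dropped by it, and the rule has to be installed for both iptables and ip6tables. Also note that the upstream patch this post objects to exposes the kernel's floor as the sysctl `net.ipv4.tcp_min_snd_mss` (default 48), so hosts that do carry the patch can raise it per-host as well as at the edge.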

Further, the patch broke things elsewhere, most notably Steam, which suddenly couldn't connect after the "fix" went in. :|

Anyway, it makes me mad when people act like something was too hard to fix when they don't know shit about the problem, and just gloss over it like that.


Categorized as: Linux


