Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mitigate CVE-2018-5391 by sysctl #1948

Merged
merged 1 commit into from
Aug 19, 2018

Conversation

qiluo-msft
Copy link
Collaborator

@qiluo-msft qiluo-msft commented Aug 18, 2018

Mitigation suggested by https://security-tracker.debian.org/tracker/CVE-2018-5391 for Debian Jessie
Tested in DUT:

admin@sonic:~$ cat /proc/sys/net/ipv4/ipfrag_low_thresh
196608
admin@sonic:~$ cat /proc/sys/net/ipv4/ipfrag_high_thresh
262144

Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
@@ -272,6 +272,7 @@ check system $HOST
EOF

## Config sysctl
## TODO: ipfrag* are for mitigating CVE-2018-5391, remove after kernel upgraded
Copy link
Contributor

@jleveque jleveque Aug 18, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest moving TODO line directly above the lines it refers to. #WontFix

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is technical difficulty to move because the block after "sudo augtool --autosave" is one huge command. Let me know if you have better idea.


In reply to: 211062664 [](ancestors = 211062664)

@qiluo-msft
Copy link
Collaborator Author

qiluo-msft commented Aug 18, 2018

This PR is against 201803 branch, which has Debian Jessie kernel.
The build check failures are due to recent job changes for Debian Stretch. Fixed.

@lguohan lguohan merged commit 275b583 into sonic-net:201803 Aug 19, 2018
@qiluo-msft qiluo-msft deleted the qiluo/CVE-2018-5391 branch August 20, 2018 01:04
vivekrnv added a commit to vivekrnv/sonic-buildimage that referenced this pull request Dec 6, 2021
3fa0854 [CLI][show bgp] On chassis don't show internal BGP sessions by default (sonic-net#1927)
6de91af [Auto-Techsupport] Issues related to Multiple Cores crashing handled (sonic-net#1948)
656ade1 SFP-Refactor: Vendor revision is not displayed properly (sonic-net#1950)
67466cb [port] Fix port speed set (sonic-net#1952)
5172972 Fix invalid output of syslog IPv6 servers (sonic-net#1933)
290ff5f Routed subinterface enhancements (sonic-net#1821)
1ea88e2 Enhance sfputil for CMIS QSFP (sonic-net#1949)

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
qiluo-msft added a commit that referenced this pull request Dec 20, 2021
#### Why I did it
Including below commits:
```
fe00bbf 2021-12-17 | Revert "[sonic-package-manager] support sonic-cli-gen and packages with YANG model (#1650)" (#1972) [Prince George]
5fe6d92 2021-12-16 | [warm/fast-reboot] Fix kexec portion to support platforms based on Device Tree (#1966) [dflynn-Nokia]
74d2a09 2021-12-17 | [portstat] check TX/RX utilization calculation correctness (#1840) [Andriy Yurkiv]
e44c3f6 2021-12-16 | [generic-config-updater] Improving CreateOnly validator and marking /LOOPBACK_INTERFACE/LOOPBACK#/vrf_name as create-only (#1969) [Mohamed Ghoneim]
0067cc4 2021-12-15 | [build] adapt for upstream target path change (#1971) [Qi Luo]
96143ee 2021-12-09 | preserve old order for config reload (#1964) [arlakshm]
f08c81d 2021-12-10 | [vxlan] remove unnecessary whitespace for show commands (#1792) [Gord Chen]
14889ce 2021-12-09 | [soft-reboot] Add support for platforms based on Device Tree (#1963) [dflynn-Nokia]
7ceccd7 2021-12-08 | [generic-config-updater] Adding non-strict mode (#1929) [Mohamed Ghoneim]
2e462ef 2021-12-07 | [sfputil] Firmware download/upgrade CLI support for QSFP-DD (#1947) [Prince George]
7c34b79 2021-12-07 | [config] Add portchannel support  for static route  (#1857) [Dmytro]
54cc370 2021-12-06 | [doc] Refine doc on show loopback/mgmt ports (#1958) [Qi Luo]
3714f63 2021-12-06 | [port2alias]: Fix to get right number of return values (#1906) [SuvarnaMeenakshi]
3fa0854 2021-12-06 | [CLI][show bgp] On chassis don't show internal BGP sessions by default (#1927) [Mahesh Maddikayala]
6de91af 2021-12-06 | [Auto-Techsupport] Issues related to Multiple Cores crashing handled (#1948) [Vivek Reddy]
656ade1 2021-12-06 | SFP-Refactor: Vendor revision is not displayed properly (#1950) [Aravind Mani]
67466cb 2021-12-05 | [port] Fix port speed set (#1952) [Mykola Gerasymenko]
5172972 2021-12-04 | Fix invalid output of syslog IPv6 servers (#1933) [jingwenxie]
290ff5f 2021-12-03 | Routed subinterface enhancements (#1821) [Preetham]
1ea88e2 2021-12-01 | Enhance sfputil for CMIS QSFP (#1949) [andywongarista]
4e132c1 2021-11-30 | [debug dump] Refactoring Modules and Unit Tests (#1943) [Vivek Reddy]
b550c44 2021-11-30 | Add command reference for trap flow counters (#1876) [Junchao-Mellanox]
67a267b 2021-11-30 | [Reclaim buffer] [Mellanox] Db migrator support reclaiming reserved buffer for unused ports (#1822) [Stephen Sun]
30e4654 2021-11-25 | Add show command for BFD sessions (#1942) [Shi Su]
e63f47e 2021-11-25 | [warm-reboot] Fix failures of warm reboot on disconnect of ssh session (#1529) [maksymbelei95]
c05845d 2021-11-25 | Add trap flow counter support (#1868) [Junchao-Mellanox]
ef82f00 2021-11-24 | [load_minigraph] Delay pfcwd start until the buffer templates are rendered (#1937) [Neetha John]
f5e5a56 2021-11-24 | [sonic-package-manager] support sonic-cli-gen and packages with YANG model (#1650) [Stepan Blyshchak]
64777a4 2021-11-23 | generic_config_updater: Filename changed & VLAN validator added (#1919) [Renuka Manavalan]
1f8f6ab 2021-11-23 | [config reload] Update command reference (#1941) [Sudharsan Dhamal Gopalarathnam]
```
judyjoseph added a commit that referenced this pull request Jan 9, 2022
4236bc4 [config reload] Fixing config reload when timer based delayed services are disabled (#1967)
d2514e4 [GCU] Different apply-patch runs should produce same sorted steps (#1988)
2878adb [GCU] Using simulated config instead of target config when validating replace operation in NoDependencyMoveValidator (#1987)
fb8ca98 [GCU] Loading yang-models only once (#1981)
f88ee92 [GCU] Copying config_db before callding sonic_yang.loadData (#1983)
9ed0e91 [GCU] Implementing DryRun by printing patch-sorter steps/imitating config_db (#1973)
b36b5e3 [GCU] Moving PatchSorter unit-test to json file to make it easier to read/maintain (#1977)
c0fa28b [generic-config-updater] Improving CreateOnly validator and marking /LOOPBACK_INTERFACE/LOOPBACK#/vrf_name as create-only (#1969)
0559d04 [generic-config-updater] Adding non-strict mode (#1929)
b07f477 [debug dump util] FDB debug dump util changes (#1968)
6d8757a [warm/fast-reboot] Fix kexec portion to support platforms based on Device Tree (#1966)
cc1409e [Auto Techsupport] Event driven Techsupport Bug Fixes (#1986)
6c48bd5 Fix wrong help message for cable length setting (#1978)
c0bbbe3 [breakout] Fix the check  when port is not present in BREAKOUT_CFG table (#1765)
5bb8cad [doc][DPB] Update DPB related interface breakout command Info (#1438)
e6fd990 [config] Fix 'config reload -l' command to get filename by default (#1611)
bd8f7bb Update swss_ready check to check per namespace swss service (#1974)
5439f94 [soft-reboot] Add support for platforms based on Device Tree (#1963)
7c5810a [config] Add portchannel support  for static route  (#1857)
7cb6a1b preserve old order for config reload (#1964)
20bddbd [Auto-Techsupport] Issues related to Multiple Cores crashing handled (#1948)
taras-keryk pushed a commit to taras-keryk/sonic-buildimage that referenced this pull request Apr 28, 2022
…onic-net#1948)

#### What I did

**Issues seen when multiple cores are crashed in very quick succession:**
1) The **rate_limit_interval** is not honored. Because, i previously was finding out the last created tech-support using the glob pattern `sonic_dump_*tar*`, which  will not include the dumps which are being currently run. These existing dump will not have .tar.gz extension. Thus, modified the `get_ts_dumps` to search based on the TS_ROOT i.e `sonic_dump_*`
2) **show auto-tech support history** is not showing all the created dumps. I've previously used to take the diff of tech support dumps before and after running the invocation and used to assign the diff as the corresponding techsupport for this core. This approach is prone to race condition as we can have multiple dumps in the diff found in the interval. 
Avoided this by parsing the stdout returned by `show techsupport` invocation

#### How to verify it

1) Unit Tests
2) Generate core-dumps in very quick succession. Use the default rate limit interval. Should only see one entry in tech-support history
3) Set global rate limit interval to 0. Generate cores in quick succession. Should see a few entries in the history.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants