CVE-2024-47678

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> icmp: change the order of rate limits<br /> <br /> ICMP messages are ratelimited :<br /> <br /> After the blamed commits, the two rate limiters are applied in this order:<br /> <br /> 1) host wide ratelimit (icmp_global_allow())<br /> <br /> 2) Per destination ratelimit (inetpeer based)<br /> <br /> In order to avoid side-channels attacks, we need to apply<br /> the per destination check first.<br /> <br /> This patch makes the following change :<br /> <br /> 1) icmp_global_allow() checks if the host wide limit is reached.<br /> But credits are not yet consumed. This is deferred to 3)<br /> <br /> 2) The per destination limit is checked/updated.<br /> This might add a new node in inetpeer tree.<br /> <br /> 3) icmp_global_consume() consumes tokens if prior operations succeeded.<br /> <br /> This means that host wide ratelimit is still effective<br /> in keeping inetpeer tree small even under DDOS.<br /> <br /> As a bonus, I removed icmp_global.lock as the fast path<br /> can use a lock-free operation.