{"id":"CVE-2024-47678","summary":"icmp: change the order of rate limits","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n   But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n   This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation.","modified":"2026-04-16T04:33:09.315814119Z","published":"2024-10-21T11:53:21.814Z","related":["SUSE-SU-2025:0117-1","SUSE-SU-2025:0153-1","SUSE-SU-2025:0154-1","SUSE-SU-2025:0201-1","SUSE-SU-2025:0201-2","SUSE-SU-2025:0229-1","SUSE-SU-2025:0236-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1293-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47678.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19"},{"type":"WEB","url":"https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47678.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47678"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4cdf507d54525842dfd9f6313fdafba039084046"},{"fixed":"997ba8889611891f91e8ad83583466aeab6239a3"},{"fixed":"662ec52260cc07b9ae53ecd3925183c29d34288b"},{"fixed":"a7722921adb046e3836eb84372241f32584bdb07"},{"fixed":"483397b4ba280813e4a9c161a0a85172ddb43d19"},{"fixed":"8c2bd38b95f75f3d2a08c93e35303e26d480d24e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47678.json"}}],"schema_version":"1.7.5"}