Bug 657303 (CVE-2010-4251, CVE-2010-4805) - CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Summary: CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Alias: CVE-2010-4251, CVE-2010-4805
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 657305 657306 657308 657309 694317 694396
Reported: 2010-11-25 12:38 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 16:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-29 13:27:17 UTC


System                 | ID             | Private | Priority | Status       | Summary                                                                                     | Last Updated
Red Hat Product Errata | RHSA-2011:0303 | 0       | normal   | SHIPPED_LIVE | Moderate: kernel security and bug fix update                                                | 2011-03-01 20:29:26 UTC
Red Hat Product Errata | RHSA-2011:0542 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update     | 2011-05-19 11:58:07 UTC
Red Hat Product Errata | RHSA-2011:0883 | 0       | normal   | SHIPPED_LIVE | Important: kernel security and bug fix update                                               | 2011-06-21 23:52:55 UTC

Description Eugene Teo (Security Response) 2010-11-25 12:38:42 UTC
"The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg->skb_free_datagram_locked->release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eating all the system memory.

The issue is not only for UDP. Any protocol using the socket backlog is potentially affected. The patch adds a limit for the socket backlog so that the backlog size cannot be expanded endlessly."

Upstream commits:

Comment 3 Eugene Teo (Security Response) 2010-11-29 03:07:30 UTC

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG as they have already backported the fixes for this issue. Future kernel updates in Red Hat Enterprise Linux 6 may address this flaw. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 6 errata-xmlrpc 2011-03-01 20:29:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0303 https://rhn.redhat.com/errata/RHSA-2011-0303.html

Comment 7 Eugene Teo (Security Response) 2011-04-06 23:53:01 UTC
We need c07224005dd3fe746246acadc9be652a588a4d7f for a typo correction too.

Comment 10 errata-xmlrpc 2011-05-19 11:58:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

Comment 12 Eugene Teo (Security Response) 2011-05-31 06:01:51 UTC
A CVE was assigned to this for commit c377411f which we have already backported as part of a collection of fixes for CVE-2010-4251.

Name: CVE-2010-4805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4805
Assigned: 20110526
Reference: MLIST:[netdev] 20100302 [PATCH 1/8] net: add limit for socket backlog
Reference: URL:http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c377411f2494a931ff7facdbb3a6839b1266bcf6
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=657303
Reference: BID:46637
Reference: URL:http://www.securityfocus.com/bid/46637

The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.
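
As an added example (not code from this bug or from the kernel tree), the user-space C model below reproduces the backlog accounting described in the bug description and in the CVE text above: sk_add_backlog under three policies, no limit, the backlog-only check of the first fix, and the backlog-plus-sk_rmem_alloc check of commit c377411f, which shows why the first fix was incomplete. Struct and field names are simplified from include/net/sock.h, and the backlog-only threshold is an assumption of this model, not the kernel's exact value.

```c
/* Added example, not kernel code: user-space model of the socket backlog
 * accounting behind CVE-2010-4251 / CVE-2010-4805 (cf. include/net/sock.h). */
#include <stdbool.h>
#include <stddef.h>

enum backlog_policy {
    UNLIMITED,         /* before the fixes: backlog grows while the socket is owned */
    BACKLOG_ONLY,      /* CVE-2010-4251 fix: only sk_backlog.len is checked */
    BACKLOG_PLUS_RMEM  /* CVE-2010-4805 fix: backlog + sk_rmem_alloc vs sk_rcvbuf */
};

struct sk_buff { size_t truesize; };  /* memory an skb really occupies */

struct sock {
    enum backlog_policy policy;
    size_t sk_rcvbuf;       /* receive budget (SO_RCVBUF) */
    size_t sk_rmem_alloc;   /* bytes already on sk_receive_queue */
    size_t sk_backlog_len;  /* bytes parked in the backlog */
};

/* Modelled on sk_rcvqueues_full() from commit c377411f: receive queue and
 * backlog together must stay within the socket's budget. */
static bool sk_rcvqueues_full(const struct sock *sk)
{
    return sk->sk_backlog_len + sk->sk_rmem_alloc > sk->sk_rcvbuf;
}

/* Returns 0 when queued, -1 (the kernel returns -ENOBUFS) when dropped. */
int sk_add_backlog(struct sock *sk, const struct sk_buff *skb)
{
    if (sk->policy == BACKLOG_ONLY && sk->sk_backlog_len >= sk->sk_rcvbuf)
        return -1;  /* assumption: limit = sk_rcvbuf; the kernel's was larger */
    if (sk->policy == BACKLOG_PLUS_RMEM && sk_rcvqueues_full(sk))
        return -1;
    sk->sk_backlog_len += skb->truesize;
    return 0;
}

/* Queue n packets while the receiver holds the socket (nothing drains the
 * backlog); returns the bytes the socket pins: backlog + receive queue. */
size_t pinned_bytes_after(struct sock *sk, size_t n, size_t truesize)
{
    struct sk_buff skb = { truesize };
    for (size_t i = 0; i < n; i++)
        (void)sk_add_backlog(sk, &skb);
    return sk->sk_backlog_len + sk->sk_rmem_alloc;
}
```

With a constructed 212992-byte budget, a receive queue that is already full and 2304-byte skbs, UNLIMITED pins hundreds of megabytes, BACKLOG_ONLY still pins roughly twice the budget, and BACKLOG_PLUS_RMEM admits a single extra skb before dropping.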

Comment 14 errata-xmlrpc 2011-06-21 23:53:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html
