Bug 657303 - (CVE-2010-4251, CVE-2010-4805) CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 657305 657306 657308 657309 694317 694396
Reported: 2010-11-25 07:38 EST by Eugene Teo (Security Response)
Modified: 2015-08-19 05:00 EDT
CC List: 12 users

Doc Type: Bug Fix
Last Closed: 2015-07-29 09:27:17 EDT

Attachments: None
Description Eugene Teo (Security Response) 2010-11-25 07:38:42 EST
"The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg->skb_free_datagram_locked->release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eating all the system memory.

The issue is not only for UDP. Any protocol using the socket backlog is potentially affected. The patch adds a limit for the socket backlog so that the backlog size cannot be expanded endlessly."

Upstream commits:
Comment 3 Eugene Teo (Security Response) 2010-11-28 22:07:30 EST

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG as they have already backported the fixes for this issue. Future kernel updates in Red Hat Enterprise Linux 6 may address this flaw. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
Comment 6 errata-xmlrpc 2011-03-01 15:29:39 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0303 https://rhn.redhat.com/errata/RHSA-2011-0303.html
Comment 7 Eugene Teo (Security Response) 2011-04-06 19:53:01 EDT
We need c07224005dd3fe746246acadc9be652a588a4d7f for a typo correction too.
Comment 10 errata-xmlrpc 2011-05-19 07:58:29 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html
Comment 12 Eugene Teo (Security Response) 2011-05-31 02:01:51 EDT
A CVE was assigned to this for commit c377411f which we have already backported as part of a collection of fixes for CVE-2010-4251.

Name: CVE-2010-4805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4805
Assigned: 20110526
Reference: MLIST:[netdev] 20100302 [PATCH 1/8] net: add limit for socket backlog
Reference: URL:http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c377411f2494a931ff7facdbb3a6839b1266bcf6
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=657303
Reference: BID:46637
Reference: URL:http://www.securityfocus.com/bid/46637

The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.
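The mechanism in the bug description (packets parked on the backlog while the reader holds the socket lock, then moved to sk_receive_queue by __release_sock()) and the CVE-2010-4805 summary above (sk_add_backlog and sk_rmem_alloc) can be seen in a small user-space simulation. This is an added example, not code from the bug report or from the kernel: the queue structures, the three limit variants, the 4 KiB budget and the packet sizes are all constructed assumptions, and the two limit checks are an assumed shape of the fixes rather than the upstream commits. It drives the same burst of traffic through an unbounded backlog, a backlog-only limit, and a limit that also counts sk_rmem_alloc, and reports how much memory stays charged to the socket.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of the per-socket queues the report describes.
 * Field names echo the kernel's (sk_rcvbuf, sk_rmem_alloc, sk_backlog) but
 * nothing here is kernel code; the limit checks are an assumed shape of the fixes. */
struct skb { unsigned int truesize; struct skb *next; };
struct queue { struct skb *head, *tail; };

struct sock {
    unsigned int sk_rcvbuf;      /* receive-buffer budget in bytes */
    unsigned int sk_rmem_alloc;  /* memory charged to the receive queue */
    unsigned int sk_backlog_len; /* memory charged to the backlog */
    struct queue backlog, receive_queue;
    unsigned long dropped;       /* packets refused by the limit check */
};

/* Which sk_add_backlog() behaviour to model (see rcvqueues_full). */
enum variant { UNBOUNDED, BACKLOG_ONLY, BACKLOG_PLUS_RMEM };
struct result { unsigned int charged; unsigned long dropped; };

static void q_push(struct queue *q, struct skb *s) {
    s->next = NULL;
    if (q->tail) q->tail->next = s; else q->head = s;
    q->tail = s;
}

static struct skb *q_pop(struct queue *q) {
    struct skb *s = q->head;
    if (s) { q->head = s->next; if (!q->head) q->tail = NULL; }
    return s;
}

/* Limit check for a packet arriving while the reader holds the socket lock.
 * UNBOUNDED is the pre-fix code and never refuses (CVE-2010-4251). BACKLOG_ONLY
 * is the assumed first fix: it bounds the backlog alone, so bytes already moved
 * to the receive queue are not counted and each lock/release round admits a
 * fresh backlog's worth (CVE-2010-4805). BACKLOG_PLUS_RMEM also counts sk_rmem_alloc. */
static int rcvqueues_full(const struct sock *sk, const struct skb *s, enum variant v) {
    unsigned int charged = sk->sk_backlog_len;
    if (v == UNBOUNDED) return 0;
    if (v == BACKLOG_PLUS_RMEM) charged += sk->sk_rmem_alloc;
    return charged + s->truesize > sk->sk_rcvbuf;
}

static int add_backlog(struct sock *sk, struct skb *s, enum variant v) {
    if (rcvqueues_full(sk, s, v)) { sk->dropped++; free(s); return -ENOBUFS; }
    q_push(&sk->backlog, s);
    sk->sk_backlog_len += s->truesize;
    return 0;
}

/* Model of __release_sock(): move the backlog onto the receive queue. The memory
 * stays charged to the socket; only a user-space read would free it. */
static void release_sock_model(struct sock *sk) {
    struct skb *s;
    while ((s = q_pop(&sk->backlog)) != NULL) {
        sk->sk_backlog_len -= s->truesize;
        sk->sk_rmem_alloc += s->truesize;
        q_push(&sk->receive_queue, s);
    }
}

/* Busy senders deliver per_cycle packets of size bytes while the socket is locked,
 * then the lock is released; repeat for cycles rounds with the reader never
 * catching up. Returns the bytes still charged to the socket at the end. */
static unsigned int simulate(struct sock *sk, enum variant v, unsigned int cycles,
                             unsigned int per_cycle, unsigned int size) {
    for (unsigned int c = 0; c < cycles; c++) {
        for (unsigned int i = 0; i < per_cycle; i++) {
            struct skb *s = malloc(sizeof *s);
            s->truesize = size;
            add_backlog(sk, s, v);
        }
        release_sock_model(sk);
    }
    return sk->sk_rmem_alloc + sk->sk_backlog_len;
}

/* Run one variant on a fresh 4 KiB socket for 10 rounds of 100 x 256-byte packets
 * (constructed numbers), then free whatever is queued as a reader eventually would. */
static struct result run_variant(enum variant v) {
    struct sock sk = { .sk_rcvbuf = 4096 };
    struct result r;
    struct skb *s;
    r.charged = simulate(&sk, v, 10, 100, 256);
    r.dropped = sk.dropped;
    while ((s = q_pop(&sk.receive_queue)) != NULL) free(s);
    return r;
}

int main(void) {
    const char *names[] = { "unbounded", "backlog-only limit", "backlog+rmem limit" };
    for (int v = UNBOUNDED; v <= BACKLOG_PLUS_RMEM; v++) {
        struct result r = run_variant((enum variant)v);
        printf("%-20s charged=%6u bytes, dropped=%lu\n", names[v], r.charged, r.dropped);
    }
    return 0;
}
```

Compile with `cc -std=c99` and run. The unbounded variant charges every packet it is sent; the backlog-only limit caps each locked interval but grows by a full budget per lock/release round, which is why a reader that never catches up still exhausts memory; only the variant that also counts sk_rmem_alloc holds the socket at its budget across rounds. That gap between the second and third variant is the difference between the two CVEs on this page.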
Comment 14 errata-xmlrpc 2011-06-21 19:53:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html