Bug 657303 - (CVE-2010-4251, CVE-2010-4805) CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
public=20101125,reported=20101125,sou...
: Security
Depends On: 657305 657306 657308 657309 694317 694396
Reported: 2010-11-25 07:38 EST by Eugene Teo (Security Response)
Modified: 2015-08-19 05:00 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-07-29 09:27:17 EDT
Attachments: None
Description Eugene Teo (Security Response) 2010-11-25 07:38:42 EST
http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
"The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg->skb_free_datagram_locked->release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eating all the system memory.

The issue is not only for UDP. Any protocol using the socket backlog is potentially affected. The patch adds a limit for the socket backlog so that the backlog size cannot be expanded endlessly."

Upstream commits:
http://git.kernel.org/linus/2499849ee8f513e795b9f2c19a42d6356e4943a4
http://git.kernel.org/linus/53eecb1be5ae499d399d2923933937a9ea1a284f
http://git.kernel.org/linus/50b1a782f845140f4138f14a1ce8a4a6dd0cc82f
http://git.kernel.org/linus/79545b681961d7001c1f4c3eb9ffb87bed4485db
http://git.kernel.org/linus/55349790d7cbf0d381873a7ece1dcafcffd4aaa9
http://git.kernel.org/linus/6b03a53a5ab7ccf2d5d69f96cf1c739c4d2a8fb9
http://git.kernel.org/linus/8eae939f1400326b06d0c9afe53d2a484a326871
http://git.kernel.org/linus/a3a858ff18a72a8d388e31ab0d98f7e944841a62
http://git.kernel.org/linus/c377411f2494a931ff7facdbb3a6839b1266bcf6
Comment 3 Eugene Teo (Security Response) 2010-11-28 22:07:30 EST
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise MRG, as they have already backported the fixes for this issue. Future kernel updates in Red Hat Enterprise Linux 6 may address this flaw. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in future updates.
Comment 6 errata-xmlrpc 2011-03-01 15:29:39 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0303 https://rhn.redhat.com/errata/RHSA-2011-0303.html
Comment 7 Eugene Teo (Security Response) 2011-04-06 19:53:01 EDT
We need c07224005dd3fe746246acadc9be652a588a4d7f for a typo correction too.
Comment 10 errata-xmlrpc 2011-05-19 07:58:29 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html
Comment 12 Eugene Teo (Security Response) 2011-05-31 02:01:51 EDT
A CVE was assigned to this for commit c377411f which we have already backported as part of a collection of fixes for CVE-2010-4251.

======================================================
Name: CVE-2010-4805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4805
Assigned: 20110526
Reference: MLIST:[netdev] 20100302 [PATCH 1/8] net: add limit for socket backlog
Reference: URL:http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c377411f2494a931ff7facdbb3a6839b1266bcf6
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=657303
Reference: BID:46637
Reference: URL:http://www.securityfocus.com/bid/46637

The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.
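The backlog accounting behind both CVEs, as an added user-space model that is not the kernel's own code: struct sock_model, sk_add_backlog_model() and flood() are constructed names, and the three policies contrast an unbounded backlog, a cap that counts only backlog bytes (the incomplete fix, CVE-2010-4251), and a cap that also charges sk_rmem_alloc against sk_rcvbuf (the follow-up, CVE-2010-4805). The buffer sizes and packet counts in main() are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>

/* Which backlog policy the simulated socket uses (constructed for this example). */
enum policy { UNLIMITED, BACKLOG_ONLY, BACKLOG_PLUS_RMEM };

/* Minimal stand-in for the kernel's struct sock: only the fields this bug is about. */
struct sock_model {
    unsigned long sk_rcvbuf;     /* receive buffer limit in bytes */
    unsigned long sk_rmem_alloc; /* bytes already sitting in sk_receive_queue */
    unsigned long backlog_len;   /* bytes parked in the backlog while the socket is locked */
    enum policy policy;
};

/* Model of sk_add_backlog(): returns 0 when the packet is queued, -ENOBUFS when dropped. */
int sk_add_backlog_model(struct sock_model *sk, unsigned long truesize)
{
    switch (sk->policy) {
    case UNLIMITED:            /* pre-fix: nothing is ever dropped, memory grows without bound */
        break;
    case BACKLOG_ONLY:         /* first fix (CVE-2010-4251): caps the backlog, ignores sk_rmem_alloc */
        if (sk->backlog_len + truesize > sk->sk_rcvbuf)
            return -ENOBUFS;
        break;
    case BACKLOG_PLUS_RMEM:    /* follow-up fix (CVE-2010-4805): both queues count against sk_rcvbuf */
        if (sk->backlog_len + sk->sk_rmem_alloc + truesize > sk->sk_rcvbuf)
            return -ENOBUFS;
        break;
    }
    sk->backlog_len += truesize;
    return 0;
}
/* Deliver n packets of truesize bytes to a locked socket whose receive queue already
 * holds rmem bytes; returns the total bytes the socket pins afterwards. */
unsigned long flood(enum policy p, unsigned long rcvbuf, unsigned long rmem,
                    unsigned long n, unsigned long truesize)
{
    struct sock_model sk = { rcvbuf, rmem, 0, p };
    for (unsigned long i = 0; i < n; i++)
        sk_add_backlog_model(&sk, truesize);
    return sk.backlog_len + sk.sk_rmem_alloc;
}
int main(void)
{
    printf("unlimited:    %lu bytes\n", flood(UNLIMITED, 200000, 150000, 100000, 2000));
    printf("backlog only: %lu bytes\n", flood(BACKLOG_ONLY, 200000, 150000, 100000, 2000));
    printf("backlog+rmem: %lu bytes\n", flood(BACKLOG_PLUS_RMEM, 200000, 150000, 100000, 2000));
    return 0;
}
```

With the backlog-only cap the socket still pins sk_rcvbuf plus whatever the receive queue already held, which is why a second CVE was assigned; only the combined check keeps the total at sk_rcvbuf.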
Comment 14 errata-xmlrpc 2011-06-21 19:53:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html