Bug 657303 (CVE-2010-4251, CVE-2010-4805) - CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Summary: CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4251, CVE-2010-4805
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20101125,reported=20101125,sou...
Depends On: 657305 657306 657308 657309 694317 694396
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-25 12:38 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 18:41 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 13:27:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0303 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2011-03-01 20:29:26 UTC
Red Hat Product Errata RHSA-2011:0542 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update 2011-05-19 11:58:07 UTC
Red Hat Product Errata RHSA-2011:0883 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-06-21 23:52:55 UTC

Description Eugene Teo (Security Response) 2010-11-25 12:38:42 UTC
http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
"The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg->skb_free_datagram_locked->release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eat all the system memory.

The issue is not only for UDP. Any protocols using socket backlog is potentially affected. The patch adds limit for socket backlog so that the backlog size cannot be expanded endlessly."

Upstream commits:
http://git.kernel.org/linus/2499849ee8f513e795b9f2c19a42d6356e4943a4
http://git.kernel.org/linus/53eecb1be5ae499d399d2923933937a9ea1a284f
http://git.kernel.org/linus/50b1a782f845140f4138f14a1ce8a4a6dd0cc82f
http://git.kernel.org/linus/79545b681961d7001c1f4c3eb9ffb87bed4485db
http://git.kernel.org/linus/55349790d7cbf0d381873a7ece1dcafcffd4aaa9
http://git.kernel.org/linus/6b03a53a5ab7ccf2d5d69f96cf1c739c4d2a8fb9
http://git.kernel.org/linus/8eae939f1400326b06d0c9afe53d2a484a326871
http://git.kernel.org/linus/a3a858ff18a72a8d388e31ab0d98f7e944841a62
http://git.kernel.org/linus/c377411f2494a931ff7facdbb3a6839b1266bcf6

Comment 3 Eugene Teo (Security Response) 2010-11-29 03:07:30 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG as they have already backported the fixes for this issue. Future kernel updates in Red Hat Enterprise Linux 6 may address this flaw. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 6 errata-xmlrpc 2011-03-01 20:29:39 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0303 https://rhn.redhat.com/errata/RHSA-2011-0303.html

Comment 7 Eugene Teo (Security Response) 2011-04-06 23:53:01 UTC
We need c07224005dd3fe746246acadc9be652a588a4d7f for a typo correction too.

Comment 10 errata-xmlrpc 2011-05-19 11:58:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

Comment 12 Eugene Teo (Security Response) 2011-05-31 06:01:51 UTC
A CVE was assigned to this for commit c377411f which we have already backported as part of a collection of fixes for CVE-2010-4251.

======================================================
Name: CVE-2010-4805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4805
Assigned: 20110526
Reference: MLIST:[netdev] 20100302 [PATCH 1/8] net: add limit for socket backlog
Reference: URL:http://kerneltrap.org/mailarchive/linux-netdev/2010/3/3/6271093/thread
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c377411f2494a931ff7facdbb3a6839b1266bcf6
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=657303
Reference: BID:46637
Reference: URL:http://www.securityfocus.com/bid/46637

The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.

Comment 14 errata-xmlrpc 2011-06-21 23:53:01 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html


Note You need to log in before you can comment on or make changes to this bug.