https://bugzilla.kernel.org/show_bug.cgi?id=99461
Dan Searle
dan.searle at censornet.com
Tue Aug 18 15:40:11 UTC 2015
Hi,
Can you handle the Launchpad bug entry?
There are steps to re-create on the main kernel.org bug thread: https://bugzilla.redhat.com/show_bug.cgi?id=1205258
Quote from https://bugzilla.redhat.com/show_bug.cgi?id=1205258:
Description of problem:
Kernel goes into a busy loop when it waits for more data in a recv(MSG_PEEK|MSG_WAITALL) call.
E.g.
------
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/ip.h>

int main(void)
{
    struct sockaddr_in addr = {
        .sin_family = AF_INET,
        .sin_port = htons(1234),
        .sin_addr = { INADDR_ANY }
    };
    int conn;
    char buf[16];
    int s = socket(AF_INET, SOCK_STREAM, 0);

    bind(s, (void *)&addr, sizeof addr);
    listen(s, 1);
    conn = accept(s, NULL, 0);
    /* Ask for all 16 bytes without removing them from the receive queue */
    recv(conn, buf, sizeof buf, MSG_PEEK|MSG_WAITALL);
}
----
$ gcc x.c
$ a.out &
$ nc 127.0.0.1 1234
1234<enter>
--> 'a.out' consumes 100% CPU
'a.out' stays alive and consumes CPU when the 'nc' connection is closed uncleanly (e.g. no TCP FIN/RST). This can be used for DDoS attacks.
Version-Release number of selected component (if applicable):
kernel-3.10.0-123.20.1.el7.x86_64
How reproducible:
100%
Dan Searle
Development Director
CensorNet - Complete cloud security - anyone, anywhere, any app, any device
E: dan.searle at censornet.com W: www.censornet.com
CensorNet Ltd | Network House|6th Floor | Basing View | Basingstoke | Hants | RG21 4HG | United Kingdom
> -----Original Message-----
> From: Joseph Salisbury [mailto:joseph.salisbury at canonical.com]
> Sent: 18 August 2015 16:24
> To: Dan Searle <dan.searle at censornet.com>; kernel-team at lists.ubuntu.com
> Subject: Re: https://bugzilla.kernel.org/show_bug.cgi?id=99461
>
> On 08/18/2015 09:52 AM, Dan Searle wrote:
> >
> > Hi,
> >
> >
> >
> > I tried sending this to the kernel-bugs Ubuntu list, but the message
> > was rejected for reasons I can't understand, I hope this is the
> > correct place to send this information.
> >
> >
> >
> > See: https://bugzilla.redhat.com/show_bug.cgi?id=1205258
> >
> > See Also: https://bugzilla.kernel.org/show_bug.cgi?id=99461
> >
> >
> >
> > It's a bug affecting recv() system calls using flags MSG_PEEK |
> > MSG_WAITALL affecting Ubuntu kernels which has been fixed in kernel
> > version "kernel-3.10.0-306.el7".
> >
> >
> >
> > I'm wondering when this fix will be taken up and included in the
> > Ubuntu 14.04 LTS kernel packages?
> >
> >
> >
> > Regards, Dan.
> >
> > CensorNet Ltd is a registered company in England & Wales No. 05518629
> > VAT registration number 901-2048-78
> >
> > Any views expressed in this email communication are those of the
> > individual sender, except where the sender specifically states them to
> > be the views of a member of CensorNet Ltd. CensorNet Ltd does not
> > represent, warrant or guarantee that the integrity of this
> > communication has been maintained nor that the communication is free
> > of errors or interference.
> >
> >
> >
> Hi Dan,
>
> The fix in mainline is:
>
> commit dfbafc995304ebb9a9b03f65083e6e9cea143b20
> Author: Sabrina Dubroca <sd at queasysnail.net>
> Date: Fri Jul 24 18:19:25 2015 +0200
>
> tcp: fix recv with flags MSG_WAITALL | MSG_PEEK
>
>
>
> Can you create a Launchpad bug for this, Dan? That is how we can track
> the fix making it into pre v3.10 Ubuntu kernels. If not, I can create
> the bug. Also, do you have a way to reproduce this bug, or can you list
> the steps? If so, I can build a test kernel with a cherry pick of this
> commit, so it can be tested before sending a SRU request.
>
> Thanks,
>
> Joe
>
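The reproducer quoted above, turned into a self-measuring check of the kind Joe asks for when testing a kernel build (an added example, not code from this thread or from the kernel tree). It makes the same recv() call over a loopback-only connection and reports how much CPU the waiting process used; the function name `peek_waitall_cpu_ms` and the 500 ms threshold are assumptions of this example.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* CPU milliseconds (user + system) used by a child that waits wall_ms in
 * recv(MSG_PEEK | MSG_WAITALL) for 16 bytes with only 4 queued; -1 on error. */
long peek_waitall_cpu_ms(int wall_ms)
{
    struct sockaddr_in a = { .sin_family = AF_INET };  /* port 0: kernel picks one */
    socklen_t alen = sizeof a;
    struct rusage ru;
    char buf[16];
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);        /* never exposed off-host */
    if (ls < 0 || cs < 0 ||
        bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) < 0 ||
        connect(cs, (struct sockaddr *)&a, sizeof a) < 0)
        return -1;
    int conn = accept(ls, NULL, NULL);
    if (conn < 0 || send(cs, "1234", 4, 0) != 4)       /* same 4 bytes as the nc step */
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* child: the call under test */
        recv(conn, buf, sizeof buf, MSG_PEEK | MSG_WAITALL);
        _exit(0);
    }
    usleep((useconds_t)wall_ms * 1000);                /* child sleeps or spins meanwhile */
    kill(pid, SIGKILL);
    if (wait4(pid, NULL, 0, &ru) < 0)                  /* reap child, collect its CPU usage */
        return -1;
    close(conn); close(cs); close(ls);
    return (ru.ru_utime.tv_sec + ru.ru_stime.tv_sec) * 1000L +
           (ru.ru_utime.tv_usec + ru.ru_stime.tv_usec) / 1000L;
}

int main(void)
{
    long ms = peek_waitall_cpu_ms(1000);
    printf("child CPU: %ld ms of 1000 ms wall -> %s\n", ms,
           ms < 0 ? "setup failed" : ms > 500 ? "busy loop" : "blocks normally");
    return ms > 500;                                   /* non-zero exit: kernel spins */
}
```

On a kernel carrying the fix the child sleeps in recv() and the reported CPU time stays near zero; a value close to the wall time is the 100% CPU symptom from the bug report.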