ACK: [Precise][CVE-2015-5364] udp: fix behavior of wrong checksums

Brad Figg brad.figg at canonical.com
Tue Jul 7 17:21:00 UTC 2015


On Mon, Jul 06, 2015 at 10:51:26AM -0700, Kamal Mostafa wrote:
> From: Eric Dumazet <edumazet at google.com>
> 
> commit beb39db59d14990e401e235faf66a6b9b31240b0 upstream.
> 
> We have two problems in UDP stack related to bogus checksums :
> 
> 1) We return -EAGAIN to application even if receive queue is not empty.
>    This breaks applications using edge trigger epoll()
> 
> 2) Under UDP flood, we can loop forever without yielding to other
>    processes, potentially hanging the host, especially on non SMP.
> 
> This patch is an attempt to make things better.
> 
> We might in the future add extra support for rt applications
> wanting to better control time spent doing a recv() in a hostile
> environment. For example we could validate checksums before queuing
> packets in socket receive queue.
> 
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Cc: Willem de Bruijn <willemb at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> CVE-2015-5364
> Signed-off-by: Kamal Mostafa <kamal at canonical.com>
> ---
>  net/ipv4/udp.c | 6 ++----
>  net/ipv6/udp.c | 6 ++----
>  2 files changed, 4 insertions(+), 8 deletions(-)
> 
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 8c2e259..5e92043 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -1248,10 +1248,8 @@ csum_copy_err:
>  		UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
>  	unlock_sock_fast(sk, slow);
>  
> -	if (noblock)
> -		return -EAGAIN;
> -
> -	/* starting over for a new packet */
> +	/* starting over for a new packet, but check if we need to yield */
> +	cond_resched();
>  	msg->msg_flags &= ~MSG_TRUNC;
>  	goto try_again;
>  }
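Review bot: the replacement comment above `cond_resched()` says only that we may yield, and does not record why the removed `if (noblock) return -EAGAIN;` must stay out. Per the commit message, returning -EAGAIN while the receive queue is not empty breaks applications using edge-triggered epoll(). Suggest extending the comment to say that the retry is also taken for non-blocking callers for that reason, so a later cleanup does not put the early return back.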
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index d131a95..dc08afd 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -451,10 +451,8 @@ csum_copy_err:
>  	}
>  	unlock_sock_fast(sk, slow);
>  
> -	if (noblock)
> -		return -EAGAIN;
> -
> -	/* starting over for a new packet */
> +	/* starting over for a new packet, but check if we need to yield */
> +	cond_resched();
>  	msg->msg_flags &= ~MSG_TRUNC;
>  	goto try_again;
>  }
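Review bot: the `goto try_again` after `cond_resched()` is still unbounded in this hunk (and in the IPv4 one). Each bad-checksum datagram costs another pass, so a sustained flood can keep a single recv() inside the kernel for as long as bad packets keep arriving. `cond_resched()` lets other tasks run but does not limit the time spent by the caller. The commit message itself calls this "an attempt to make things better" and mentions validating checksums before queuing as possible future work, so it would help to note in the backport tracking that this is a mitigation of the hang, not a cap on per-call work.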
> -- 
> 1.9.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Looks like a clean cherry-pick.

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com
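
The epoll problem named in the commit message, as an added example that is not part of the original thread or of the kernel source: a user-space model of the non-blocking receive path before and after the patch, driven by an edge-triggered style drain loop. `struct rxq`, `recv_old`, `recv_new`, `stranded` and the sample queue are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of a socket receive queue: 1 = checksum ok, 0 = bad. */
struct rxq { const int *csum_ok; size_t len, head; };

/* Constructed sample: the second queued datagram has a bad checksum. */
static const int sample[] = { 1, 0, 1, 1 };

/* Pre-patch non-blocking receive: a bad checksum drops the datagram and
 * returns -EAGAIN even though more datagrams are queued behind it. */
static int recv_old(struct rxq *q)
{
    if (q->head == q->len)
        return -EAGAIN;          /* queue really is empty */
    if (!q->csum_ok[q->head++])
        return -EAGAIN;          /* models the removed "if (noblock)" return */
    return 1;
}

/* Post-patch: drop the bad datagram and try the next one. The kernel calls
 * cond_resched() at this point; the model has nothing to yield to. */
static int recv_new(struct rxq *q)
{
    while (q->head < q->len)
        if (q->csum_ok[q->head++])
            return 1;
    return -EAGAIN;              /* only when nothing is left */
}

/* Edge-triggered consumer: after one readiness event, read until -EAGAIN,
 * then go back to waiting. Returns how many datagrams are left in the queue
 * with no new readiness edge to wake the application for them. */
static size_t stranded(int (*recv_fn)(struct rxq *))
{
    struct rxq q = { sample, sizeof(sample) / sizeof(sample[0]), 0 };
    while (recv_fn(&q) > 0)
        ;                        /* application consumes one datagram */
    return q.len - q.head;
}

int main(void)
{
    /* Exit status 0 when the model shows the expected difference. */
    return !(stranded(recv_old) == 2 && stranded(recv_new) == 0);
}
```

With the old behaviour the drain loop stops at the bad datagram and two valid datagrams stay queued until some later packet produces a new edge; with the patched behaviour -EAGAIN is only seen once the queue is empty.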



