ACK: [Precise][CVE-2015-5364] udp: fix behavior of wrong checksums
Brad Figg
brad.figg at canonical.com
Tue Jul 7 17:21:00 UTC 2015
On Mon, Jul 06, 2015 at 10:51:26AM -0700, Kamal Mostafa wrote:
> From: Eric Dumazet <edumazet at google.com>
>
> commit beb39db59d14990e401e235faf66a6b9b31240b0 upstream.
>
> We have two problems in UDP stack related to bogus checksums :
>
> 1) We return -EAGAIN to application even if receive queue is not empty.
> This breaks applications using edge trigger epoll()
>
> 2) Under UDP flood, we can loop forever without yielding to other
> processes, potentially hanging the host, especially on non SMP.
>
> This patch is an attempt to make things better.
>
> We might in the future add extra support for rt applications
> wanting to better control time spent doing a recv() in a hostile
> environment. For example we could validate checksums before queuing
> packets in socket receive queue.
>
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Cc: Willem de Bruijn <willemb at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> CVE-2015-5364
> Signed-off-by: Kamal Mostafa <kamal at canonical.com>
> ---
> net/ipv4/udp.c | 6 ++----
> net/ipv6/udp.c | 6 ++----
> 2 files changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 8c2e259..5e92043 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -1248,10 +1248,8 @@ csum_copy_err:
> UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
> unlock_sock_fast(sk, slow);
>
> - if (noblock)
> - return -EAGAIN;
> -
> - /* starting over for a new packet */
> + /* starting over for a new packet, but check if we need to yield */
> + cond_resched();
> msg->msg_flags &= ~MSG_TRUNC;
> goto try_again;
> }
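Review bot: The new comment on the `goto try_again` path mentions only the yield and does not record why the `if (noblock) return -EAGAIN;` exit was removed. The commit message gives the reason (a bad-checksum datagram must not yield -EAGAIN while the receive queue is non-empty, or edge-triggered epoll() users break), so consider stating that in the comment to keep the early return from being reintroduced later.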
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index d131a95..dc08afd 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -451,10 +451,8 @@ csum_copy_err:
> }
> unlock_sock_fast(sk, slow);
>
> - if (noblock)
> - return -EAGAIN;
> -
> - /* starting over for a new packet */
> + /* starting over for a new packet, but check if we need to yield */
> + cond_resched();
> msg->msg_flags &= ~MSG_TRUNC;
> goto try_again;
> }
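Review bot: After `cond_resched()` the `goto try_again` retry still has no iteration bound, and with the `noblock` exit gone a non-blocking caller now stays in this loop as well for as long as bad-checksum datagrams keep arriving. The commit message defers a stronger fix (validating checksums before queuing) to future work; a short comment here noting that the retry is unbounded by design would make that trade-off visible, and its wording should stay identical to the net/ipv4/udp.c hunk since both carry the same change.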
> --
> 1.9.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Looks like a clean cherry-pick.
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
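Problem 1 in the quoted commit message, shown from the application side as an added example (not part of this thread or of the kernel patch): an edge-triggered epoll() reader drains until EAGAIN and gets no second wakeup for datagrams that were already queued. The `fake_eagain_after` knob is hypothetical and only simulates an early EAGAIN; the loopback datagrams are constructed sample input.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Drain a non-blocking UDP socket after one EPOLLET wakeup, treating EAGAIN
 * as "queue empty". fake_eagain_after > 0 simulates an EAGAIN reported while
 * datagrams are still queued (hypothetical knob, for illustration only). */
static int drain_udp(int fd, int fake_eagain_after)
{
    char buf[2048];
    int n = 0;
    for (;;) {
        if (fake_eagain_after > 0 && n == fake_eagain_after)
            return n;                  /* app now believes the queue is empty */
        if (recv(fd, buf, sizeof(buf), 0) >= 0) { n++; continue; }
        if (errno == EINTR) continue;
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? n : -1;
    }
}

/* Constructed scenario: queue `count` loopback datagrams to ourselves, take
 * the single edge notification and drain. Returns datagrams read; *stranded
 * gets how many stayed queued without any further wakeup (-1 on error). */
int edge_triggered_demo(int count, int fake_eagain_after, int *stranded)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t len = sizeof(a);
    struct epoll_event ev = { .events = EPOLLIN | EPOLLET }, got;
    int fd = socket(AF_INET, SOCK_DGRAM | SOCK_NONBLOCK, 0);
    int ep = epoll_create1(0), nread = -1;
    *stranded = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || ep < 0 || bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0 ||
        epoll_ctl(ep, EPOLL_CTL_ADD, fd, &ev) < 0)
        goto done;
    for (int i = 0; i < count; i++)
        if (sendto(fd, "x", 1, 0, (struct sockaddr *)&a, sizeof(a)) != 1)
            goto done;
    if (epoll_wait(ep, &got, 1, 1000) == 1)
        nread = drain_udp(fd, fake_eagain_after);
    /* Nothing new arrives, so EPOLLET delivers no second event (returns 0). */
    if (epoll_wait(ep, &got, 1, 100) == 0)
        *stranded = drain_udp(fd, 0);
done:
    if (fd >= 0) close(fd);
    if (ep >= 0) close(ep);
    return nread;
}
```

With `fake_eagain_after` set to 1 and three datagrams queued, the reader stops after one and the other two sit in the queue until unrelated traffic produces a new edge.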