CVE-2016-10229

Source
Severity Critical
Remote Yes
Type Arbitrary code execution
Description
A security issue has been found in udp.c in the Linux kernel before 4.5. It allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during the execution of a recv() system call with the MSG_PEEK flag set.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-240 | linux | 4.4.5-1 | 4.5-1 | Critical | Fixed | |
References
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191
Notes
It looks like the issue was introduced by 89c22d8 but was prevented in mainline: since 3.19, skb_copy_and_csum_datagram_iovec() is no longer used in this path, and skb_copy_and_csum_datagram_msg() prevents the problem. However, it looks like 89c22d8 was backported to older "stable" kernels without the move to skb_copy_and_csum_datagram_msg(), making them vulnerable.
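One way to triage a vendor or stable kernel source tree against the Notes above, as an added example that is not code from this tracker or from the kernel project: it reports which checksum-copy helper a udp.c file calls. The function name classify_udp_csum_helper and the sample file contents are constructed for illustration; a tree still on the iovec helper needs a manual check that the fix referenced above was backported.

```shell
#!/bin/sh
# Added example (not from the tracker or the kernel tree).
# Reports which checksum-copy helper a udp.c source file calls:
#   iovec-helper : calls skb_copy_and_csum_datagram_iovec(); per the Notes, such
#                  a tree lacks the protection mainline has had since 3.19, so
#                  confirm that the referenced fix was backported.
#   msg-helper   : calls skb_copy_and_csum_datagram_msg() and not the iovec one.
#   unknown      : neither call found, or the file is unreadable.
classify_udp_csum_helper() {
    src=$1
    if [ ! -r "$src" ]; then
        echo unknown
        return 0
    fi
    # Match call sites only (name followed by an opening parenthesis),
    # so a bare mention in a comment does not count.
    if grep -Eq 'skb_copy_and_csum_datagram_iovec[[:space:]]*\(' "$src"; then
        echo iovec-helper
    elif grep -Eq 'skb_copy_and_csum_datagram_msg[[:space:]]*\(' "$src"; then
        echo msg-helper
    else
        echo unknown
    fi
}

# Constructed sample inputs standing in for two trees' net/ipv4/udp.c.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old_udp.c" <<'EOF'
    err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                           msg->msg_iov);
EOF
    cat > "$tmp/new_udp.c" <<'EOF'
    err = skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
EOF
    for f in "$tmp/old_udp.c" "$tmp/new_udp.c"; do
        printf '%s: %s\n' "${f##*/}" "$(classify_udp_csum_helper "$f")"
    done
    rm -rf "$tmp"
}

demo
```

Point it at the real file with `classify_udp_csum_helper /path/to/tree/net/ipv4/udp.c`; the package version alone does not settle the question for kernels carrying backports.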