Severity |
|
Remote |
|
Type |
Arbitrary code execution |
|
Description |
A security issue has been found in udp.c in the Linux kernel before 4.5, which allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during the execution of a recv() system call with the MSG_PEEK flag set. |
|
References |
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191 |
|
Notes |
It looks like the issue was introduced by 89c22d8 but was prevented in mainline because, since 3.19, skb_copy_and_csum_datagram_iovec() is no longer used in this path, and skb_copy_and_csum_datagram_msg() prevents the problem. However, it looks like 89c22d8 was backported to older "stable" kernels without the move to skb_copy_and_csum_datagram_msg(), making them vulnerable. |
|