Hello,
Linux kernel built with the Networking support (CONFIG_NET) is vulnerable to a
crash while resetting a socket timer. It could occur while doing a
setsockopt(SO_KEEPALIVE) call.
A privileged user/process able to create a RAW socket could use this flaw to
crash the system kernel, resulting in DoS.
Upstream fix:
-------------
-> https://git.kernel.org/linus/3e10986d1d698140747fcfc2761ec9cb64c1d582
diff --git a/net/core/sock.c b/net/core/sock.c
index 3057920..a6000fb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -691,7 +691,8 @@ set_rcvbuf:
case SO_KEEPALIVE:
#ifdef CONFIG_INET
- if (sk->sk_protocol == IPPROTO_TCP)
+ if (sk->sk_protocol == IPPROTO_TCP &&
+ sk->sk_type == SOCK_STREAM)
tcp_set_keepalive(sk, valbool);
#endif
sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool);
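Review bot: the widened condition in the SO_KEEPALIVE case (`sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM`) carries no comment explaining why the protocol test alone is not sufficient. A one-line comment above the `if`, noting that a non-stream socket can have IPPROTO_TCP as its protocol and must not reach tcp_set_keepalive(), would keep a later cleanup from dropping the sk_type test. The unchanged `sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool)` below still sets the flag on such sockets, so it is worth confirming that no other path treats SOCK_KEEPOPEN as implying a TCP socket.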
Reference:
----------
-> https://bugzilla.redhat.com/show_bug.cgi?id=1141742
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F