Date: Fri, 17 Oct 2014 17:02:50 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Connected UDP sockets and kernel queuing (CVE-2014-6512) I noticed a potential issue with connected UDP sockets and the kernel kernel per-socket packet queue, potentially leading to IP spoofing vulnerabilities in the sense that the application thinks the packet came from host A, but it really came from host B: <https://bugzilla.redhat.com/show_bug.cgi?id=1071210> OpenJDK is particularly exposed because DatagramSocket.disconnect() calls connect(2) with AF_UNSPEC (or a NULL socket address on some systems) to disconnect sockets, which is a rarely used feature of the BSD sockets API. OpenJDK ensures that these disconnected sockets remain bound to a port, so it was possible to enqueue packets whose source address will not be checked, without even having a tight race to win. We thought briefly about fixing this in the kernel, but thought better of it because of backwards compatibility concerns (and we would have to patch OpenJDK nevertheless). The OpenJDK fix simply checks the source address of incoming packets. Oracle's fix has an optimization that drops this additional filter after the maximum amount of pending packets has been consumed from the socket; my patch moved the filter to native code instead and applied it to every packet on a connected socket. I think both approaches are valid. I'm sharing this with a wider audience because in theory, other UDP-based services could be affected, although I didn't spot any when I looked at this prior to disclosure. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ