CVE-2012-3412
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Fedora) |
Fix Released
|
High
|
|||
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.
In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).
Upstream patch:
http://
References:
http://
CVE References
tags: | added: kernel-cve-tracking-bug |
visibility: | private → public |
Changed in linux (Ubuntu): | |
status: | New → Confirmed |
Changed in linux (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in linux (Fedora): | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.
In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).
Upstream patch: www.spinics. net/lists/ netdev/ msg206332. html
http://
References: seclists. org/oss- sec/2012/ q3/171
http://
Acknowledgements:
Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue.