[antirez]

Reading the original link, it looks like the kernel corruption only happens when an user space application uses the recvfrom() syscall using the MSG_PEEK option. MSG_PEEK is only used AFAIK only in specific applications that need to "peek" at the message without consuming it. This is not a very common use case, but some research should be done to understand if there is some popular application using it.

[pjc50]

If I've understood this correctly, it turns it into a local privilege escalation opportunity: run a vulnerable application as the user, use the exploit to get code execution in the kernel.

[antirez]

Yes that's my understanding as well, user space code using a given syscall with given parameters triggers the kernel exploit.

[zzzcpan]

Yeah, but there is still a little bit of explicit usage of recvfrom() with MSG_PEEK

https://codesearch.debian.net/search?q=recvfrom+.*+MSG_PEEK

And probably more implicit

https://codesearch.debian.net/search?q=recv+.*+MSG_PEEK

[ryan-c]

The use in wget seems a little scary.

[CodeWriter23]

I believe you've misread the article, first line:

> udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic....

[squarefoot]

> MSG_PEEK is only used AFAIK only in specific applications that need to "peek" at the message without consuming it

I never used the MSG_PEEK flag, but over 15 years ago (maybe it wasnt implemented yet?) I accomplished a similar task by using the SO_REUSEADDR and SO_REUSEPORT flags which worked nicely on Windows too. The goal was to have several UDP "agents" listening on the same port on the same machine (which would normally raise an EADDRINUSE error), all of them examining a packet and acting upon a header contained in that packet. All them would receive a copy of the packet on their respective socket (that was the flags purpose), so that they could filter it and act only if the header contained data relative to that agent. This allowed a very modular approach where once the protocol was defined I could compile only the agent I needed without touching the others.