CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table Dec 05 2008 02:06AM
Hugo Dias (hdias synchlabs com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table

Release Date: 2008/12/05

I. Impact

Local Denial of Service on Linux kernel 2.6.x

II. Description

A vulnerabilty exists in Linux Kernel which can be exploited
by malicious users to cause a Denial of Service.

It seems that calling the svc_listen function in 'net/atm/svc.c'
twice on same socket, will create unassigned PVC/SVC entries,
despite returning EUNATCH.

This entries are visible using proc filesystem.

#cat /proc/net/atm/vc

Address Itf ...
c7f34400 Unassigned ...
c7f34400 Unassigned ...
c7f34400 Unassigned ...
.......

The code in 'net/atm/proc.c', responsible for displaying this info,
can't handle the unassigned entries. Kernel will freeze with
infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc' :

net/atm/proc.c:

074 static inline int compare_family(struct sock *sk, int family)
073 {
074 return !family || (sk->sk_family == family);
075 }

091 try_again:
092 for (; sk; sk = sk_next(sk)) {
093 l -= compare_family(sk, family); <<<<<<<<<
094 if (l < 0)
095 goto out;
096 }

IV. Patch

http://marc.info/?l=linux-netdev&m=122841256115780&w=2

V. Credit

Hugo Dias - hdias [at] synchlabs [dot] com

VI. History

2008/11/14 - Vulnerability Discovered
2008/11/28 - Reported to vendor
2008/12/05 - Vendor Released Patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10-svn4870 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM
lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d
=9Qis
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus