CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table


-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table Release Date: 2008/12/05 I. Impact Local Denial of Service on Linux kernel 2.6.x II. Description A vulnerabilty exists in Linux Kernel which can be exploited by malicious users to cause a Denial of Service. It seems that calling the svc_listen function in 'net/atm/svc.c' twice on same socket, will create unassigned PVC/SVC entries, despite returning EUNATCH. This entries are visible using proc filesystem. #cat /proc/net/atm/vc Address Itf ... c7f34400 Unassigned ... c7f34400 Unassigned ... c7f34400 Unassigned ... ....... The code in 'net/atm/proc.c', responsible for displaying this info, can't handle the unassigned entries. Kernel will freeze with infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc' : net/atm/proc.c: 074 static inline int compare_family(struct sock *sk, int family) 073 { 074 return !family || (sk->sk_family == family); 075 } 091 try_again: 092 for (; sk; sk = sk_next(sk)) { 093 l -= compare_family(sk, family); <<<<<<<<< 094 if (l < 0) 095 goto out; 096 } IV. Patch http://marc.info/?l=linux-netdev&m=122841256115780&w=2 V. Credit Hugo Dias - hdias [at] synchlabs [dot] com VI. History 2008/11/14 - Vulnerability Discovered 2008/11/28 - Reported to vendor 2008/12/05 - Vendor Released Patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10-svn4870 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d =9Qis -----END PGP SIGNATURE-----