[<prev] [next>] [day] [month] [year] [list]
Message-ID: <49388C8A.4070208@synchlabs.com>
Date: Fri, 05 Dec 2008 02:06:02 +0000
From: Hugo Dias <hdias@...chlabs.com>
To: bugtraq@...urityfocus.com, vuln@...unia.com, ssynchron@...il.com
Subject: CVE-2008-5079: multiple listen()s on same socket corrupts the vcc
table
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table
Release Date: 2008/12/05
I. Impact
Local Denial of Service on Linux kernel 2.6.x
II. Description
A vulnerabilty exists in Linux Kernel which can be exploited
by malicious users to cause a Denial of Service.
It seems that calling the svc_listen function in 'net/atm/svc.c'
twice on same socket, will create unassigned PVC/SVC entries,
despite returning EUNATCH.
This entries are visible using proc filesystem.
#cat /proc/net/atm/vc
Address Itf ...
c7f34400 Unassigned ...
c7f34400 Unassigned ...
c7f34400 Unassigned ...
.......
The code in 'net/atm/proc.c', responsible for displaying this info,
can't handle the unassigned entries. Kernel will freeze with
infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc' :
net/atm/proc.c:
074 static inline int compare_family(struct sock *sk, int family)
073 {
074 return !family || (sk->sk_family == family);
075 }
091 try_again:
092 for (; sk; sk = sk_next(sk)) {
093 l -= compare_family(sk, family); <<<<<<<<<
094 if (l < 0)
095 goto out;
096 }
IV. Patch
http://marc.info/?l=linux-netdev&m=122841256115780&w=2
V. Credit
Hugo Dias - hdias [at] synchlabs [dot] com
VI. History
2008/11/14 - Vulnerability Discovered
2008/11/28 - Reported to vendor
2008/12/05 - Vendor Released Patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10-svn4870 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM
lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d
=9Qis
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists