multiple listen()s on same socket corrupts the vcc table

Credit: Hugo Dias
Risk: Low
Local: Yes
Remote: No
CWE: CWE-399

CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table Release Date: 2008/12/05 I. Impact Local Denial of Service on Linux kernel 2.6.x II. Description A vulnerabilty exists in Linux Kernel which can be exploited by malicious users to cause a Denial of Service. It seems that calling the svc_listen function in 'net/atm/svc.c' twice on same socket, will create unassigned PVC/SVC entries, despite returning EUNATCH. This entries are visible using proc filesystem. #cat /proc/net/atm/vc Address Itf ... c7f34400 Unassigned ... c7f34400 Unassigned ... c7f34400 Unassigned ... ....... The code in 'net/atm/proc.c', responsible for displaying this info, can't handle the unassigned entries. Kernel will freeze with infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc' : net/atm/proc.c: 074 static inline int compare_family(struct sock *sk, int family) 073 { 074 return !family || (sk->sk_family == family); 075 } 091 try_again: 092 for (; sk; sk = sk_next(sk)) { 093 l -= compare_family(sk, family); <<<<<<<<< 094 if (l < 0) 095 goto out; 096 } IV. Patch V. Credit Hugo Dias - hdias [at] synchlabs [dot] com VI. History 2008/11/14 - Vulnerability Discovered 2008/11/28 - Reported to vendor 2008/12/05 - Vendor Released Patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10-svn4870 (MingW32) Comment: Using GnuPG with Mozilla - iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d =9Qis -----END PGP SIGNATURE-----


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top