multiple listen()s on same socket corrupts the vcc table

2008.12.10
Credit: Hugo Dias
Risk: Low
Local: Yes
Remote: No
CWE: CWE-399


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table Release Date: 2008/12/05 I. Impact Local Denial of Service on Linux kernel 2.6.x II. Description A vulnerabilty exists in Linux Kernel which can be exploited by malicious users to cause a Denial of Service. It seems that calling the svc_listen function in 'net/atm/svc.c' twice on same socket, will create unassigned PVC/SVC entries, despite returning EUNATCH. This entries are visible using proc filesystem. #cat /proc/net/atm/vc Address Itf ... c7f34400 Unassigned ... c7f34400 Unassigned ... c7f34400 Unassigned ... ....... The code in 'net/atm/proc.c', responsible for displaying this info, can't handle the unassigned entries. Kernel will freeze with infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc' : net/atm/proc.c: 074 static inline int compare_family(struct sock *sk, int family) 073 { 074 return !family || (sk->sk_family == family); 075 } 091 try_again: 092 for (; sk; sk = sk_next(sk)) { 093 l -= compare_family(sk, family); <<<<<<<<< 094 if (l < 0) 095 goto out; 096 } IV. Patch http://marc.info/?l=linux-netdev&m=122841256115780&w=2 V. Credit Hugo Dias - hdias [at] synchlabs [dot] com VI. History 2008/11/14 - Vulnerability Discovered 2008/11/28 - Reported to vendor 2008/12/05 - Vendor Released Patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10-svn4870 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d =9Qis -----END PGP SIGNATURE-----

References:

http://www.securityfocus.com/archive/1/archive/1/498943/100/0/threaded
http://marc.info/?l=linux-netdev&amp;m=122841256115780&amp;w=2


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top