SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel svc_listen() Bug Lets Local Users Deny Service
SecurityTracker Alert ID:  1021360
SecurityTracker URL:  http://securitytracker.com/id/1021360
CVE Reference:   CVE-2008-5079   (Links to External Site)
Date:  Dec 8 2008
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.6.x
Description:   A vulnerability was reported in the Linux Kernel. A local user can cause denial of service conditions.

A local user can invoke the svc_listen() function more than once on the same socket and then read /proc/net/atm/*vc to cause the kernel to enter an infinite loop.

The vulnerability resides in 'net/atm/svc.c'.

The vendor was notified on November 28, 2008.

Hugo Dias reported this vulnerability.

Impact:   A local user can cause the kernel to enter an infinite loop.
Solution:   The vendor has issued a source code fix.
Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 20 2009 (Red Hat Issues Fix) Linux Kernel svc_listen() Bug Lets Local Users Deny Service
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Feb 4 2009 (Red Hat Issues Fix) Linux Kernel svc_listen() Bug Lets Local Users Deny Service
Red Hat has released a fix for Red Hat Enterprise MRG 1.1.
Feb 25 2009 (Red Hat Issues Fix) Linux Kernel svc_listen() Bug Lets Local Users Deny Service
Red Hat has released a fix for Red Hat Enterprise Linux 5.2 Extended Update Support.



 Source Message Contents

Subject:  CVE-2008-5079: multiple listen()s on same socket corrupts the vcc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table

Release Date: 2008/12/05

I. Impact

Local Denial of Service on Linux kernel 2.6.x


II. Description

A vulnerabilty exists in Linux Kernel which can be exploited
by malicious users to cause a Denial of Service.

It seems that calling the svc_listen function in 'net/atm/svc.c'
twice on same socket, will create unassigned PVC/SVC entries,
despite returning EUNATCH.

This entries are visible using proc filesystem.

#cat /proc/net/atm/vc

Address  Itf ...
c7f34400 Unassigned   ...
c7f34400 Unassigned   ...
c7f34400 Unassigned   ...
.......

The code in 'net/atm/proc.c', responsible for displaying this info,
can't handle the unassigned entries. Kernel will freeze with
infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc'  :


net/atm/proc.c:

074 static inline int compare_family(struct sock *sk, int family)
073 {
074         return !family || (sk->sk_family == family);
075 }

091 try_again:
092         for (; sk; sk = sk_next(sk)) {
093                 l -= compare_family(sk, family); <<<<<<<<<
094                 if (l < 0)											
095                         goto out;	
096         }


IV. Patch

http://marc.info/?l=linux-netdev&m=122841256115780&w=2

V. Credit

Hugo Dias - hdias [at] synchlabs [dot] com


VI. History

2008/11/14 - Vulnerability Discovered
2008/11/28 - Reported to vendor
2008/12/05 - Vendor Released Patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10-svn4870 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk4jIoACgkQE8nuJSQgUf2IawCgm6bdEkoj5DCGJPIXOob60nSM
lTwAnRtJCDPW4d4FE7F6KpzKw46EqO7d
=9Qis
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC