[kernel] r12483 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Dec 6 17:28:48 UTC 2008


Author: dannf
Date: Sat Dec  6 17:28:47 2008
New Revision: 12483

Log:
Fix DoS when calling svc_listen twice on the same socket while reading
/proc/net/atm/*vc (CVE-2008-5079)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/12

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Sat Dec  6 17:28:47 2008
@@ -6,8 +6,10 @@
   [ dann frazier ]
   * Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
   * Fix race conditions between inotify removal and umount (CVE-2008-5182)
+  * Fix DoS when calling svc_listen twice on the same socket while reading
+    /proc/net/atm/*vc (CVE-2008-5079)
 
- -- dann frazier <dannf at debian.org>  Mon, 01 Dec 2008 23:32:05 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 05 Dec 2008 23:12:07 -0700
 
 linux-2.6 (2.6.26-11) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch	Sat Dec  6 17:28:47 2008
@@ -0,0 +1,37 @@
+commit 17b24b3c97498935a2ef9777370b1151dfed3f6f
+Author: Chas Williams <chas at cmf.nrl.navy.mil>
+Date:   Thu Dec 4 14:58:13 2008 -0800
+
+    ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
+    
+    As reported by Hugo Dias that it is possible to cause a local denial
+    of service attack by calling the svc_listen function twice on the same
+    socket and reading /proc/net/atm/*vc
+    
+    Signed-off-by: Chas Williams <chas at cmf.nrl.navy.mil>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/atm/svc.c b/net/atm/svc.c
+index de1e4f2..8fb54dc 100644
+--- a/net/atm/svc.c
++++ b/net/atm/svc.c
+@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
+ 		error = -EINVAL;
+ 		goto out;
+ 	}
+-	vcc_insert_socket(sk);
++	if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
++		error = -EADDRINUSE;
++		goto out;
++        }
+ 	set_bit(ATM_VF_WAITING, &vcc->flags);
+ 	prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
+ 	sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
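Review bot: The new ATM_VF_LISTEN test at the top of this hunk and the set_bit(ATM_VF_LISTEN, ...) that makes it true are separated by the wait that begins at prepare_to_wait() and sigd_enq(), so the check only stops a duplicate listen if two callers on the same socket cannot both pass the test before either one sets the bit. What serializes svc_listen() is not visible in these lines; a short comment above the test, or a sentence in the commit message, naming the lock that covers this window would settle it. As a style point, the closing brace of the added block is indented with eight spaces while the three lines above it use tabs; it should be a single tab.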
+@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
+ 		goto out;
+ 	}
+ 	set_bit(ATM_VF_LISTEN,&vcc->flags);
++	vcc_insert_socket(sk);
+ 	sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
+ 	error = -sk->sk_err;
+ out:
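Review bot: Moving vcc_insert_socket(sk) below set_bit(ATM_VF_LISTEN, ...) means the socket is no longer in the vcc table while the as_listen request queued by sigd_enq() is outstanding, and a failure that takes the `goto out` just above never inserts it at all. That appears to be the intent, but the commit message only says that the double call plus a read of /proc/net/atm/*vc causes a denial of service. It should say that a second listen() previously reached the unconditional vcc_insert_socket(sk) again for the same socket and that insertion is now deferred until the listen has succeeded. It is also worth confirming that nothing handling the reply depends on the socket already being in the table during the wait.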

Modified: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/12	(original)
+++ dists/sid/linux-2.6/debian/patches/series/12	Sat Dec  6 17:28:47 2008
@@ -1,2 +1,3 @@
 + bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
 + bugfix/all/inotify-watch-removal-umount-races.patch
++ bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch


