[kernel] r12483 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Dec 6 17:28:48 UTC 2008
Author: dannf
Date: Sat Dec 6 17:28:47 2008
New Revision: 12483
Log:
Fix DoS when calling svc_listen twice on the same socket while reading
/proc/net/atm/*vc (CVE-2008-5079)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/12
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Sat Dec 6 17:28:47 2008
@@ -6,8 +6,10 @@
[ dann frazier ]
* Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
* Fix race conditions between inotify removal and umount (CVE-2008-5182)
+ * Fix DoS when calling svc_listen twice on the same socket while reading
+ /proc/net/atm/*vc (CVE-2008-5079)
- -- dann frazier <dannf at debian.org> Mon, 01 Dec 2008 23:32:05 -0700
+ -- dann frazier <dannf at debian.org> Fri, 05 Dec 2008 23:12:07 -0700
linux-2.6 (2.6.26-11) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch Sat Dec 6 17:28:47 2008
@@ -0,0 +1,37 @@
+commit 17b24b3c97498935a2ef9777370b1151dfed3f6f
+Author: Chas Williams <chas at cmf.nrl.navy.mil>
+Date: Thu Dec 4 14:58:13 2008 -0800
+
+ ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
+
+ As reported by Hugo Dias that it is possible to cause a local denial
+ of service attack by calling the svc_listen function twice on the same
+ socket and reading /proc/net/atm/*vc
+
+ Signed-off-by: Chas Williams <chas at cmf.nrl.navy.mil>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/atm/svc.c b/net/atm/svc.c
+index de1e4f2..8fb54dc 100644
+--- a/net/atm/svc.c
++++ b/net/atm/svc.c
+@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
+ error = -EINVAL;
+ goto out;
+ }
+- vcc_insert_socket(sk);
++ if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
++ error = -EADDRINUSE;
++ goto out;
++ }
+ set_bit(ATM_VF_WAITING, &vcc->flags);
+ prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
+ sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
+@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
+ goto out;
+ }
+ set_bit(ATM_VF_LISTEN,&vcc->flags);
++ vcc_insert_socket(sk);
+ sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
+ error = -sk->sk_err;
+ out:
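Review bot: In the embedded net/atm/svc.c change, the new test_bit(ATM_VF_LISTEN, &vcc->flags) check runs before the wait on the signalling daemon, while set_bit(ATM_VF_LISTEN,&vcc->flags) and the relocated vcc_insert_socket(sk) only run after it, so the check and the insert are not a single atomic step. The visible lines do not show what serializes two listen() calls on the same socket across the prepare_to_wait()/sigd_enq() window; if the socket lock is not held for the whole function, both callers could pass the check and the socket would still be inserted twice. Please state the locking assumption in the commit message, or make the check-and-mark atomic (for example with test_and_set_bit()) before sigd_enq(). The message also does not say why a second vcc_insert_socket(sk) corrupts the table, or why -EADDRINUSE was chosen for the repeated call; one sentence on each would help anyone backporting this fix.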
Modified: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/12 (original)
+++ dists/sid/linux-2.6/debian/patches/series/12 Sat Dec 6 17:28:47 2008
@@ -1,2 +1,3 @@
+ bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
+ bugfix/all/inotify-watch-removal-umount-races.patch
++ bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch