Bug 529626 (CVE-2009-3621)
| Summary: | CVE-2009-3621 kernel: AF_UNIX: Fix deadlock on connecting to shutdown socket | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amwang, bhu, davej, dhoward, jkacur, jolsa, jpirko, jskrabal, kmcmartin, kyle, lgoncalv, ltroan, lwang, pmatouse, tcallawa, vgoyal, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 531633 (view as bug list) | Environment: | |
| Last Closed: | 2012-03-28 08:56:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 529627, 529628, 529629, 529630, 529631, 531633, 537300 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
Reproduced this issue on rhel-5 and fedora-11.

Thanks Eugene, I just committed the fix Dave Miller acked to the 3 current Fedora branches.

regards,
Kyle

upstream commit: http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=77238f2b942b38ab4e7f3aced44084493e4a8675

Created attachment 365339 [details]
reproducer

$ gcc rep.c -o rep
$ for i in {1..XX} ; do ./rep & done # substitute XX for a number of cpus
This issue has been addressed in following products:

MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html

kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11

kernel-2.6.27.38-170.2.113.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.38-170.2.113.fc10

kernel-2.6.30.9-96.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

kernel-2.6.27.38-170.2.113.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

Red Hat Enterprise Linux 4

Via RHSA-2009:1671 https://rhn.redhat.com/errata/RHSA-2009-1671.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2009:1670 https://rhn.redhat.com/errata/RHSA-2009-1670.html
Quoting from the patch submitted:

"...a deadlock bug in UNIX domain socket, which makes able to DoS attack against the local machine by non-root users. ... Why this happens: Error checks between unix_socket_connect() and unix_wait_for_peer() are inconsistent. The former calls the latter to wait until the backlog is processed. Despite the latter returns without doing anything when the socket is shutdown, the former doesn't check the shutdown state and just retries calling the latter forever."

How to reproduce:

1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstract namespace(*), and shutdown(2) it.
2. Repeat connect(2)ing to the listening socket from the other sockets until the connection backlog is completely filled.
3. connect(2) takes the CPU forever. If every core is taken, the system hangs.

Reproducer: http://patchwork.kernel.org/patch/54678/

You will need to add in the missing header files:

#include <string.h>
#include <stdio.h>
#include <sys/un.h>
#include <sys/types.h>
#include <sys/socket.h>
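The following is an added check, not the reproducer attached to this bug and not part of the upstream patch. The upstream commit linked above makes unix_stream_connect() reject a connection to a listening socket whose shutdown state is set, so on a fixed kernel a single connect(2) to a shut-down AF_UNIX/SOCK_STREAM listener fails at once with ECONNREFUSED, whereas before the fix the first connect was simply queued and only a full backlog entered the retry loop. This probe therefore uses exactly one connecting socket and never fills the backlog: it tells an administrator whether the running kernel carries the fix without exercising the deadlock. It assumes Linux (abstract-namespace names are Linux-specific) and constructs its own socket name from the process id; the function name probe_shutdown_listener is my own.

```c
/* Added probe (not part of the bug report or the kernel patch): report
 * whether the running Linux kernel carries the CVE-2009-3621 fix.
 * Fixed kernel:   connect() to a shut-down listener fails with ECONNREFUSED.
 * Unfixed kernel: the first connect() is queued and returns 0.
 * Only one connection is attempted, so the backlog is never filled. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Build an abstract-namespace address (Linux-specific: sun_path starts with
 * a NUL byte) that is unique to this process, so no filesystem entry is
 * created or left behind.  The name itself is a constructed value. */
static socklen_t abstract_addr(struct sockaddr_un *addr)
{
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    /* sun_path[0] stays '\0'; the visible name follows it. */
    int n = snprintf(addr->sun_path + 1, sizeof(addr->sun_path) - 1,
                     "cve-2009-3621-probe-%ld", (long)getpid());
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Returns the errno produced by a single connect(2) to a shut-down listener
 * (ECONNREFUSED on a fixed kernel), 0 if the connect succeeded (pre-fix
 * behaviour), or -1 if the probe's own setup failed. */
int probe_shutdown_listener(void)
{
    struct sockaddr_un addr;
    socklen_t len = abstract_addr(&addr);
    int result = -1;

    /* Step 1 of the report: a listening socket that is then shut down. */
    int lsock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lsock < 0)
        return -1;
    if (bind(lsock, (struct sockaddr *)&addr, len) < 0 ||
        listen(lsock, 1) < 0 ||
        shutdown(lsock, SHUT_RDWR) < 0) {
        close(lsock);
        return -1;
    }

    /* One connect only: enough to observe the fix, never enough to fill
     * the backlog that the original deadlock required. */
    int csock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (csock >= 0) {
        if (connect(csock, (struct sockaddr *)&addr, len) == 0)
            result = 0;          /* queued: kernel lacks the fix */
        else
            result = errno;      /* ECONNREFUSED expected on a fixed kernel */
        close(csock);
    }
    close(lsock);
    return result;
}

int main(void)
{
    int r = probe_shutdown_listener();
    if (r == ECONNREFUSED)
        printf("fixed: connect() to a shut-down listener refused (ECONNREFUSED)\n");
    else if (r == 0)
        printf("NOT fixed: connect() to a shut-down listener was queued\n");
    else
        printf("probe inconclusive: %s\n", r < 0 ? "setup failed" : strerror(r));
    return r == ECONNREFUSED ? 0 : 1;
}
```

Compile with `gcc probe.c -o probe` and run as an unprivileged user; the exit status is 0 only when the kernel refuses the connection, which is the behaviour the upstream commit introduced.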