CVE-2010-4249

Priority
Medium
Description
The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel
before 2.6.37-rc3-next-20101125 does not properly select times for garbage
collection of inflight sockets, which allows local users to cause a denial
of service (system hang) via crafted use of the socketpair and sendmsg
system calls for SOCK_SEQPACKET sockets.
Ubuntu-Description
Vegard Nossum discovered that memory garbage collection was not handled
correctly for active sockets. A local attacker could exploit this to
allocate all available kernel memory, leading to a denial of service.
References
Bugs
Notes
 mdeslaur> PoC: http://www.exploit-db.com/exploits/15622/
 jdstrand> dapper_linux-source-2.6.15 was marked as pending, but not included
  in 2.6.15-57.94, marking back to 'needed'
Assigned-to
bradf
Package
Upstream:released (2.6.37~rc4)
Patches:
Dapper:http://chinstrap.ubuntu.com/~bradf/CVEs/CVE-2010-4249/patches/dapper/linux/0001-af_unix-limit-unix_tot_inflight.txt
Package
Source: linux (LP Ubuntu Debian)
Upstream:released (2.6.37~rc4)
Patches:
Upstream:http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=9915672d41273f5b77f1b3c29b391ffb7732b84b
Hardy:http://chinstrap.ubuntu.com/~bradf/CVEs/CVE-2010-4249/patches/hardy/linux/0001-af_unix-limit-unix_tot_inflight.txt
Karmic:http://chinstrap.ubuntu.com/~bradf/CVEs/CVE-2010-4249/patches/karmic/linux/0001-af_unix-limit-unix_tot_inflight.txt
Lucid:http://chinstrap.ubuntu.com/~bradf/CVEs/CVE-2010-4249/patches/lucid/linux/0001-af_unix-limit-unix_tot_inflight.txt
Maverick:http://chinstrap.ubuntu.com/~bradf/CVEs/CVE-2010-4249/patches/maverick/linux/0001-af_unix-limit-unix_tot_inflight.txt
More Information

Updated: 2018-06-26 04:38:35 UTC (commit 7799c934cca373482531a7b00e4dfe82302ceae5)