Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201103151427.39405.ludwig.nussel@suse.de>
Date: Tue, 15 Mar 2011 14:27:38 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: 2 acpid flaws

Hi,

Looks like this implicit CVE request got lost:
http://www.openwall.com/lists/oss-security/2011/01/19/4

The first issue deserves a CVE I guess as unprivileged users could
block acpid.

cu
Ludwig

Vasiliy Kulikov wrote:
> I. Blocking write.
> 
> I.1. Description.
> 
> acpid informs unprivileged processes about acpi events via UNIX socket.
> This socket is in blocking mode.  If unprivileged process stops reading
> data from the socket then, in some time, the socket queue fills up
> leading to hanging privileged acpid daemon.  The daemon hangs until the
> socket peer process reads some portion of the queued data or the peer
> process exits/is killed.
> [...]
> II. Incorrect accept(2) error handling.
> 
> II.1. Description.
> 
> acpid doesn't gracefully handle client disconnection before the call to
> accept(2).  If client calls close(2) between acpid calls poll(2) and
> accept(2), acpid would hang in accept(2) until new client connects to
> /var/run/acpid.socket.
> 
> This is only theoretical flaw as with current Linux kernel
> implementation accept(2) would return new socket handler even if the
> peer is closed.  However this behavior is implementation specific and
> may be changed in future versions of kernels (or custom versions).

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.