kernel-2.6.18-194.11.1.el5.src.rpm

From: Eugene Teo <eteo@redhat.com>
Date: Fri, 5 Dec 2008 14:11:50 +0800
Subject: [net] atm: prevent local denial of service
Message-id: 4938C626.2060102@redhat.com
O-Subject: [RHEL5.3 patch] BZ#473701 CVE-2008-5079 Linux Kernel 'atm module' Local Denial of Service
Bugzilla: 473701
RH-Acked-by: Anton Arapov <aarapov@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
CVE: CVE-2008-5079
RH-Acked-by: David Miller <davem@redhat.com>

This is for bz#473701.

Hugo Dias reported that it is possible to cause a local denial of
service attack by calling the svc_listen function twice on the same
socket and reading /proc/net/atm/*vc.

Backport of:
http://marc.info/?l=linux-netdev&m=122841256115780&w=2
http://marc.info/?l=linux-netdev&m=122843162615569&w=2

Brew build:
https://brewweb.devel.redhat.com/taskinfo?taskID=1598155

Test status:
Booted on i686. Tested with reproducer.

Signed-off-by: Eugene Teo <eteo@redhat.com>
CC: Anton Arapov <aarapov@redhat.com>

diff --git a/net/atm/svc.c b/net/atm/svc.c
index 3a180cf..d77cfa1 100644
--- a/net/atm/svc.c
+++ b/net/atm/svc.c
@@ -302,7 +302,10 @@ static int svc_listen(struct socket *sock,int backlog)
 		error = -EINVAL;
 		goto out;
 	}
-	vcc_insert_socket(sk);
+	if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
+		error = -EADDRINUSE;
+		goto out;
+	}
 	set_bit(ATM_VF_WAITING, &vcc->flags);
 	prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
 	sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
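Review bot: The added test_bit(ATM_VF_LISTEN, &vcc->flags) check and the set_bit(ATM_VF_LISTEN, ...) in the following hunk are two separate steps with a TASK_UNINTERRUPTIBLE wait and a sigd_enq() round trip between them, so the check only prevents a double listen if something serialises callers across that whole window. The lines shown here do not include any locking, so please confirm that the socket lock is held from the check through to the set_bit. A one-line comment above the check would also help, saying that a second listen on the same socket must be refused because it would insert the socket into the vcc list a second time. Returning -EADDRINUSE for this case is new behaviour for user space and is worth mentioning in the changelog text.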
@@ -316,6 +319,7 @@ static int svc_listen(struct socket *sock,int backlog)
 		goto out;
 	}
 	set_bit(ATM_VF_LISTEN,&vcc->flags);
+	vcc_insert_socket(sk);
 	sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
 	error = -sk->sk_err;
 out:
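Review bot: After the moved vcc_insert_socket(sk), the function still computes error = -sk->sk_err, so svc_listen() can return a failure while the socket has already been inserted and ATM_VF_LISTEN is already set. With the check added in the first hunk, a retry after such a failure would then get -EADDRINUSE rather than a second attempt. Consider testing sk->sk_err before the set_bit()/vcc_insert_socket() pair, or undoing both on the error path. Separately, the socket becomes visible in the list one line before sk_max_ack_backlog is assigned; setting the backlog first and inserting last would avoid exposing a listening socket with a stale backlog value.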