Re: 2 acpid flaws

[Ludwig Nussel <ludwig.nussel () suse de>]

Hi,

Looks like this implicit CVE request got lost:
http://www.openwall.com/lists/oss-security/2011/01/19/4

The first issue deserves a CVE I guess as unprivileged users could
block acpid.

cu
Ludwig

Vasiliy Kulikov wrote:
> I. Blocking write.
>
> I.1. Description.
>
> acpid informs unprivileged processes about acpi events via UNIX socket.
> This socket is in blocking mode.  If unprivileged process stops reading
> data from the socket then, in some time, the socket queue fills up
> leading to hanging privileged acpid daemon.  The daemon hangs until the
> socket peer process reads some portion of the queued data or the peer
> process exits/is killed.
> [...]
> II. Incorrect accept(2) error handling.
>
> II.1. Description.
>
> acpid doesn't gracefully handle client disconnection before the call to
> accept(2).  If client calls close(2) between acpid calls poll(2) and
> accept(2), acpid would hang in accept(2) until new client connects to
> /var/run/acpid.socket.
>
> This is only theoretical flaw as with current Linux kernel
> implementation accept(2) would return new socket handler even if the
> peer is closed.  However this behavior is implementation specific and
> may be changed in future versions of kernels (or custom versions).

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)