]> git.karo-electronics.de Git - karo-tx-linux.git/commit
projects / karo-tx-linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 741b225) | patch
[PATCH] CVE-2005-2709 sysctl unregistration oops
authorAl Viro <viro@zeniv.linux.org.uk>
Tue, 8 Nov 2005 15:03:46 +0000 (15:03 +0000)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 8 Nov 2005 19:14:00 +0000 (11:14 -0800)
commite4e0411221c7d4f2bd82fa5e21745f927a1bff28
treeb6c907ab12c026c8612e2313e91aa529cc7703eftree | snapshot
parent741b2252a5e14d6c60a913c77a6099abe73a854acommit | diff
[PATCH] CVE-2005-2709 sysctl unregistration oops

You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.

So this is at least an Oops and possibly more.  It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
arch/s390/appldata/appldata_base.c diff | blob | history
include/linux/proc_fs.h diff | blob | history
include/linux/sysctl.h diff | blob | history
kernel/sysctl.c diff | blob | history
Linux kernel for KaRo TX COM modules