]> git.karo-electronics.de Git - karo-tx-linux.git/commit
projects / karo-tx-linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 20b233a) | patch
[PATCH] CVE-2005-2709 sysctl unregistration oops
authorAl Viro <viro@zeniv.linux.org.uk>
Tue, 8 Nov 2005 15:03:46 +0000 (15:03 +0000)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 15 Dec 2005 18:33:17 +0000 (10:33 -0800)
commite545fd941928c6ff87571e6742f81d7659c0578d
tree8a43989c94b2d3aad0ac611f24d3b8f0e0700859tree | snapshot
parent20b233a95e9d0a146a1c160d0874545323336a50commit | diff
[PATCH] CVE-2005-2709 sysctl unregistration oops

You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.

So this is at least an Oops and possibly more.  It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
arch/s390/appldata/appldata_base.c diff | blob | history
include/linux/proc_fs.h diff | blob | history
include/linux/sysctl.h diff | blob | history
kernel/sysctl.c diff | blob | history
Linux kernel for KaRo TX COM modules