Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 330d57fb98a916fa8e1363846540dd420e99499a
commit330d57fb98a916fa8e1363846540dd420e99499a[log] [tgz]
authorAl Viro <viro@zeniv.linux.org.uk>Fri Nov 04 10:18:40 2005 +0000
committerLinus Torvalds <torvalds@g5.osdl.org>Tue Nov 08 17:57:30 2005 -0800
tree841d5e5eeda46fd95ac03c36964919818a9bc3a6
parent8546df6f357dadf1989ad8da9309c9524fd56cdf [diff]
[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)

You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
function.  Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.

So this is at least an Oops and possibly more.  It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
4 files changed
tree: 841d5e5eeda46fd95ac03c36964919818a9bc3a6
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. fs/
  7. include/
  8. init/
  9. ipc/
  10. kernel/
  11. lib/
  12. mm/
  13. net/
  14. scripts/
  15. security/
  16. sound/
  17. usr/
  18. .gitignore
  19. COPYING
  20. CREDITS
  21. Kbuild
  22. MAINTAINERS
  23. Makefile
  24. README
  25. REPORTING-BUGS