[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode. So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Al Viro
Linus Torvalds
parent
8546df6f35
commit
330d57fb98
4 changed files with 116 additions and 31 deletions
|
|
@ -66,6 +66,7 @@ struct proc_dir_entry {
|
|||
write_proc_t *write_proc;
|
||||
atomic_t count; /* use count */
|
||||
int deleted; /* delete flag */
|
||||
void *set;
|
||||
};
|
||||
|
||||
struct kcore_list {
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@
|
|||
#include <linux/compiler.h>
|
||||
|
||||
struct file;
|
||||
struct completion;
|
||||
|
||||
#define CTL_MAXNAME 10 /* how many path components do we allow in a
|
||||
call to sysctl? In other words, what is
|
||||
|
|
@ -925,6 +926,8 @@ struct ctl_table_header
|
|||
{
|
||||
ctl_table *ctl_table;
|
||||
struct list_head ctl_entry;
|
||||
int used;
|
||||
struct completion *unregistering;
|
||||
};
|
||||
|
||||
struct ctl_table_header * register_sysctl_table(ctl_table * table,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue