diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2005-11-04 05:18:40 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-11-08 20:57:30 -0500 |
| commit | 330d57fb98a916fa8e1363846540dd420e99499a (patch) | |
| tree | 841d5e5eeda46fd95ac03c36964919818a9bc3a6 /include/linux/proc_fs.h | |
| parent | 8546df6f357dadf1989ad8da9309c9524fd56cdf (diff) | |
[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'include/linux/proc_fs.h')
| -rw-r--r-- | include/linux/proc_fs.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 65ceeaa30652..74488e49166d 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h | |||
| @@ -66,6 +66,7 @@ struct proc_dir_entry { | |||
| 66 | write_proc_t *write_proc; | 66 | write_proc_t *write_proc; |
| 67 | atomic_t count; /* use count */ | 67 | atomic_t count; /* use count */ |
| 68 | int deleted; /* delete flag */ | 68 | int deleted; /* delete flag */ |
| 69 | void *set; | ||
| 69 | }; | 70 | }; |
| 70 | 71 | ||
| 71 | struct kcore_list { | 72 | struct kcore_list { |