diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2005-11-08 15:03:46 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2005-11-08 11:14:00 -0800 |
commit | e4e0411221c7d4f2bd82fa5e21745f927a1bff28 (patch) | |
tree | b6c907ab12c026c8612e2313e91aa529cc7703ef /include/linux/sysctl.h | |
parent | 741b2252a5e14d6c60a913c77a6099abe73a854a (diff) |
[PATCH] CVE-2005-2709 sysctl unregistration oops
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/linux/sysctl.h')
-rw-r--r-- | include/linux/sysctl.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h index fc8e367f671e..fc131d6602b9 100644 --- a/include/linux/sysctl.h +++ b/include/linux/sysctl.h @@ -24,6 +24,7 @@ #include <linux/compiler.h> struct file; +struct completion; #define CTL_MAXNAME 10 /* how many path components do we allow in a call to sysctl? In other words, what is @@ -925,6 +926,8 @@ struct ctl_table_header { ctl_table *ctl_table; struct list_head ctl_entry; + int used; + struct completion *unregistering; }; struct ctl_table_header * register_sysctl_table(ctl_table * table, |