Bugtraq mailing list archives

Re: Linux kernel sysctl() vulnerability

From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Sat, 10 Feb 2001 10:28:01 +0100

Chris Evans <chris () SCARY BEASTS ORG> writes:

There exists a Linux system call sysctl() which is used to query and
modify runtime system settings. Unprivileged users are permitted to query
the value of many of these settings.


It appears that all current Linux kernel version (2.2.x and 2.4.x) are
vulnerable.  Right?

Was it really necessary to release this stuff just before the weekend?

The following trivial patch should fix this issue. (I wonder how you
can audit code for such vulnerabilities.  It's probably much easier to
rewrite it in Ada. ;-)

--- sysctl.c    2001/02/10 09:42:12     1.1
+++ sysctl.c    2001/02/10 09:42:26
@@ -1123,7 +1123,7 @@
                  void *oldval, size_t *oldlenp,
                  void *newval, size_t newlen, void **context)
 {
-       int l, len;
+       unsigned l, len;

        if (!table->data || !table->maxlen)
                return -ENOTDIR;

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Current thread:

Linux kernel sysctl() vulnerability Chris Evans (Feb 10)
- Re: Linux kernel sysctl() vulnerability Florian Weimer (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Ryan W. Maple (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Aleksander Kamil Modzelewski (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Greg KH (Feb 10)
    - Re: Linux kernel sysctl() vulnerability Joost Pol2 (Feb 12)
  - Re: Linux kernel sysctl() vulnerability Stephen White (Feb 12)