Full Disclosure mailing list archives
linux procfs vulnerability
From: Karl Janmar <karl () utopiafoundation org>
Date: Fri, 23 Dec 2005 22:03:31 +0700
Hi,

I have found one flaw in Linux procfs code that makes the kernel disclose memory.

In the Linux version 2.6.14.3, fs/proc/proc_misc.c:74

snip:
...
        if (len <= off+count) *eof = 1;
        *start = page + off;
...

off is an off_t and count is an int.

This flaw is not limited to procfs but is spread to other places:

./arch/ia64/kernel/palinfo.c:           if (len <= off+count) *eof = 1;
./arch/ia64/kernel/salinfo.c:           if (len <= off+count) *eof = 1;
./arch/ppc64/kernel/rtc.c:              if (len <= off+count) *eof = 1;
./drivers/char/ds1286.c:                if (len <= off+count) *eof = 1;
./drivers/char/efirtc.c:                if (len <= off+count) *eof = 1;
./drivers/char/genrtc.c:                if (len <= off+count) *eof = 1;
./drivers/char/ip27-rtc.c:              if (len <= off+count) *eof = 1;
./drivers/input/misc/hp_sdc_rtc.c:      if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:               if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:               if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:               if (len <= off+count) *eof = 1;
./drivers/net/wireless/atmel.c:         if (len <= off+count) *eof = 1;
./drivers/telephony/ixj.c:              if (len <= off+count) *eof = 1;
./fs/proc/proc_misc.c:                  if (len <= off+count) *eof = 1;

However I think the procfs is the most important.

I would like to greet dim, cmn and je.

--
Karl Janmar
karl () utopiafoundation org
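The quoted lines add a signed off_t to an int and then use off as an offset into page. As an added example (not code from the post or from the kernel), here is a user-space C model of a bounds check that validates off before it is used and never computes off+count. The names safe_window, sum_overflows and OFF_T_MAX are hypothetical, and the inputs in main are constructed.

```c
/* Added example: user-space model, not kernel code. All names are hypothetical. */
#include <stdio.h>
#include <sys/types.h>

/* Largest value an off_t can hold (off_t is a signed integer type). */
#define OFF_T_MAX ((off_t)((1ULL << (sizeof(off_t) * 8 - 1)) - 1))

struct window {
    size_t start; /* offset into the page where copying begins */
    int n;        /* number of bytes that may be handed out */
    int eof;      /* 1 when this read reaches the end of the data */
};

/* Reports whether the sum in `len <= off+count` leaves the range of off_t.
 * __builtin_add_overflow is a GCC/Clang builtin. */
static int sum_overflows(off_t off, int count)
{
    off_t sum;
    return __builtin_add_overflow(off, (off_t)count, &sum);
}

/* Bounds check that validates off before it is used as an index and
 * compares count with the bytes remaining instead of adding off+count. */
static struct window safe_window(int len, off_t off, int count)
{
    struct window w = { 0, 0, 1 };   /* default: hand out nothing, signal EOF */
    if (len <= 0 || count < 0)
        return w;
    if (off < 0 || off >= (off_t)len)
        return w;                    /* offset lies outside the page data */
    int remaining = len - (int)off;  /* safe: 0 <= off < len <= INT_MAX */
    w.start = (size_t)off;
    w.n = remaining > count ? count : remaining;
    w.eof = count >= remaining;      /* same condition as len <= off+count */
    return w;
}

int main(void)
{
    off_t offs[] = { 0, 60, 100, -4096, OFF_T_MAX };  /* constructed inputs */
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        struct window w = safe_window(100, offs[i], 50);
        printf("off=%lld start=%zu n=%d eof=%d overflow=%d\n", (long long)offs[i],
               w.start, w.n, w.eof, sum_overflows(offs[i], 50));
    }
    return 0;
}
```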