Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

linux procfs vulnerablity

From: Karl Janmar <karl () utopiafoundation org>
Date: Fri, 23 Dec 2005 22:03:31 +0700
Hi,

I have found one flaw in Linux procfs code that make the kernel disclose memory.

In the linux version 2.6.14.3,
fs/proc/proc_misc.c:74
snip:
...
if (len <= off+count) *eof = 1;
*start = page + off;
...
off is a off_t and count is a int.


This flaw is not limited to procfs but is spread to other places:
./arch/ia64/kernel/palinfo.c:   if (len <= off+count) *eof = 1;
./arch/ia64/kernel/salinfo.c:   if (len <= off+count) *eof = 1;
./arch/ppc64/kernel/rtc.c:        if (len <= off+count) *eof = 1;
./drivers/char/ds1286.c:        if (len <= off+count) *eof = 1;
./drivers/char/efirtc.c:        if (len <= off+count) *eof = 1;
./drivers/char/genrtc.c:        if (len <= off+count) *eof = 1;
./drivers/char/ip27-rtc.c:        if (len <= off+count) *eof = 1;
./drivers/input/misc/hp_sdc_rtc.c:        if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:       if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:       if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c:       if (len <= off+count) *eof = 1;
./drivers/net/wireless/atmel.c:        if (len <= off+count) *eof = 1;
./drivers/telephony/ixj.c:        if (len <= off+count) *eof = 1;
./fs/proc/proc_misc.c:  if (len <= off+count) *eof = 1;

However I think the procfs is the most important.

I would like to greet dim,cmn and je.

--
Karl Janmar
karl () utopiafoundation org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: