[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] linux procfs vulnerablity
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] linux procfs vulnerablity
- From: Karl Janmar <karl@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Dec 2005 22:03:31 +0700
Hi,
I have found one flaw in Linux procfs code that make the kernel disclose memory.
In the linux version 2.6.14.3,
fs/proc/proc_misc.c:74
snip:
...
if (len <= off+count) *eof = 1;
*start = page + off;
...
off is a off_t and count is a int.
This flaw is not limited to procfs but is spread to other places:
./arch/ia64/kernel/palinfo.c: if (len <= off+count) *eof = 1;
./arch/ia64/kernel/salinfo.c: if (len <= off+count) *eof = 1;
./arch/ppc64/kernel/rtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ds1286.c: if (len <= off+count) *eof = 1;
./drivers/char/efirtc.c: if (len <= off+count) *eof = 1;
./drivers/char/genrtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ip27-rtc.c: if (len <= off+count) *eof = 1;
./drivers/input/misc/hp_sdc_rtc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/net/wireless/atmel.c: if (len <= off+count) *eof = 1;
./drivers/telephony/ixj.c: if (len <= off+count) *eof = 1;
./fs/proc/proc_misc.c: if (len <= off+count) *eof = 1;
However I think the procfs is the most important.
I would like to greet dim,cmn and je.
--
Karl Janmar
karl@xxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/