List: full-disclosure
Subject: [Full-disclosure] linux procfs vulnerability
From: Karl Janmar <karl () utopiafoundation ! org>
Date: 2005-12-23 15:03:31
Message-ID: 43AC11C3.30109 () utopiafoundation ! org
Hi,
I have found one flaw in the Linux procfs code that makes the kernel disclose memory.
In Linux version 2.6.14.3,
fs/proc/proc_misc.c:74
snip:
...
if (len <= off+count) *eof = 1;
*start = page + off;
...
off is an off_t and count is an int.
This flaw is not limited to procfs but is spread to other places:
./arch/ia64/kernel/palinfo.c: if (len <= off+count) *eof = 1;
./arch/ia64/kernel/salinfo.c: if (len <= off+count) *eof = 1;
./arch/ppc64/kernel/rtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ds1286.c: if (len <= off+count) *eof = 1;
./drivers/char/efirtc.c: if (len <= off+count) *eof = 1;
./drivers/char/genrtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ip27-rtc.c: if (len <= off+count) *eof = 1;
./drivers/input/misc/hp_sdc_rtc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/net/wireless/atmel.c: if (len <= off+count) *eof = 1;
./drivers/telephony/ixj.c: if (len <= off+count) *eof = 1;
./fs/proc/proc_misc.c: if (len <= off+count) *eof = 1;
However, I think the procfs is the most important.
I would like to greet dim,cmn and je.
--
Karl Janmar
karl@utopiafoundation.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
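
Added example, not part of the original post and not kernel code: a user-space C model of the two quoted lines next to a bounds-checked variant that validates `off` before any pointer is formed. The function names, the 32-byte length and the sample offsets are constructed, and it assumes an offset can reach the handler without earlier validation, which the post does not detail.

```c
#include <stdio.h>
#include <sys/types.h>

/* Model of the two quoted lines. Returns the displacement that
 * "*start = page + off" applies to the page pointer; nothing here
 * checks that it falls inside [0, len]. */
static long long quoted_logic(int len, off_t off, int count, int *eof)
{
    *eof = 0;
    if (len <= off + count) *eof = 1;
    return (long long)off;
}

/* Bounds-checked variant (hypothetical helper). Returns how many bytes
 * may be read starting at page + off, or -1 if the request is rejected.
 * It never computes off + count, so mixed-width arithmetic cannot wrap. */
static int checked_window(int len, off_t off, int count, int *eof)
{
    *eof = 0;
    if (len < 0 || count < 0 || off < 0)
        return -1;                  /* never form a pointer before the page */
    if (off >= len) {               /* nothing left to read */
        *eof = 1;
        return 0;
    }
    int avail = len - (int)off;     /* safe: 0 <= off < len */
    if (count >= avail) {
        *eof = 1;
        return avail;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a 32-byte result and four requested windows. */
    const int len = 32;
    const struct { off_t off; int count; } reqs[] = {
        {0, 64}, {10, 4}, {40, 64}, {-16, 64},
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int e1, e2;
        long long d = quoted_logic(len, reqs[i].off, reqs[i].count, &e1);
        int n = checked_window(len, reqs[i].off, reqs[i].count, &e2);
        printf("off=%lld count=%d: quoted start=page%+lld eof=%d; checked n=%d eof=%d\n",
               (long long)reqs[i].off, reqs[i].count, d, e1, n, e2);
    }
    return 0;
}
```

The same window check applies to each file in the post's list, since they share the identical comparison.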