blob: 12eb1c7e1e240cbe158911b69bb35cd0992eb5c6 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
Candidate: CVE-2005-2709
References:
CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=blob_plain;h=5dbbdc13a7bdbc132de44bc00e13079afaf033d0;f=2.6.14.1/cve-2005-2709-sysctl-unregistration-oops.patch
Description:
From: Al Viro <viro@zeniv.linux.org.uk>
.
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
Notes:
CVE is reserved, so we can't take the description from there yet
.
dannf> arch/s390/appldata/appldata_base.c doesn't exist in 2.4, so I dropped
dannf> that hunk in my backport
.
**THIS IS AN ABI CHANGE**
Bug:
upstream: released (2.6.14.1), released (2.4.33-pre1)
linux-2.6: released (2.6.14-3)
2.6.8-sarge-security: released (2.6.8-16sarge2) [sysctl-unregistration-oops.dpatch]
2.4.27-sarge-security: released (2.4.27-10sarge2) [196_sysctl-unregistration-oops.patch]
2.4.19-woody-security:
2.4.18-woody-security:
2.4.17-woody-security:
2.4.16-woody-security:
2.4.17-woody-security-hppa:
2.4.17-woody-security-ia64:
2.4.18-woody-security-hppa:
|