|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] linux procfs vulnerablity
From: Karl Janmar (karl
utopiafoundation.org)
Date: Fri Dec 23 2005 - 09:03:31 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
I have found one flaw in Linux procfs code that make the kernel disclose memory.
In the linux version 2.6.14.3,
fs/proc/proc_misc.c:74
snip:
...
if (len <= off+count) *eof = 1;
*start = page + off;
...
off is a off_t and count is a int.
This flaw is not limited to procfs but is spread to other places:
./arch/ia64/kernel/palinfo.c: if (len <= off+count) *eof = 1;
./arch/ia64/kernel/salinfo.c: if (len <= off+count) *eof = 1;
./arch/ppc64/kernel/rtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ds1286.c: if (len <= off+count) *eof = 1;
./drivers/char/efirtc.c: if (len <= off+count) *eof = 1;
./drivers/char/genrtc.c: if (len <= off+count) *eof = 1;
./drivers/char/ip27-rtc.c: if (len <= off+count) *eof = 1;
./drivers/input/misc/hp_sdc_rtc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1;
./drivers/net/wireless/atmel.c: if (len <= off+count) *eof = 1;
./drivers/telephony/ixj.c: if (len <= off+count) *eof = 1;
./fs/proc/proc_misc.c: if (len <= off+count) *eof = 1;
However I think the procfs is the most important.
I would like to greet dim,cmn and je.
--
Karl Janmar
karlutopiafoundation.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]