| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43AC11C3.30109@utopiafoundation.org> Date: Fri Dec 23 16:02:27 2005 From: karl at utopiafoundation.org (Karl Janmar) Subject: linux procfs vulnerablity Hi, I have found one flaw in Linux procfs code that make the kernel disclose memory. In the linux version 2.6.14.3, fs/proc/proc_misc.c:74 snip: ... if (len <= off+count) *eof = 1; *start = page + off; ... off is a off_t and count is a int. This flaw is not limited to procfs but is spread to other places: ./arch/ia64/kernel/palinfo.c: if (len <= off+count) *eof = 1; ./arch/ia64/kernel/salinfo.c: if (len <= off+count) *eof = 1; ./arch/ppc64/kernel/rtc.c: if (len <= off+count) *eof = 1; ./drivers/char/ds1286.c: if (len <= off+count) *eof = 1; ./drivers/char/efirtc.c: if (len <= off+count) *eof = 1; ./drivers/char/genrtc.c: if (len <= off+count) *eof = 1; ./drivers/char/ip27-rtc.c: if (len <= off+count) *eof = 1; ./drivers/input/misc/hp_sdc_rtc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/net/wireless/atmel.c: if (len <= off+count) *eof = 1; ./drivers/telephony/ixj.c: if (len <= off+count) *eof = 1; ./fs/proc/proc_misc.c: if (len <= off+count) *eof = 1; However I think the procfs is the most important. I would like to greet dim,cmn and je. -- Karl Janmar karl@...piafoundation.org
Powered by blists - more mailing lists