• Al Viro's avatar
    [PATCH] CVE-2005-2709 sysctl unregistration oops · e4e04112
    Al Viro authored
    You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
    wait for interface to go away, try to grab as much memory as possible in
    hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
    function. Then do read from file you've opened and if you are lucky,
    you'll get it called as ->proc_handler() in kernel mode.
    
    So this is at least an Oops and possibly more.  It does depend on an
    interface going away though, so less of a security risk than it would
    otherwise be.
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    e4e04112
sysctl.c 56.7 KB