[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)

You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode. So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2025-07-22 23:04:43 +00:00 · 2005-11-04 10:18:40 +00:00 · 2005-11-04 10:18:40 +00:00 · 330d57fb98
commit 330d57fb98
parent 8546df6f35
4 changed files with 116 additions and 31 deletions
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@ -66,6 +66,7 @@ struct proc_dir_entry {
 	write_proc_t *write_proc;
 	atomic_t count;		/* use count */
 	int deleted;		/* delete flag */
+	void *set;
 };

 struct kcore_list {