[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/arch/s390/appldata/appldata_base.c b/arch/s390/appldata/appldata_base.c
index c9f2f60..dee6ab54 100644
--- a/arch/s390/appldata/appldata_base.c
+++ b/arch/s390/appldata/appldata_base.c
@@ -592,12 +592,15 @@
*/
void appldata_unregister_ops(struct appldata_ops *ops)
{
+ void *table;
spin_lock(&appldata_ops_lock);
- unregister_sysctl_table(ops->sysctl_header);
list_del(&ops->list);
- kfree(ops->ctl_table);
+ /* at that point any incoming access will fail */
+ table = ops->ctl_table;
ops->ctl_table = NULL;
spin_unlock(&appldata_ops_lock);
+ unregister_sysctl_table(ops->sysctl_header);
+ kfree(table);
P_INFO("%s-ops unregistered!\n", ops->name);
}
/********************** module-ops management <END> **************************/
