Bug 132293 (CVE-2005-2709)

Summary: VUL-0: CVE-2005-2709: kernel: sysctl unregistration oops
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2005-2709: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patch

Description Ludwig Nussel 2005-11-04 10:47:12 UTC 
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Fri, 4 Nov 2005 10:18:40 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: security@kernel.org
Cc: vendor-sec@lst.de, aviro@redhat.com
Subject: [vendor-sec] CVE-2005-2709 sysctl unregistration oops

Al Viro discovered an exploitable hole in sysctl unregistration affecting 
2.4 and 2.6 kernels.

"You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then 
wait for interface to go away, try to grab as much memory as possible in 
hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your 
function. Then do read from file you've opened and if you are lucky, 
you'll get it called as ->proc_handler() in kernel mode."

So this is at least an Oops and possibly more.  It does depend on an 
interface going away though, so less of a security risk than it would 
otherwise be.

Proposed patch from Al Viro attached, suggest the usual day or two embargo 
for discussion here, so say public 20051108:1400UTC

Thanks, Mark
-- 
Mark J Cox / Red Hat Security Response Team
Comment 1 Ludwig Nussel 2005-11-04 10:48:13 UTC 
Created attachment 56472 [details]
patch
Comment 2 Marcus Meissner 2005-11-11 15:58:58 UTC 
dont know if it was applied yet, guess not...

should be public now.
Comment 3 Olaf Kirch 2005-11-15 15:53:30 UTC 
I don't think we want this patch in a security update, because it
changes the procfs inode and hence the kernel ABI.
Comment 4 Marcus Meissner 2005-11-17 12:09:08 UTC 
i have to agree.

hmm, how do we approach this?

or do we want to fix this at all?
Comment 5 Olaf Kirch 2005-11-22 08:42:56 UTC 
I think this is a clear wontfix.
How many users can trigger a module unload?
Comment 6 Marcus Meissner 2005-11-22 09:35:32 UTC 
I can only think of myself pulling out the WLAN card... 
But then I am the console user and can damage the machine in other ways.

Lets rest this issue with being fixed in STABLE and upcoming products.
Comment 7 Thomas Biege 2009-10-13 21:46:15 UTC 
CVE-2005-2709: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)