Bugzilla – Bug 132293
VUL-0: CVE-2005-2709: kernel: sysctl unregistration oops
Last modified: 2021-12-08 15:16:21 UTC
We received the following report via vendor-sec. This issue is not public yet, please keep any information about it inside SUSE.

Date: Fri, 4 Nov 2005 10:18:40 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: security@kernel.org
Cc: vendor-sec@lst.de, aviro@redhat.com
Subject: [vendor-sec] CVE-2005-2709 sysctl unregistration oops

Al Viro discovered an exploitable hole in sysctl unregistration affecting 2.4 and 2.6 kernels.

"You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode."

So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be.

Proposed patch from Al Viro attached, suggest the usual day or two embargo for discussion here, so say public 20051108:1400UTC

Thanks, Mark
-- 
Mark J Cox / Red Hat Security Response Team
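The bug class in the report is a stale pointer from an open /proc/sys file to a ctl_table that unregistration has already freed. The following is an added userspace model of the safe lifetime pattern (refcount plus an "unregistered" flag checked on the read path); it is not code from the report, from the kernel, or from Al Viro's attached patch, and the function names and the "forwarding" entry name are constructed for the example.

```c
/* Added example, not code from the report or Al Viro's patch: a userspace
 * model of the sysctl lifetime bug. A file opened on a sysctl entry keeps a
 * pointer to the ctl_table; if unregistering the interface simply kfrees the
 * table, a later read calls ->proc_handler through freed memory. Here the
 * table is refcounted and marked unregistered instead, so the read fails with
 * -ENODEV and memory is freed only when the last open file closes. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct ctl_table;
typedef int (*proc_handler_t)(struct ctl_table *t, char *buf, size_t len);
struct ctl_table {
    const char *procname;
    proc_handler_t proc_handler;
    int refcnt;        /* one for the registration plus one per open file */
    int unregistered;  /* set once the owning interface is gone */
};
struct file { struct ctl_table *table; };

static int handler_ok(struct ctl_table *t, char *buf, size_t len) {
    strncpy(buf, t->procname, len);
    return 0;
}
static void sysctl_put(struct ctl_table *t) { if (--t->refcnt == 0) free(t); }

/* Registration creates the table holding one reference of its own. */
struct ctl_table *sysctl_register(const char *name) {
    struct ctl_table *t = calloc(1, sizeof *t);
    t->procname = name; t->proc_handler = handler_ok; t->refcnt = 1;
    return t;
}
/* Opening takes a reference, so the table cannot vanish under the file. */
struct file sysctl_open(struct ctl_table *t) { t->refcnt++; return (struct file){ t }; }
/* Unregister detaches the table and drops only the registration's reference. */
void sysctl_unregister(struct ctl_table *t) { t->unregistered = 1; sysctl_put(t); }
/* The read path refuses to call the handler of a detached table. */
int sysctl_read(struct file *f, char *buf, size_t len) {
    if (f->table->unregistered) return -ENODEV;
    return f->table->proc_handler(f->table, buf, len);
}
void sysctl_close(struct file *f) { sysctl_put(f->table); f->table = NULL; }

/* The sequence from the report: open, interface goes away, then read.
 * "forwarding" is a constructed entry name for the example. */
int scenario_open_unregister_read(void) {
    char buf[16];
    struct ctl_table *t = sysctl_register("forwarding");
    struct file f = sysctl_open(t);
    sysctl_unregister(t);                       /* interface removal */
    int rc = sysctl_read(&f, buf, sizeof buf);  /* -ENODEV, no call via freed memory */
    sysctl_close(&f);                           /* last reference: freed here */
    return rc;
}
```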
Created attachment 56472 [details] patch
Don't know if it was applied yet, guess not... should be public now.
I don't think we want this patch in a security update, because it changes the procfs inode and hence the kernel ABI.
I have to agree. Hmm, how do we approach this? Or do we want to fix this at all?
I think this is a clear wontfix. How many users can trigger a module unload?
I can only think of myself pulling out the WLAN card... But then I am the console user and can damage the machine in other ways. Let's rest this issue with being fixed in STABLE and upcoming products.
CVE-2005-2709: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)