[PATCH] Fix sysctl unregistration oops (CVE-2005-2709) You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode. So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: 330d57fb98a916fa8e1363846540dd420e99499a [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Fri Nov 04 10:18:40 2005 +0000
committer: Linus Torvalds <torvalds@g5.osdl.org> Tue Nov 08 17:57:30 2005 -0800
tree: 841d5e5eeda46fd95ac03c36964919818a9bc3a6
parent: 8546df6f357dadf1989ad8da9309c9524fd56cdf [diff] [blame]
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index fc8e367..fc131d6 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h

@@ -24,6 +24,7 @@
 #include <linux/compiler.h>
 
 struct file;
+struct completion;
 
 #define CTL_MAXNAME 10		/* how many path components do we allow in a
 				   call to sysctl?   In other words, what is
@@ -925,6 +926,8 @@
 {
 	ctl_table *ctl_table;
 	struct list_head ctl_entry;
+	int used;
+	struct completion *unregistering;
 };
 
 struct ctl_table_header * register_sysctl_table(ctl_table * table,
commit	330d57fb98a916fa8e1363846540dd420e99499a	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Fri Nov 04 10:18:40 2005 +0000
committer	Linus Torvalds <torvalds@g5.osdl.org>	Tue Nov 08 17:57:30 2005 -0800
tree	841d5e5eeda46fd95ac03c36964919818a9bc3a6
parent	8546df6f357dadf1989ad8da9309c9524fd56cdf [diff] [blame]