[19117] in bugtraq
Re: Linux kernel sysctl() vulnerability
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sat Feb 10 14:24:00 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <tg3ddmanvi.fsf@mercury.rus.uni-stuttgart.de>
Date: Sat, 10 Feb 2001 10:28:01 +0100
Reply-To: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
X-To: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0102091259040.32418-100000@ferret.lmh.ox.ac.uk>
Chris Evans <chris@SCARY.BEASTS.ORG> writes:
> There exists a Linux system call sysctl() which is used to query and
> modify runtime system settings. Unprivileged users are permitted to query
> the value of many of these settings.
It appears that all current Linux kernel version (2.2.x and 2.4.x) are
vulnerable. Right?
Was it really necessary to release this stuff just before the weekend?
The following trivial patch should fix this issue. (I wonder how you
can audit code for such vulnerabilities. It's probably much easier to
rewrite it in Ada. ;-)
--- sysctl.c 2001/02/10 09:42:12 1.1
+++ sysctl.c 2001/02/10 09:42:26
@@ -1123,7 +1123,7 @@
void *oldval, size_t *oldlenp,
void *newval, size_t newlen, void **context)
{
- int l, len;
+ unsigned l, len;
if (!table->data || !table->maxlen)
return -ENOTDIR;
--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
