* linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privileged DoS
@ 2004-06-18 8:51 Vitaly V. Bursov
From: Vitaly V. Bursov @ 2004-06-18 8:51 UTC
To: linux-kernel; +Cc: Alan Cox
Hello,
there are multiple vulns in drivers/net/eql.c
====
static int eql_g_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
	...
	if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
		return -EFAULT;
	slave_dev = dev_get_by_name(sc.slave_name);
	ret = -EINVAL;
	spin_lock_bh(&eql->queue.lock);
	if (eql_is_slave(slave_dev)) {
	...
====
and
====
static int eql_s_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
	....
	if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
		return -EFAULT;
	eql = dev->priv;
	slave_dev = dev_get_by_name(sc.slave_name);
	ret = -EINVAL;
	spin_lock_bh(&eql->queue.lock);
	if (eql_is_slave(slave_dev)) {
====
if there is no such device, dev_get_by_name returns NULL and everything dies.
Exploiting this is trivial.
Hopefully somebody will check this file carefully and fix it.
I am not on the list.
--
Thanks,
Vitaly
GPG Key ID: F95A23B9
* Re: linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privileged DoS
@ 2004-06-18 11:35 ` Herbert Xu
From: Herbert Xu @ 2004-06-18 11:35 UTC
To: Vitaly V. Bursov; +Cc: linux-kernel, alan, davem, jgarzik, netdev
Vitaly V. Bursov <vitalyvb@ukr.net> wrote:
>
> there are multiple vulns in drivers/net/eql.c
>
> if there is no such device, dev_get_by_name returns NULL and everything dies.
> Exploiting this is trivial.
Thanks for the report. This patch should fix them.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
===== drivers/net/eql.c 1.13 vs edited =====
--- 1.13/drivers/net/eql.c 2004-06-05 01:50:36 +10:00
+++ edited/drivers/net/eql.c 2004-06-18 21:30:49 +10:00
@@ -497,6 +497,8 @@
slave_dev = dev_get_by_name(sc.slave_name);
ret = -EINVAL;
+ if (!slave_dev)
+ return ret;
spin_lock_bh(&eql->queue.lock);
if (eql_is_slave(slave_dev)) {
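Review bot: the new `if (!slave_dev) return ret;` reports a missing device with the same -EINVAL that `ret` carries into the `eql_is_slave()` branch, so userspace cannot tell "no such interface" from the other failure paths that leave `ret` untouched; returning -ENODEV from the NULL check would make the two cases distinguishable. The placement itself is right: the return sits before `spin_lock_bh(&eql->queue.lock)`, so no lock is held on the early exit.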
@@ -531,6 +533,8 @@
slave_dev = dev_get_by_name(sc.slave_name);
ret = -EINVAL;
+ if (!slave_dev)
+ return ret;
spin_lock_bh(&eql->queue.lock);
if (eql_is_slave(slave_dev)) {
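Review bot: past the new NULL check in this second hunk, the reference that `dev_get_by_name()` takes on success is held across `spin_lock_bh()` and the `eql_is_slave()` branch, and nothing in the visible context shows a matching `dev_put()`; please confirm that every exit after the check drops it. The early `return ret` needs no `dev_put()` because no reference was taken when the lookup returned NULL. Since the identical two-line check now appears in both hunks, a short comment at one of them noting that the slave name comes straight from userspace would help the next reader see why the check is needed.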