linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privilegedDoS

From: Vitaly V. Bursov
Date: Fri Jun 18 2004 - 04:14:08 EST

Next message: Jan-Benedict Glaw: "Re: Stop the Linux kernel madness"
Previous message: Helge Hafting: "Re: Stop the Linux kernel madness"
Next in thread: Herbert Xu: "Re: linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privileged DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

there are multiple vulns in drivers/net/eql.c

====
static int eql_g_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
...
if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
return -EFAULT;

slave_dev = dev_get_by_name(sc.slave_name);

ret = -EINVAL;

spin_lock_bh(&eql->queue.lock);
if (eql_is_slave(slave_dev)) {
...
====

and

====
static int eql_s_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
....
if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
return -EFAULT;

eql = dev->priv;
slave_dev = dev_get_by_name(sc.slave_name);

ret = -EINVAL;

spin_lock_bh(&eql->queue.lock);
if (eql_is_slave(slave_dev)) {
====

if there is no such device, dev_get_by_name returns NULL and everything dies.
Exploiting this is trivial.

Hopefully somebody will check this file carefully and fix it.

I am not in a list.
--
Thanks,
Vitaly
GPG Key ID: F95A23B9

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Jan-Benedict Glaw: "Re: Stop the Linux kernel madness"
Previous message: Helge Hafting: "Re: Stop the Linux kernel madness"
Next in thread: Herbert Xu: "Re: linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privileged DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]