Revision 1fb844961818ce94e782acf6a96b92dc2303553b authored by Alexey Dobriyan on 26 January 2007, 08:57:16 UTC, committed by Linus Torvalds on 26 January 2007, 21:51:00 UTC
Proposed patch to fix #5 in http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt aka http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 To reproduce, do * grab poc at the end of advisory. * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" where first "4096" is something equal to or greater than 4096. * ./poc /usr/bin/sudo && ls -l Here I get with 2.6.20-rc5: -rw------- 1 ad ad 102400 2007-01-15 19:17 core ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo Check for MAY_READ like binfmt_misc.c does. Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent c20086d
| File | Mode | Size |
|---|---|---|
| 802 | ||
| 8021q | ||
| appletalk | ||
| atm | ||
| ax25 | ||
| bluetooth | ||
| bridge | ||
| core | ||
| dccp | ||
| decnet | ||
| econet | ||
| ethernet | ||
| ieee80211 | ||
| ipv4 | ||
| ipv6 | ||
| ipx | ||
| irda | ||
| key | ||
| lapb | ||
| llc | ||
| netfilter | ||
| netlabel | ||
| netlink | ||
| netrom | ||
| packet | ||
| rose | ||
| rxrpc | ||
| sched | ||
| sctp | ||
| sunrpc | ||
| tipc | ||
| unix | ||
| wanrouter | ||
| x25 | ||
| xfrm | ||
| Kconfig | -rw-r--r-- | 8.0 KB |
| Makefile | -rw-r--r-- | 1.4 KB |
| TUNABLE | -rw-r--r-- | 2.2 KB |
| compat.c | -rw-r--r-- | 18.5 KB |
| nonet.c | -rw-r--r-- | 528 bytes |
| socket.c | -rw-r--r-- | 53.3 KB |
| sysctl_net.c | -rw-r--r-- | 947 bytes |
Computing file changes ...
