88740 2005-04-11 09:07 0000 Kernel: sysfs_write_file() integer overflow (CAN-2005-0867) 2009-05-03 14:31:01 0000 1 1 1 Unclassified Gentoo Security Kernel unspecified All All RESOLVED FIXED [linux >=2.6 < 2.6.11] P2 normal --- 1 koon@gentoo.org security@gentoo.org kern-sec@gentoo.org koon@gentoo.org 2005-04-11 09:07:02 0000 From Ubuntu's latest: Alexander Nyberg discovered an integer overflow in the sysfs_write_file() function. A local attacker could exploit this to crash the kernel or possibly even execute arbitrary code with root privileges by writing to an user-writable file in /sys under certain low-memory conditions. However, there are very few cases where a user-writeable sysfs file actually exists. (CAN-2005-0867) plasmaroo@gentoo.org 2005-04-15 15:00:14 0000 Created an attachment (id=56386) Patch kumba@gentoo.org 2005-04-23 22:29:40 0000 mips-sources fixed. dsd@gentoo.org 2005-04-27 13:46:49 0000 gentoo-sources-2.6 unaffected r2d2@gentoo.org 2005-05-17 16:41:14 0000 Should be all fixed. http://kiss.gentoo.org/dev/viewBug.php?BugID=88740 plasmaroo@gentoo.org 2005-05-27 11:41:21 0000 All fixed, closing bug. 56386 2005-04-15 15:00 0000 Patch 88740.patch text/plain LS0tIDEuMjIvZnMvc3lzZnMvZmlsZS5jCTIwMDUtMDQtMTUgMTQ6NTg6NDQgLTA3OjAwCisrKyAx LjIzL2ZzL3N5c2ZzL2ZpbGUuYwkyMDA1LTA0LTE1IDE0OjU4OjQ0IC0wNzowMApAQCAtMjMxLDE1 ICsyMzEsMTYgQEAKIHN5c2ZzX3dyaXRlX2ZpbGUoc3RydWN0IGZpbGUgKmZpbGUsIGNvbnN0IGNo YXIgX191c2VyICpidWYsIHNpemVfdCBjb3VudCwgbG9mZl90ICpwcG9zKQogewogCXN0cnVjdCBz eXNmc19idWZmZXIgKiBidWZmZXIgPSBmaWxlLT5wcml2YXRlX2RhdGE7CisJc3NpemVfdCBsZW47 CiAKIAlkb3duKCZidWZmZXItPnNlbSk7Ci0JY291bnQgPSBmaWxsX3dyaXRlX2J1ZmZlcihidWZm ZXIsYnVmLGNvdW50KTsKLQlpZiAoY291bnQgPiAwKQotCQljb3VudCA9IGZsdXNoX3dyaXRlX2J1 ZmZlcihmaWxlLT5mX2RlbnRyeSxidWZmZXIsY291bnQpOwotCWlmIChjb3VudCA+IDApCi0JCSpw cG9zICs9IGNvdW50OworCWxlbiA9IGZpbGxfd3JpdGVfYnVmZmVyKGJ1ZmZlciwgYnVmLCBjb3Vu dCk7CisJaWYgKGxlbiA+IDApCisJCWxlbiA9IGZsdXNoX3dyaXRlX2J1ZmZlcihmaWxlLT5mX2Rl bnRyeSwgYnVmZmVyLCBsZW4pOworCWlmIChsZW4gPiAwKQorCQkqcHBvcyArPSBsZW47CiAJdXAo JmJ1ZmZlci0+c2VtKTsKLQlyZXR1cm4gY291bnQ7CisJcmV0dXJuIGxlbjsKIH0KIAogc3RhdGlj IGludCBjaGVja19wZXJtKHN0cnVjdCBpbm9kZSAqIGlub2RlLCBzdHJ1Y3QgZmlsZSAqIGZpbGUp Cg==