Hi, I have found one flaw in Linux procfs code that make the kernel disclose memory.
In the linux version 2.6.14.3, fs/proc/proc_misc.c:74 snip: ... if (len <= off+count) *eof = 1; *start = page + off; ... off is a off_t and count is a int. This flaw is not limited to procfs but is spread to other places: ./arch/ia64/kernel/palinfo.c: if (len <= off+count) *eof = 1; ./arch/ia64/kernel/salinfo.c: if (len <= off+count) *eof = 1; ./arch/ppc64/kernel/rtc.c: if (len <= off+count) *eof = 1; ./drivers/char/ds1286.c: if (len <= off+count) *eof = 1; ./drivers/char/efirtc.c: if (len <= off+count) *eof = 1; ./drivers/char/genrtc.c: if (len <= off+count) *eof = 1; ./drivers/char/ip27-rtc.c: if (len <= off+count) *eof = 1; ./drivers/input/misc/hp_sdc_rtc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/mca/mca-proc.c: if (len <= off+count) *eof = 1; ./drivers/net/wireless/atmel.c: if (len <= off+count) *eof = 1; ./drivers/telephony/ixj.c: if (len <= off+count) *eof = 1; ./fs/proc/proc_misc.c: if (len <= off+count) *eof = 1; However I think the procfs is the most important. I would like to greet dim,cmn and je. -- Karl Janmar [EMAIL PROTECTED] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
