linux-2.6.7 Equalizer Load-balancer. eql.c. local non-privileged DoS
From: Vitaly V. Bursov
Date: Fri Jun 18 2004 - 04:14:08 EST
Hello,
there are multiple vulns in drivers/net/eql.c
====
static int eql_g_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
        ...
        if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
                return -EFAULT;
        slave_dev = dev_get_by_name(sc.slave_name);
        ret = -EINVAL;
        spin_lock_bh(&eql->queue.lock);
        if (eql_is_slave(slave_dev)) {
        ...
====
and
====
static int eql_s_slave_cfg(struct net_device *dev, slave_config_t __user *scp)
{
        ....
        if (copy_from_user(&sc, scp, sizeof (slave_config_t)))
                return -EFAULT;
        eql = dev->priv;
        slave_dev = dev_get_by_name(sc.slave_name);
        ret = -EINVAL;
        spin_lock_bh(&eql->queue.lock);
        if (eql_is_slave(slave_dev)) {
====
If there is no such device, dev_get_by_name returns NULL and everything dies.
Exploiting this is trivial.
Hopefully somebody will check this file carefully and fix it.
I am not in a list.
--
Thanks,
Vitaly
GPG Key ID: F95A23B9
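
An added example, not part of the original message or of the kernel source: a userspace C model of the NULL check that both excerpts lack, placed directly after the lookup and before anything dereferences the result. The mock lookup, the device table, `slave_cfg_checked`, `total_refs` and the choice of `-ENODEV` as the error code are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ  16
#define IFF_SLAVE 0x800  /* value of IFF_SLAVE in Linux's <linux/if.h> */

/* Userspace stand-ins (assumptions) for the kernel types in the excerpts. */
struct net_device { char name[IFNAMSIZ]; unsigned flags; int refcnt; };
typedef struct { char slave_name[IFNAMSIZ]; long priority; } slave_config_t;

/* Constructed device table: eth0 is enslaved, eth1 is not. */
static struct net_device devs[] = { { "eth0", IFF_SLAVE, 0 }, { "eth1", 0, 0 } };

/* Mock of dev_get_by_name(): NULL for an unknown name, else takes a reference. */
static struct net_device *mock_dev_get_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        if (strncmp(devs[i].name, name, IFNAMSIZ) == 0) {
            devs[i].refcnt++;
            return &devs[i];
        }
    return NULL;
}
/* Flag test that dereferences dev, so dev must not be NULL here. */
static int is_slave(const struct net_device *dev) { return (dev->flags & IFF_SLAVE) != 0; }

/* Guarded handler; sc stands for the copy already taken from user space. */
int slave_cfg_checked(slave_config_t *sc)
{
    struct net_device *slave_dev;
    int ret = -EINVAL;
    sc->slave_name[IFNAMSIZ - 1] = '\0';   /* user-supplied name may lack a terminator */
    slave_dev = mock_dev_get_by_name(sc->slave_name);
    if (!slave_dev)
        return -ENODEV;                     /* bail out before any dereference */
    if (is_slave(slave_dev))
        ret = 0;                            /* real handler would read/write the slave here */
    slave_dev->refcnt--;                    /* stands in for dev_put() */
    return ret;
}

int total_refs(void) { return devs[0].refcnt + devs[1].refcnt; }
int main(void)
{
    slave_config_t sc = { "nosuchdev", 0 };
    printf("lookup of %s -> %d\n", sc.slave_name, slave_cfg_checked(&sc));
    return 0;
}
```

Because the check sits before the point where the excerpts take `eql->queue.lock`, the early return needs no unlock; every path that did obtain a device drops its reference.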