Re: [Full-Disclosure] Linux kernel file offset pointer races

From: Andrew Farmer (andfarm_at_teknovis.com)
Date: 08/05/04

    To: security@isec.pl
    Date: Wed, 4 Aug 2004 15:42:13 -0700
    
    
    

    On 4 Aug 2004, at 03:22, Paul Starzetz wrote:
    > Synopsis: Linux kernel file offset pointer handling
    > Product: Linux kernel
    > Version: 2.4 up to and including 2.4.26, 2.6 up to and including 2.6.7
    > Vendor: http://www.kernel.org/
    > URL: http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
    > CVE: CAN-2004-0415
    > Author: Paul Starzetz <ihaquer@isec.pl>
    > Date: Aug 04, 2004
    >
    > Issue:
    > ======
    >
    > A critical security vulnerability has been found in the Linux kernel
    > code handling 64bit file offset pointers.
    ...

    Even discounting the mangling in this posting, the code doesn't work
    as advertised under 2.6.7. I've tried a number of different scenarios:
    multiple machines, slow storage, fast storage, large files, small files -
    but _llseek(pfd, 0, 0, &off, SEEK_CUR) doesn't fail. Is this just because
    I'm stupid or because the code supplied is incorrect?

    Furthermore, mtrr_read doesn't seem to exist anywhere in the Linux kernel,
    at least not by that name. The function in question would probably exist
    in linux/arch/i386/kernel/cpu/mtrr/if.c, but there's nothing of the sort
    in there. Heck, the kernel code shown isn't even VALID.

    My fault or Paul's?

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


