On Wed, Jun 02, 2004 at 10:42:43PM +0200, Christoph Hellwig wrote:
> On Wed, Jun 02, 2004 at 10:48:46PM +0200, Sven Luther wrote:
> > Known security problems? All known problems of 2.4.25 have been fixed
> > and backported from later kernels, so I don't really see what we would
> > gain by going to 2.4.26, apart from uniformity over all arches.
>
> I don't have the time right now, but from looking through the diffs
> I'll surely be able to point you to a bunch of driver fixes that could
> allow exploits but no one bothered enough to try and write up a big
> bugtraq mail.
This was from 30 seconds looking at the diff, so I haven't checked whether it's actually reachable from an unprivileged entry point. If it is, we'd have a nice integer overflow and afterwards scrambling over random memory:

diff -Nru a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c --- a/net/bluetooth/hci_conn.c 2004-06-02 22:48:10 +02:00 +++ b/net/bluetooth/hci_conn.c 2004-06-02 22:48:10 +02:00 @@ -358,21 +358,24 @@ struct hci_conn_info *ci; struct hci_dev *hdev; struct list_head *p; - int n = 0, size; + int n = 0, size, err; if (copy_from_user(&req, (void *) arg, sizeof(req))) return -EFAULT; - if (!(hdev = hci_dev_get(req.dev_id))) - return -ENODEV; - - size = req.conn_num * sizeof(struct hci_conn_info) + sizeof(req); + if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) + return -EINVAL; - if (verify_area(VERIFY_WRITE, (void *)arg, size)) - return -EFAULT; + size = sizeof(req) + req.conn_num * sizeof(*ci); if (!(cl = (void *) kmalloc(size, GFP_KERNEL))) return -ENOMEM;
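Review bot: `err` is declared on the `+ int n = 0, size, err;` line but nothing visible in this hunk uses it, and the `hci_dev_get(req.dev_id)` lookup and the `verify_area(VERIFY_WRITE, (void *)arg, size)` check are removed with no replacement shown before the context ends at the `kmalloc()`; the rest of the function is needed to confirm that the device lookup now happens after allocation with `kfree(cl)` on its `-ENODEV` path (otherwise the buffer leaks) and that the later copy back to userspace checks its return value, since the up-front write-access check is gone. The new bound `req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)` does close the multiplication overflow in `size` that the removed `req.conn_num * sizeof(struct hci_conn_info) + sizeof(req)` allowed, but the added `!req.conn_num` test also turns a previously accepted zero-entry request into `-EINVAL`; that behaviour change deserves a sentence in the changelog.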