dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Local root exploit with kmod and modutils > 2.1.121

Nov 13, 2000, 22:28 (0 Talkback[s])
(Other stories by Keith Owens)
Date: Mon, 13 Nov 2000 21:57:08 +1100
From: Keith Owens <kaos@ocs.com.au>
To: linux-kernel@vger.kernel.org
Subject: Local root exploit with kmod and modutils > 2.1.121

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain; charset=us-ascii

A local root exploit has been found using kernels compiled with kmod
and modutils > 2.1.121.  Kernels without kmod and systems using
modutils 2.1.121 are not affected.

Patch against modutils 2.3.19, it should fit any 2.3 modutils.

Index: 19.7/util/meta_expand.c
- --- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
+++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
@@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST *
  */
 int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version)
 {
- -     FILE *fin;
- -     int len = 0;
- -     char *line = NULL;
        char *p;
        char tmpline[PATH_MAX + 1];
- -     char tmpcmd[PATH_MAX + 11];

        g->pathc = 0;
        g->pathv = NULL;
@@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g,
                /* Only "=" remaining, should be module options */
                split_line(g, pt, 0);
                return 0;
- -     }
- -
- -     /*
- -      * Last resort: Use "echo"
- -      */
- -     sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt);
- -     sprintf(tmpcmd, "/bin/echo %s", tmpline);
- -     if ((fin = popen(tmpcmd, "r")) == NULL) {
- -             error("Can't execute: %s", tmpcmd);
- -             return -1;
- -     }
- -     /* else */
- -
- -     /*
- -      * Collect the result
- -      */
- -     while (fgets(tmpcmd, PATH_MAX, fin) != NULL) {
- -             int l = strlen(tmpcmd);
- -
- -             line = (char *)xrealloc(line, len + l + 1);
- -             line[len] = '\0';
- -             strcat(line + len, tmpcmd);
- -             len += l;
- -     }
- -     pclose(fin);
- -
- -     if (line) {
- -             /* Ignore result if no expansion occurred */
- -             strcat(tmpline, "\n");
- -             if (strcmp(tmpline, line))
- -                     split_line(g, line, 0);
- -             free(line);
        }

        return 0;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: Exmh version 2.1.1 10/15/1999

iD8DBQE6D8kEi4UHNye0ZOoRAmVTAKCktbi9DI5t0sj8wd1/vjLtgwVW6QCgnO0L
mVbPskoIGSSyTE8I9K7FcAg=
=Z1/L
-----END PGP SIGNATURE-----