
Commit 757010f0 authored by Eric W. Biederman

sysctl binary: Reorder the tests to process wild card entries first.



A malicious user could have passed in a ctl_name of 0 and triggered
the well known ctl_name to procname mapping code, instead of the wild
card matching code.  This is a slight problem as wild card entries don't
have procnames, and because in some alternate universe a network device
might have ifindex 0.  So test for and handle wild card entries first.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent 63395b65
+7 −8
@@ -1269,17 +1269,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
	for ( ; table->convert; table++) {
		int len = 0;

		/* Use the well known sysctl number to proc name mapping */
		if (ctl_name == table->ctl_name) {
			len = strlen(table->procname);
			memcpy(path, table->procname, len);
		}
#ifdef CONFIG_NET
		/*
		 * For a wild card entry map from ifindex to network
		 * device name.
		 */
		else if (!table->ctl_name) {
		if (!table->ctl_name) {
#ifdef CONFIG_NET
			struct net *net = current->nsproxy->net_ns;
			struct net_device *dev;
			dev = dev_get_by_index(net, ctl_name);
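Review bot: the comment kept above `if (!table->ctl_name)` says what the wild card branch does but not why it has to be tested before the `ctl_name == table->ctl_name` comparison. The commit message gives the reason (wild card entries have no procname, and a caller can pass a ctl_name of 0), so one sentence to that effect in the comment would keep a later cleanup from restoring the old order and reaching `strlen(table->procname)` for a wild card entry.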
@@ -1288,8 +1283,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
				memcpy(path, dev->name, len);
				dev_put(dev);
			}
		}
#endif
		/* Use the well known sysctl number to proc name mapping */
		} else if (ctl_name == table->ctl_name) {
			len = strlen(table->procname);
			memcpy(path, table->procname, len);
		}
		if (len) {
			path += len;
			if (table->child) {
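Review bot: the "Use the well known sysctl number to proc name mapping" comment now sits after `#endif` but before `} else if (ctl_name == table->ctl_name) {`, so it reads as the tail of the wild card block rather than a description of the branch that follows. Moving it inside the else-if body would fix that. With CONFIG_NET unset the wild card branch body is empty and len stays 0 for those entries, which looks intended but deserves a short comment saying so.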