"The process file system, or procfs, implements a view of the system process table inside the file system. It is normally mounted on /proc, and is required for the complete operation of programs such as ps(1) and w(1)."
The Linus kernel procfs code does not validate its user provided variables, allowing local attackers to retrieve sensitive information from memory such as the root's password.
Credit:
The information has been provided by Karl Janmar.
Vulnerable Systems:
* Linux version 2.6.14.4 and prior
The /proc file system (procfs) is a special file system in the Linux kernel. It's a virtual file system: it is not associated with a block device but exists only in memory. The files in the procfs are there to allow users' programs access to certain information from the kernel (like process information in /proc/[0-9]+/), but also for debug purposes (like /proc/ksyms).
The function proc_calc_metrics does not properly validate variables, allowing attackers enter restricted memory and obtaining information that could not be gathered otherwise.
Vulnerable Code: fs/proc/proc_misc.c:
static int proc_calc_metrics(char *page, char **start, off_t off,
int count, int *eof, int len)
{
if (len <= off+count) *eof = 1;
*start = page + off;
len -= off;
if (len>count) len = count;
if (len<0) len = 0;
return len;
}
In the above code we can see that the values of 'off' and 'count' are not checked to see if they contain negative number.
An attacker can place a negative number, pointing the 'start' variable to a memory that may contain sensitive information.
