CVE-2004-2302

Vulnerability

A race condition exists in the sysfs_read_file and sysfs_write_file functions in the Linux kernel prior to version 2.6.10. This flaw occurs when multiple threads concurrently access sysfs files, leading to improper handling of offsets and buffer state. Affected versions include all kernels before 2.6.10, as well as 2.6.10-rc1-mm1 and earlier [2].

Exploitation

A local user can exploit this by opening a sysfs file and sending large offsets (beyond the buffer size) through pread() or pwrite() system calls. By racing two threads—one seeking to a large offset and another reading or writing—the user can trigger an out-of-bounds read or write, causing the kernel to read memory beyond the allocated buffer [2].

Impact

Successful exploitation allows a local attacker to read sensitive kernel memory (information disclosure) or cause a kernel crash (denial of service). The attacker can access arbitrary kernel memory locations, potentially revealing secrets or causing system instability [2].

Mitigation

The vulnerability is fixed in Linux kernel version 2.6.10. The patch, available as part of the 2.6.10-rc1-mm1 patchset, adds a semaphore in the sysfs_buffer structure and validates offsets before use [2]. Users should upgrade to kernel 2.6.10 or later. No workaround is documented for unpatched systems.