VYPR
Unrated severity · NVD Advisory · Published May 17, 2005 · Updated Apr 16, 2026

CVE-2005-1264


Description

Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Linux/Kernel (30 versions)
    • cpe:2.3:o:linux:linux_kernel:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test10:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test11:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test8:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test9:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.5:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.6:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.6:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.7:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.7:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs:*:*:*:*:*:*:*
    • (no CPE) range: 2.6.x

Patches

Vulnerability mechanics

Root cause

"The raw character device's ioctl handler calls `ioctl_by_bdev()`, which switches the thread's address limit to the kernel address space with `set_fs(KERNEL_DS)` before passing the ioctl to the block device. Under that limit the user-space buffer pointers supplied with the ioctl pass the kernel's address checks and are treated as kernel addresses."

Attack vector

An attacker with access to a raw character device can send an ioctl that is passed straight through to the underlying block device. Because `ioctl_by_bdev()` calls `set_fs(KERNEL_DS)` before invoking the block device's ioctl, the user-supplied buffer pointer is accepted as a kernel-space address, so any block-layer ioctl that copies data to or from that pointer does so against kernel memory, letting the attacker read or write kernel memory through those handlers [ref_id=1]. This crosses the user/kernel security boundary and makes kernel address space accessible from user space.

Affected code

The vulnerability is in `drivers/char/raw.c` in the `raw_ioctl()` function, which passes ioctls to the bound block device using `ioctl_by_bdev()`. The patch changes this call to `blkdev_ioctl()` and adds `EXPORT_SYMBOL_GPL(blkdev_ioctl)` in `drivers/block/ioctl.c` [ref_id=1].

What the fix does

The patch replaces `ioctl_by_bdev(bdev, command, arg)` with `blkdev_ioctl(bdev->bd_inode, filp, command, arg)` in `raw_ioctl()` [ref_id=1]. `blkdev_ioctl()` does not perform `set_fs(KERNEL_DS)`, so the pointers the caller passed in are still checked against the user address limit and a kernel address supplied from user space is rejected as it would be for any other ioctl. The patch also exports `blkdev_ioctl` as a GPL-only symbol so the raw driver, which can be built as a module, can call it.
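A user-space model of the mechanism, added here as an illustration; it is not kernel code and not the raw.c patch. It reproduces the shape of `access_ok()`, `copy_to_user()`, `set_fs()` and a block-layer ioctl handler with constructed address limits and addresses (`USER_DS`, `KERNEL_DS`, `kernel_ptr`, `user_ptr` and the handler's result are assumptions, not real kernel values), so the difference between the `ioctl_by_bdev()` path and the direct `blkdev_ioctl()` path can be run and checked on any machine:

```c
/* User-space model of the set_fs(KERNEL_DS) boundary bug behind
 * CVE-2005-1264. Added example: NOT kernel code and NOT the raw.c patch.
 * Address limits, addresses and the "block ioctl" are constructed
 * stand-ins for the real access_ok()/copy_to_user() machinery. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned long long vaddr_t;

#define USER_DS   0x00007fffffffffffULL  /* assumed user address limit */
#define KERNEL_DS 0xffffffffffffffffULL  /* assumed: whole address space */

/* Per-thread address limit, as set_fs() switches it in the real kernel. */
static vaddr_t addr_limit = USER_DS;

static void    set_fs(vaddr_t limit) { addr_limit = limit; }
static vaddr_t get_fs(void)          { return addr_limit; }

/* Model of access_ok(): a pointer is a legal "user" pointer only if the
 * whole range lies below the current address limit. */
static int access_ok(vaddr_t ptr, size_t len) {
    return ptr <= addr_limit && len <= addr_limit - ptr;
}

/* Model of copy_to_user(), simplified to return -EFAULT when the range
 * check fails. In the real kernel a passed check is followed by the copy,
 * and with KERNEL_DS that copy hits kernel memory. */
static int copy_to_user(vaddr_t dst, const void *src, size_t len) {
    (void)src;
    return access_ok(dst, len) ? 0 : -EFAULT;
}

/* Model of a block-layer ioctl handler that writes a result back to the
 * pointer the caller supplied (the pattern of size/geometry queries). */
static int blkdev_ioctl_model(vaddr_t arg) {
    uint64_t result = 0x1234; /* assumed value, irrelevant to the check */
    return copy_to_user(arg, &result, sizeof result);
}

/* Vulnerable shape: ioctl_by_bdev() switches to KERNEL_DS because its
 * legitimate callers are in-kernel and pass kernel pointers, then hands
 * over an argument that, in raw_ioctl(), came straight from user space. */
static int raw_ioctl_vulnerable(vaddr_t user_arg) {
    vaddr_t old = get_fs();
    int ret;
    set_fs(KERNEL_DS);
    ret = blkdev_ioctl_model(user_arg);
    set_fs(old);
    return ret;
}

/* Fixed shape: call the block ioctl directly, leaving USER_DS in place. */
static int raw_ioctl_fixed(vaddr_t user_arg) {
    return blkdev_ioctl_model(user_arg);
}

int main(void) {
    vaddr_t kernel_ptr = 0xffffffff80000000ULL; /* assumed kernel address */
    vaddr_t user_ptr   = 0x00007ffd00000000ULL; /* assumed user address   */

    printf("vulnerable path, kernel ptr: %d\n", raw_ioctl_vulnerable(kernel_ptr));
    printf("fixed path,      kernel ptr: %d\n", raw_ioctl_fixed(kernel_ptr));
    printf("fixed path,      user ptr:   %d\n", raw_ioctl_fixed(user_ptr));
    return 0;
}
```

The handler and its copy check are identical on both paths; only the address limit the check compares against differs. The vulnerable path accepts a kernel address that the fixed path rejects with -EFAULT, which is the whole of the bug: `ioctl_by_bdev()` was designed for callers that already hold kernel pointers, and `raw_ioctl()` was not one of them.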

Preconditions

  • Auth: attacker must have access to a raw character device (e.g., /dev/raw/raw*).
  • Config: the raw device must be bound to a block device.
  • Input: attacker must be able to issue ioctl() syscalls on the raw device file descriptor.

Reproduction

The referenced PoC at http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html is not included in the bundle, so reproduction steps cannot be provided.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9
