BUG REPORT: User/Kernel Pointer bug in sys_poll

From: Sorav Bansal
Date: Wed Oct 27 2004 - 23:26:55 EST

Next message: Jeff Garzik: "Re: Linux 2.4.28-rc1"
Previous message: Jeff Garzik: "Re: [PATCH 2.4] the perils of kunmap_atomic"
Next in thread: Sorav Bansal: "Re: BUG REPORT: User/Kernel Pointer bug in sys_poll"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Package: linux-kernel-src
Version: 2.4.27

Description: User/Kernel pointer bug/security holl in sys_poll

I think, there is a potential bug/security hole in the sys_poll system
call.

In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
copy_from_user. Then __put_user is called on &ufds->revents.

Since copy_from_user is a read access and __put_user is a write access,
the first call does not verify write-access to ufds. This can be exploited
by a malicious user on a 386 machine (where write-protection in
kernel mode is not enabled .i.e. CONFIG_X86_WP_WORKS_OK is undef).

It seems that this bug can be corrected by replacing the two __put_user
calls in sys_poll by put_user. I am using the latest kernel from
kernel.org .i.e. linux-2.4.27

thanks,
Sorav

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: Linux 2.4.28-rc1"
Previous message: Jeff Garzik: "Re: [PATCH 2.4] the perils of kunmap_atomic"
Next in thread: Sorav Bansal: "Re: BUG REPORT: User/Kernel Pointer bug in sys_poll"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]