Re: BUG REPORT: User/Kernel Pointer bug in sys_poll

From: Sorav Bansal
Date: Thu Oct 28 2004 - 01:06:09 EST

Next message: Michael Clark: "Re: 2.6.9 page allocation failure. order:0, mode:0x20"
Previous message: dean gaudet: "Re: MAP_SHARED bizarrely slow"
In reply to: Sorav Bansal: "BUG REPORT: User/Kernel Pointer bug in sys_poll"
Next in thread: Andrew Morton: "Re: BUG REPORT: User/Kernel Pointer bug in sys_poll"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Older x86 architectures (386 and before) allow the kernel to write to any
user location regardless of the write-protect bits.

Hence, with this bug, a user program could write to the write-protected
region of its address space by calling the sys_poll system call and
setting the address and data values appropriately.

An example where this could be exploited is an application running
third-party software. The application may want to write-protect its code
region but with this bug, the third party software will be able to
overwrite write-protected regions by calling sys_poll.

Sorav

On Wed, 27 Oct 2004, Tace wrote:

> sorry but I don't understand, why would it be a
> problem?
>
> --- Sorav Bansal <sbansal@xxxxxxxxxxxx> wrote:
>
> >
> > Package: linux-kernel-src
> > Version: 2.4.27
> >
> > Description: User/Kernel pointer bug/security holl
> > in sys_poll
> >
> > I think, there is a potential bug/security hole in
> > the sys_poll system
> > call.
> >
> > In sys_poll, the user pointer ufds (first arg to
> > sys_poll) goes through
> > copy_from_user. Then __put_user is called on
> > &ufds->revents.
> >
> > Since copy_from_user is a read access and __put_user
> > is a write access,
> > the first call does not verify write-access to ufds.
> > This can be exploited
> > by a malicious user on a 386 machine (where
> > write-protection in
> > kernel mode is not enabled .i.e.
> > CONFIG_X86_WP_WORKS_OK is undef).
> >
> > It seems that this bug can be corrected by replacing
> > the two __put_user
> > calls in sys_poll by put_user. I am using the latest
> > kernel from
> > kernel.org .i.e. linux-2.4.27
> >
> > thanks,
> > Sorav
> >
> > -
> > To unsubscribe from this list: send the line
> > "unsubscribe linux-kernel" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at
> > http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
> >
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail Address AutoComplete - You start. We finish.
> http://promotions.yahoo.com/new_mail
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michael Clark: "Re: 2.6.9 page allocation failure. order:0, mode:0x20"
Previous message: dean gaudet: "Re: MAP_SHARED bizarrely slow"
In reply to: Sorav Bansal: "BUG REPORT: User/Kernel Pointer bug in sys_poll"
Next in thread: Andrew Morton: "Re: BUG REPORT: User/Kernel Pointer bug in sys_poll"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]