BUG REPORT: User/Kernel Pointer bug in sys_poll
From: Sorav Bansal
Date: Wed Oct 27 2004 - 23:26:55 EST
Package: linux-kernel-src
Version: 2.4.27
Description: User/Kernel pointer bug/security holl in sys_poll
I think, there is a potential bug/security hole in the sys_poll system
call.
In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
copy_from_user. Then __put_user is called on &ufds->revents.
Since copy_from_user is a read access and __put_user is a write access,
the first call does not verify write-access to ufds. This can be exploited
by a malicious user on a 386 machine (where write-protection in
kernel mode is not enabled .i.e. CONFIG_X86_WP_WORKS_OK is undef).
It seems that this bug can be corrected by replacing the two __put_user
calls in sys_poll by put_user. I am using the latest kernel from
kernel.org .i.e. linux-2.4.27
thanks,
Sorav
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/