Bug#278601: PROBLEM: User/Kernel Pointer bug in sys_poll
Package: linux-kernel-src
Version: 2.4.27
Description: User/Kernel pointer bug/security hole in sys_poll
I think there is a potential bug/security hole in the sys_poll system
call.
In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
copy_from_user. Then __put_user is called on &ufds->revents.
Since copy_from_user is a read access and __put_user is a write access,
the first call does not verify write access to ufds. This can be exploited
by a malicious user on a 386 machine (where write protection in
kernel mode is not enabled, i.e. CONFIG_X86_WP_WORKS_OK is undefined).
It seems that this bug can be corrected by replacing the two __put_user
calls in sys_poll by put_user. I am using the latest kernel from
kernel.org, i.e. linux-2.4.27.
Thanks,
Sorav
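Added illustration (an editor's user-space model, not code from the kernel and not posted by the reporter): the report's point is that copy_from_user only validates ufds for reading, and __put_user skips the access check, so on a 386 without kernel-mode write protection the write to ufds->revents goes through even when the page is not writable by the user; put_user does the write check first. The model below builds a constructed four-page "user address space" with one read-only page, implements the read-only and write checks the way the non-WP path has to (walking the pages), and runs the sys_poll shape both ways. All sim_* names, the page layout and the constant values are this example's own assumptions, not Linux identifiers.

```c
#include <stdint.h>
#include <string.h>

#define SIM_EFAULT    14
#define SIM_PAGE_SIZE 4096u
#define SIM_NPAGES    4
#define SIM_POLLIN    0x0001
#define SIM_MAX_FDS   8

/* Constructed "user address space": four pages, one permission bit each.
 * Page 2 is read-only, standing in for e.g. a shared library's text mapping. */
static _Alignas(16) unsigned char sim_mem[SIM_NPAGES * SIM_PAGE_SIZE];
static const int sim_page_writable[SIM_NPAGES] = { 1, 1, 0, 1 };

struct sim_pollfd { int fd; short events; short revents; };

/* Offset of [ptr, ptr+len) inside sim_mem; 0 if it is not fully inside. */
static int sim_range(const void *ptr, size_t len, size_t *off)
{
    uintptr_t a = (uintptr_t)ptr, base = (uintptr_t)sim_mem;
    if (a < base || a - base > sizeof sim_mem || len > sizeof sim_mem - (a - base))
        return 0;
    *off = (size_t)(a - base);
    return 1;
}

/* Read check: address range only; every mapped page is readable here. */
static int sim_verify_read(const void *ptr, size_t len)
{
    size_t off;
    return sim_range(ptr, len, &off);
}

/* Write check as the 386 path has to do it: with no hardware write
 * protection in kernel mode there is no fault to catch, so every page of
 * the range is inspected and any non-writable page is rejected. */
static int sim_verify_write(const void *ptr, size_t len)
{
    size_t off;
    if (!sim_range(ptr, len, &off))
        return 0;
    if (len == 0)
        return 1;
    for (size_t p = off / SIM_PAGE_SIZE; p <= (off + len - 1) / SIM_PAGE_SIZE; p++)
        if (!sim_page_writable[p])
            return 0;
    return 1;
}

static int sim_copy_from_user(void *to, const void *from, size_t n)
{
    if (!sim_verify_read(from, n))
        return -SIM_EFAULT;
    memcpy(to, from, n);
    return 0;
}

/* __put_user: trusts that the caller already checked write access. */
static int sim___put_user(short val, short *dst)
{
    *dst = val;
    return 0;
}

/* put_user: checks write access itself before storing. */
static int sim_put_user(short val, short *dst)
{
    if (!sim_verify_write(dst, sizeof *dst))
        return -SIM_EFAULT;
    *dst = val;
    return 0;
}

/* Stand-in for the poll core: report every descriptor as readable. */
static void sim_do_poll(struct sim_pollfd *fds, unsigned nfds)
{
    for (unsigned i = 0; i < nfds; i++)
        fds[i].revents = SIM_POLLIN;
}

/* The sys_poll shape from the report: ufds is read-validated by
 * copy_from_user, then revents is written back with __put_user (checked=0,
 * the reported bug) or put_user (checked=1, the suggested fix). */
static int sim_sys_poll(struct sim_pollfd *ufds, unsigned nfds, int checked)
{
    struct sim_pollfd fds[SIM_MAX_FDS];
    if (nfds > SIM_MAX_FDS)
        return -SIM_EFAULT;               /* model-only limit */
    if (sim_copy_from_user(fds, ufds, nfds * sizeof *fds))
        return -SIM_EFAULT;
    sim_do_poll(fds, nfds);
    for (unsigned i = 0; i < nfds; i++) {
        int err = checked ? sim_put_user(fds[i].revents, &ufds[i].revents)
                          : sim___put_user(fds[i].revents, &ufds[i].revents);
        if (err)
            return err;
    }
    return 0;
}

/* Put one pollfd at the start of `page` (the user's own setup, so it writes
 * sim_mem directly), run the chosen variant, return its result and leave the
 * page's revents field in *revents. */
static int sim_run(unsigned page, int checked, short *revents)
{
    struct sim_pollfd *u = (struct sim_pollfd *)(sim_mem + page * SIM_PAGE_SIZE);
    memset(sim_mem, 0, sizeof sim_mem);
    u->fd = 3;
    u->events = SIM_POLLIN;
    int rc = sim_sys_poll(u, 1, checked);
    *revents = u->revents;
    return rc;
}

static int sim_rc(unsigned page, int checked)
{
    short r;
    return sim_run(page, checked, &r);
}

static short sim_revents_after(unsigned page, int checked)
{
    short r;
    sim_run(page, checked, &r);
    return r;
}
```

With ufds on the read-only page 2, the __put_user variant returns 0 and the page now carries revents = POLLIN, i.e. the kernel has written to memory the user could not write itself; the put_user variant returns -EFAULT and leaves the page untouched. On the writable page 1 both variants behave identically, which is why the bug is invisible in normal use.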