
Bug#278601: PROBLEM: User/Kernel Pointer bug in sys_poll



Package: linux-kernel-src
Version: 2.4.27

Description: User/Kernel pointer bug/security hole in sys_poll

I think there is a potential bug/security hole in the sys_poll system
call.

In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
copy_from_user. Then __put_user is called on &ufds->revents.

Since copy_from_user is a read access and __put_user is a write access,
the first call does not verify write-access to ufds. This can be exploited
by a malicious user on a 386 machine (where write-protection in
kernel mode is not enabled, i.e. CONFIG_X86_WP_WORKS_OK is undef).

It seems that this bug can be corrected by replacing the two __put_user
calls in sys_poll by put_user. I am using the latest kernel from
kernel.org, i.e. linux-2.4.27.

thanks,
Sorav
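
The check ordering described in the report, as an added example that is not part of the original message or of the kernel source: a user-space C model in which a read check passes on a read-only page and the later store to revents is rejected only when it performs its own write check. All names (model_access_ok, model_store_revents, demo, struct upage) are hypothetical, and the model assumes a CPU that does not fault on kernel-mode writes to read-only pages.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one simulated user page; this is not kernel code. */
enum { VERIFY_READ, VERIFY_WRITE };
struct upage { unsigned char data[16]; int writable; };
struct model_pollfd { int fd; short events; short revents; };

/* Read check: range only. Write check: also requires a writable mapping,
 * since the modelled CPU (386, no kernel-mode WP) would not fault. */
static int model_access_ok(int type, const struct upage *p, size_t off, size_t len)
{
    if (off > sizeof p->data || len > sizeof p->data - off)
        return 0;
    return type == VERIFY_READ || p->writable;
}

/* Checked read, standing in for copy_from_user. */
static int model_copy_from_user(void *dst, const struct upage *p, size_t len)
{
    if (!model_access_ok(VERIFY_READ, p, 0, len))
        return -EFAULT;
    memcpy(dst, p->data, len);
    return 0;
}

/* Store to revents; checked=0 stands in for __put_user, 1 for put_user. */
static int model_store_revents(struct upage *p, short v, int checked)
{
    size_t off = offsetof(struct model_pollfd, revents);
    if (checked && !model_access_ok(VERIFY_WRITE, p, off, sizeof v))
        return -EFAULT;
    memcpy(p->data + off, &v, sizeof v); /* no WP: the store lands anyway */
    return 0;
}

/* Poll-like sequence on a read-only page; returns 1 if the page changed. */
int demo(int checked, int *rc)
{
    struct upage ro = { {0}, 0 }, before = ro;
    struct model_pollfd k;
    *rc = model_copy_from_user(&k, &ro, sizeof k);
    if (*rc == 0)
        *rc = model_store_revents(&ro, 1, checked);
    return memcmp(ro.data, before.data, sizeof ro.data) != 0;
}
int main(void) { int rc; printf("%d ", demo(0, &rc)); printf("%d\n", demo(1, &rc)); return 0; }
```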


