
Bug#278601: PROBLEM: User/Kernel Pointer bug in sys_poll



On Wed, Oct 27, 2004 at 09:18:35PM -0700, Sorav Bansal wrote:
> 
> Package: linux-kernel-src
> Version: 2.4.27
> 
> Description: User/Kernel pointer bug/security hole in sys_poll
> 
> I think, there is a potential bug/security hole in the sys_poll system
> call.
> 
> In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
> copy_from_user. Then __put_user is called on &ufds->revents.
> 
> Since copy_from_user is a read access and __put_user is a write access,
> the first call does not verify write-access to ufds. This can be exploited
> by a malicious user on a 386 machine (where write-protection in
> kernel mode is not enabled, i.e. CONFIG_X86_WP_WORKS_OK is undef).
> 
> It seems that this bug can be corrected by replacing the two __put_user
> calls in sys_poll by put_user. I am using the latest kernel from
> kernel.org, i.e. linux-2.4.27

Hi,

Thanks for the bug report. I checked up on the thread on lkml.
I am a bit reluctant to add a patch to the debian kernel if
the upstream maintainers don't. Please let me know if there
are any developments in that direction, I will keep an eye on the
thread.

Ref for BTS: http://marc.theaimsgroup.com/?l=linux-kernel&m=109893769307124&w=2

Thanks

-- 
Horms
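A userspace model of the access-check asymmetry the report describes, added here as an illustration and not taken from the report, the kernel, or the Debian package: page_perm, wp_works_ok, access_ok, the *_short helpers and poll_revents are simplified stand-ins for the kernel's macros, and the tiny user address space is constructed. It shows why a read check in copy_from_user does not cover the later write, and how the checked put_user closes the gap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES 4
enum { PERM_R = 1, PERM_W = 2 };

/* Constructed user address space: page 0 rw, page 1 read-only, page 2 unmapped, page 3 rw. */
static int page_perm[NPAGES] = { PERM_R | PERM_W, PERM_R, 0, PERM_R | PERM_W };
static unsigned char user_mem[NPAGES * PAGE_SIZE];
static int wp_works_ok = 1;            /* stand-in for CONFIG_X86_WP_WORKS_OK */
void set_wp_works_ok(int on) { wp_works_ok = on; }

struct pollfd { int fd; short events; short revents; };

/* Stand-in for the kernel's range check: every page in [uaddr, uaddr+len) needs perm. */
static int access_ok(int perm, uintptr_t uaddr, size_t len) {
    if (len == 0) return 1;
    for (uintptr_t p = uaddr / PAGE_SIZE; p <= (uaddr + len - 1) / PAGE_SIZE; p++)
        if (p >= NPAGES || !(page_perm[p] & perm)) return 0;
    return 1;
}

/* Checks READ access only, then copies; returns bytes not copied, like the kernel's. */
static size_t copy_from_user(void *dst, uintptr_t src, size_t n) {
    if (!access_ok(PERM_R, src, n)) return n;
    memcpy(dst, user_mem + src, n);
    return 0;
}

/* Unchecked store: only the MMU can stop it. Without WP (386), a supervisor-mode
 * write to a read-only user page does not fault, so the store silently lands. */
static int __put_user_short(short val, uintptr_t dst) {
    if (wp_works_ok && !access_ok(PERM_W, dst, sizeof val)) return -EFAULT;
    memcpy(user_mem + dst, &val, sizeof val);
    return 0;
}

/* Checked store: verifies WRITE access in software before the store. */
static int put_user_short(short val, uintptr_t dst) {
    return access_ok(PERM_W, dst, sizeof val) ? __put_user_short(val, dst) : -EFAULT;
}

/* The sys_poll pattern: read the pollfd, then write revents back into the same struct. */
int poll_revents(uintptr_t ufds, int use_checked_put) {
    struct pollfd fd;
    if (copy_from_user(&fd, ufds, sizeof fd)) return -EFAULT;
    uintptr_t rev = ufds + offsetof(struct pollfd, revents);
    return use_checked_put ? put_user_short(1, rev) : __put_user_short(1, rev);
}

/* Reads back what landed in user memory, to observe the model's effect. */
short user_revents(uintptr_t ufds) {
    short v; memcpy(&v, user_mem + ufds + offsetof(struct pollfd, revents), sizeof v); return v;
}
```

With the WP flag off, the unchecked path reports success while writing into the read-only page; the checked path returns -EFAULT as it should.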