Your message dated Wed, 28 Nov 2007 01:26:15 +0100 with message-id <20071128002615.GX14432@baikonur.stro.at> and subject line PROBLEM: User/Kernel Pointer bug in sys_poll has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: PROBLEM: User/Kernel Pointer bug in sys_poll
- From: Sorav Bansal <sbansal@stanford.edu>
- Date: Wed, 27 Oct 2004 21:18:35 -0700 (PDT)
- Message-id: <Pine.GSO.4.44.0410272109260.22702-100000@elaine11.Stanford.EDU>
Package: linux-kernel-src
Version: 2.4.27
Description: User/Kernel pointer bug/security hole in sys_poll

I think there is a potential bug/security hole in the sys_poll system call.

In sys_poll, the user pointer ufds (first arg to sys_poll) goes through copy_from_user. Then __put_user is called on &ufds->revents. Since copy_from_user is a read access and __put_user is a write access, the first call does not verify write-access to ufds. This can be exploited by a malicious user on a 386 machine (where write-protection in kernel mode is not enabled, i.e. CONFIG_X86_WP_WORKS_OK is undef).

It seems that this bug can be corrected by replacing the two __put_user calls in sys_poll by put_user.

I am using the latest kernel from kernel.org, i.e. linux-2.4.27

thanks,
Sorav
--- End Message ---
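
The pattern described in the report above, as a small user-space C model added here (not kernel source and not code from the report or the Debian maintainers). `model_access_ok`, `model_put_unchecked`, `model_poll` and the toy page table are hypothetical stand-ins for the kernel helpers the report names; the model assumes the write check is done in software only when the CPU cannot enforce page write protection in kernel mode, which the `wp` argument selects.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_EFAULT 14
#define PAGE_SZ 16                      /* toy page size */
enum { VERIFY_READ, VERIFY_WRITE };
struct pfd { int fd; short events; short revents; };  /* fields of struct pollfd */

/* Constructed toy user address space: three pages, page 1 mapped read-only. */
static unsigned char mem[3 * PAGE_SZ];
static const int writable[3] = { 1, 0, 1 };
static int wp_works_ok;   /* 0 models a 386: kernel-mode writes ignore page protection */

static int page_writable(size_t addr, size_t n)
{
    for (size_t p = addr / PAGE_SZ; p <= (addr + n - 1) / PAGE_SZ; p++)
        if (!writable[p]) return 0;
    return 1;
}

/* Range check always; software write check only when the CPU cannot enforce it. */
static int model_access_ok(int type, size_t addr, size_t n)
{
    if (n > sizeof mem || addr > sizeof mem - n) return 0;
    return type == VERIFY_READ || wp_works_ok || page_writable(addr, n);
}

/* Stand-in for __put_user: no access check, only the hardware can stop the write. */
static int model_put_unchecked(short v, size_t addr)
{
    if (wp_works_ok && !page_writable(addr, sizeof v)) return -MODEL_EFAULT; /* fault + fixup */
    memcpy(mem + addr, &v, sizeof v);
    return 0;
}

/* Reported pattern: read-checked copy in, then a write back to ufds->revents.
 * checked=0 writes like __put_user, checked=1 verifies write access like put_user. */
static int model_poll(size_t ufds, int checked, int wp)
{
    struct pfd k;
    size_t dst = ufds + offsetof(struct pfd, revents);
    wp_works_ok = wp;                                  /* select the CPU model */
    if (!model_access_ok(VERIFY_READ, ufds, sizeof k)) return -MODEL_EFAULT;
    memcpy(&k, mem + ufds, sizeof k);                  /* the copy_from_user step */
    if (checked && !model_access_ok(VERIFY_WRITE, dst, sizeof k.revents))
        return -MODEL_EFAULT;
    return model_put_unchecked(1, dst);
}
```

With `wp` set to 0 the unchecked variant modifies the read-only page, while the checked variant returns `-MODEL_EFAULT` and leaves it untouched; with `wp` set to 1 both variants fail on that page.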
--- Begin Message ---
- To: 278601-done@bugs.debian.org
- Subject: Re: PROBLEM: User/Kernel Pointer bug in sys_poll
- From: maximilian attems <max@stro.at>
- Date: Wed, 28 Nov 2007 01:26:15 +0100
- Message-id: <20071128002615.GX14432@baikonur.stro.at>
2.4 only trouble and may only affect some very old 386, thus closing as irrelevant as bottom line is 486 anyway.

--
maks
--- End Message ---