Bug#278601: marked as done (PROBLEM: User/Kernel Pointer bug in sys_poll)



Your message dated Wed, 28 Nov 2007 01:26:15 +0100
with message-id <20071128002615.GX14432@baikonur.stro.at>
and subject line PROBLEM: User/Kernel Pointer bug in sys_poll
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: linux-kernel-src
Version: 2.4.27

Description: User/Kernel pointer bug/security hole in sys_poll

I think there is a potential bug/security hole in the sys_poll system
call.

In sys_poll, the user pointer ufds (first arg to sys_poll) goes through
copy_from_user. Then __put_user is called on &ufds->revents.

Since copy_from_user is a read access and __put_user is a write access,
the first call does not verify write-access to ufds. This can be exploited
by a malicious user on a 386 machine (where write-protection in
kernel mode is not enabled, i.e. CONFIG_X86_WP_WORKS_OK is undef).

It seems that this bug can be corrected by replacing the two __put_user
calls in sys_poll by put_user. I am using the latest kernel from
kernel.org, i.e. linux-2.4.27

thanks,
Sorav



--- End Message ---
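
A userspace C model of the check sequence the report describes, added here as an illustration; it is not kernel code and not part of the original thread. The `_m` functions, the tiny page size and the `wp_works_ok` flag are constructed stand-ins for copy_from_user, put_user, __put_user and the case where CONFIG_X86_WP_WORKS_OK is undefined.

```c
/* Constructed userspace model; every name is a hypothetical stand-in, not kernel code. */
#include <stdio.h>
#include <string.h>

#define PAGE_SZ    16                  /* tiny pages keep the model small */
#define NPAGES     4
#define USER_LIMIT (PAGE_SZ * NPAGES)
#define EFAULT_M   (-14)
enum { CHECK_READ, CHECK_WRITE };

static unsigned char mem[USER_LIMIT];
static int page_writable[NPAGES] = { 1, 0, 1, 1 };  /* page 1 is read-only */
static int wp_works_ok;  /* 0: supervisor-mode stores ignore page write protection */

/* Range check; only a write check on a non-WP CPU walks the pages in software. */
static int access_ok_m(int type, size_t addr, size_t len) {
    if (len == 0 || addr >= USER_LIMIT || len > USER_LIMIT - addr) return 0;
    if (type == CHECK_WRITE && !wp_works_ok)
        for (size_t p = addr / PAGE_SZ; p <= (addr + len - 1) / PAGE_SZ; p++)
            if (!page_writable[p]) return 0;
    return 1;
}
/* The store as the hardware performs it from kernel mode. */
static int hw_store(size_t addr, unsigned char v) {
    if (addr >= USER_LIMIT) return EFAULT_M;      /* the model has no memory there */
    if (wp_works_ok && !page_writable[addr / PAGE_SZ]) return EFAULT_M;  /* page fault */
    mem[addr] = v;
    return 0;
}
static int copy_from_user_m(void *dst, size_t addr, size_t len) {
    if (!access_ok_m(CHECK_READ, addr, len)) return EFAULT_M;  /* read check only */
    memcpy(dst, mem + addr, len);
    return 0;
}
/* Unchecked store: no access check of its own. */
static int unchecked_put_user_m(unsigned char v, size_t addr) { return hw_store(addr, v); }
/* Checked store: verifies write access before storing. */
static int put_user_m(unsigned char v, size_t addr) {
    return access_ok_m(CHECK_WRITE, addr, 1) ? hw_store(addr, v) : EFAULT_M;
}
int main(void) {
    unsigned char buf[4];
    size_t ufds = PAGE_SZ;  /* constructed "user pointer" into the read-only page */
    wp_works_ok = 0;
    int r = copy_from_user_m(buf, ufds, sizeof buf), c = put_user_m(0xff, ufds);
    int u = unchecked_put_user_m(0xff, ufds);
    printf("read check %d, put_user %d, __put_user %d, byte 0x%02x\n", r, c, u, mem[ufds]);
    return 0;
}
```

With `wp_works_ok` set to 1 the unchecked store faults on the read-only page, so in this model the gap exists only when supervisor-mode stores ignore write protection.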
--- Begin Message ---
2.4 only trouble and may only affect some very old 386
thus closing as irrelevant as bottom line is 486 anyway.

-- 
maks



--- End Message ---