Re: BUG REPORT: User/Kernel Pointer bug in sys_poll
From: Andrew Morton
Date:  Thu Oct 28 2004 - 04:57:11 EST
Sorav Bansal <sbansal@xxxxxxxxxxxx> wrote:
> Older x86 architectures (386 and before) allow the kernel to write to any
> user location regardless of the write-protect bits.
>
> Hence, with this bug, a user program could write to the write-protected
> region of its address space by calling the sys_poll system call and
> setting the address and data values appropriately.

Nope.  The only significant difference between copy_from_user() and
__put_user() here is that copy_from_user() checks that the address is not
in the 0xc0000000-0xffffffff range.  __put_user() skips that check.

So

	if (copy_from_user(kaddr, addr, n))
		fail();
	__put_user(42, addr);

is safe.  We know that the address is in the 0x00000000-0xbfffffff range by
the time we call __put_user().  And if the page at *addr is not writeable
the kernel will take a fault.

So I see no hole.  But I wouldn't have coded it that way...
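The ordering argument in the reply above, modelled as an added example that is not kernel code and not part of the original thread: MODEL_TASK_SIZE, the three constructed user pages and the helper names are assumptions chosen to mirror the 32-bit x86 3G/1G split. The checked copy rejects any range that reaches 0xc0000000 or wraps, so the unchecked write that follows it can only ever touch an address the first step already proved is in user range; a write to a read-only user page is refused at the page level, which stands in for the hardware fault on a CPU that honours write-protect for kernel writes (the 386 case from the quoted report is not emulated).

```c
/*
 * Added example, not kernel code: a small model of the copy_from_user()
 * then __put_user() ordering discussed above.  MODEL_TASK_SIZE and the
 * three constructed user pages are assumptions; the real kernel helpers
 * are architecture-specific and not reproduced here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_TASK_SIZE  0xc0000000u  /* first kernel address on 32-bit x86 */
#define MODEL_PAGE_SIZE  4096u
#define MODEL_EFAULT     14
#define MODEL_POLLIN     0x0001

/* Constructed user address space: three pages, each with backing store. */
struct model_page {
    uint32_t base;
    bool     writable;
    uint8_t  data[MODEL_PAGE_SIZE];
};
static struct model_page model_pages[] = {
    { 0x08048000u, false, {0} },   /* text: mapped, read-only */
    { 0x08049000u, true,  {0} },   /* data: mapped, writable  */
    { 0xbffff000u, true,  {0} },   /* stack: mapped, writable */
};
int model_put_user_calls;          /* how often the unchecked write ran */

/* The check copy_from_user() performs and __put_user() skips: the whole
 * range must lie below MODEL_TASK_SIZE and addr + n must not wrap. */
bool model_access_ok(uint32_t addr, size_t n)
{
    uint64_t end = (uint64_t)addr + n;         /* 64-bit sum: cannot wrap */
    return addr < MODEL_TASK_SIZE && end <= MODEL_TASK_SIZE;
}

static struct model_page *model_lookup(uint32_t addr)
{
    for (size_t i = 0; i < sizeof model_pages / sizeof model_pages[0]; i++)
        if (addr - model_pages[i].base < MODEL_PAGE_SIZE)
            return &model_pages[i];
    return NULL;                               /* unmapped: would fault */
}

/* copy_from_user(): range check first, then a byte-wise copy that faults
 * on any unmapped page. */
int model_copy_from_user(void *dst, uint32_t uaddr, size_t n)
{
    if (!model_access_ok(uaddr, n))
        return -MODEL_EFAULT;
    for (size_t i = 0; i < n; i++) {
        struct model_page *p = model_lookup(uaddr + (uint32_t)i);
        if (!p)
            return -MODEL_EFAULT;
        ((uint8_t *)dst)[i] = p->data[(uaddr + (uint32_t)i) - p->base];
    }
    return 0;
}

/* __put_user() for a 16-bit value: NO range check.  A read-only or
 * unmapped page is refused here, standing in for the hardware fault on a
 * CPU that honours write-protect for kernel writes. */
int model_put_user_u16(uint32_t uaddr, uint16_t val)
{
    model_put_user_calls++;
    struct model_page *p = model_lookup(uaddr);
    if (!p || !p->writable || (uaddr - p->base) + sizeof val > MODEL_PAGE_SIZE)
        return -MODEL_EFAULT;
    memcpy(&p->data[uaddr - p->base], &val, sizeof val);
    return 0;
}

uint16_t model_peek_u16(uint32_t uaddr)    /* read back modelled user memory */
{
    uint16_t v = 0;
    struct model_page *p = model_lookup(uaddr);
    if (p)
        memcpy(&v, &p->data[uaddr - p->base], sizeof v);
    return v;
}

/* The sys_poll shape: fetch one struct pollfd with the checked copy, then
 * write revents back with the unchecked __put_user().  The second step is
 * only reached once the first has proved the address lies in user range. */
struct model_pollfd { int32_t fd; int16_t events; int16_t revents; };

int model_poll_update(uint32_t ufd_addr)
{
    struct model_pollfd pfd;
    int err = model_copy_from_user(&pfd, ufd_addr, sizeof pfd);
    if (err)
        return err;                            /* __put_user() never runs */
    return model_put_user_u16(ufd_addr + offsetof(struct model_pollfd, revents),
                              MODEL_POLLIN);
}
```

Calling model_poll_update() with a kernel address (say 0xc0001000) fails in the checked copy and leaves model_put_user_calls at zero; with the read-only text page it reaches the unchecked write and is refused there; with the writable data page it succeeds and revents reads back as MODEL_POLLIN.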