Date: Thu, 28 Oct 2004 02:48:39 -0700
From: Andrew Morton <akpm@osdl.org>
To: Sorav Bansal <sbansal@stanford.edu>
Cc: tacetan@yahoo.com, linux-kernel@vger.kernel.org
Subject: Re: BUG REPORT: User/Kernel Pointer bug in sys_poll
Message-Id: <20041028024839.6a1e1064.akpm@osdl.org>
In-Reply-To: <Pine.GSO.4.44.0410272246240.7124-100000@elaine9.Stanford.EDU>
References: <20041028052218.52478.qmail@web50207.mail.yahoo.com>
	<Pine.GSO.4.44.0410272246240.7124-100000@elaine9.Stanford.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1151
Lines: 29

Sorav Bansal <sbansal@stanford.edu> wrote:
>
> Older x86 architectures (386 and before) allow the kernel to write to any
>  user location regardless of the write-protect bits.
> 
>  Hence, with this bug, a user program could write to the write-protected
>  region of its address space by calling the sys_poll system call and
>  setting the address and data values appropriately.

Nope.  The only significant difference between copy_from_user() and
__put_user() here is that copy_from_user() checks that the address is not
in the 0xc0000000-0xffffffff range.  __put_user() skips that check.

So

	if (copy_from_user(kaddr, addr, n))
		fail();
	__put_user(42, addr);

is safe.  We know that the address is in the 0x00000000-0xbfffffff range by
the time we call __put_user().  And if the page at *addr it not writeable
the kernel will take a fault.

So I see no hole.  But I wouldn't have coded it that way...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/