Re: Potenitial security hole in the kernel
Kurt Roeckx (Q@ping.be)
Tue, 29 May 2001 01:30:30 +0200
On Tue, May 29, 2001 at 12:12:56AM +0100, Russell King wrote:
> On Mon, May 28, 2001 at 11:43:38PM +0200, Vadim Lebedev wrote:
> > Please correct me if i'm wrong but it seems to me that i've stumbled on
> > really BIG security hole in the signal handling code.
>
> I don't think there's problem, unless I'm missing something.
>
> > The problem IMO is that the signal handling code stores a processor context
> > on the user-mode stack frame which is active while
> > the signal handler is running.
>
> User context (defined by 'regs') is stored onto the user stack.
> However, when context is restored, certain checks are done, including
> making sure that the segment registers cs and ss are their user mode
> versions (or'd with 3), and the processor flags are non-privileged.
If that's what's happening, I have to agree with him that there
is a problem.
Why would he need to go back to kernel space at all? He can make
it point wherever he wants.
You should never "return" from userspace to kernelspace. The
only way to go from user space to kernel space should be by using
a system call.
Kurt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/