[2002] in bugtraq
Linux FIOSETOWN ioctl hole
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Sat Jul 8 04:15:35 1995
Date: Thu, 6 Jul 1995 14:38:20 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
X-To: bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
On Linux up to 1.2.11 (and probably 1.3.x too) the FIOSETOWN ioctl
on sockets allows sending a SIGURG to any process. Before I post
a program to exploit it (yes, I have one) here is a kernel patch
to fix this:
----------
diff -urN v1.2.11/linux/net/inet/af_inet.c linux/net/inet/af_inet.c
--- v1.2.11/linux/net/inet/af_inet.c Tue Jun 13 15:18:50 1995
+++ linux/net/inet/af_inet.c Wed Jul 5 16:00:19 1995
@@ -1260,6 +1260,7 @@
{
struct sock *sk=(struct sock *)sock->data;
int err;
+ int tmp;
switch(cmd)
{
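Review bot: the new `int tmp;` in this hunk is narrower than the value it is about to hold; the read below it is `get_fs_long()` behind a `sizeof(long)` verify_area, so on a port where long is wider than int the pid/pgrp comparison runs on a truncated value. Declare it `long tmp;` to match the read and let the final `sk->proc = tmp;` do the narrowing.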
@@ -1268,7 +1269,11 @@
err=verify_area(VERIFY_READ,(int *)arg,sizeof(long));
if(err)
return err;
- sk->proc = get_fs_long((int *) arg);
+ tmp = get_fs_long((int *) arg);
+ /* see inet_fcntl */
+ if (current->pid != tmp && current->pgrp != -tmp && !suser())
+ return -EPERM;
+ sk->proc = tmp;
return(0);
case FIOGETOWN:
case SIOCGPGRP:
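Review bot: the added check rejects `tmp == 0` for an unprivileged caller, since 0 is neither its pid nor the negation of its pgrp, so a process that earlier made itself the owner can no longer clear the owner without suser(); if `sk->proc == 0` is the "nobody gets SIGURG" state, let it through with `if (tmp != 0 && current->pid != tmp && current->pgrp != -tmp && !suser())`. The `/* see inet_fcntl */` comment would also serve a later reader better if it stated the rule itself (only your own pid or your own process group unless superuser) instead of pointing at the other function.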
----------
This is against 1.2.11 but older versions should patch cleanly. There was
a similar hole with the F_SETOWN fcntl, fixed a long time ago, but no one
noticed the same problem with the FIOSETOWN ioctl even though both do the
same thing (set sk->proc which is the pid to send a SIGURG to when there
is some new TCP OOB data).
Exploit program coming soon - it wasn't really hard to write :)
Marek
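The following is an added example and not code from Marek's post or from the Linux kernel: a userspace mirror of the owner check his patch introduces, and a loopback demo of the mechanism the post describes (whoever FIOSETOWN records as owner of a socket is the process the kernel sends SIGURG to when TCP urgent data arrives). It assumes 127.0.0.1 is usable and that the verifier is a Unix system with FIOSETOWN or F_SETOWN; the function names `setown_allowed`, `set_owner` and `oob_sigurg_demo` are mine. One caveat for anyone trying this on a current Linux kernel: there the permission check happens when the signal is sent (the kernel compares the recorded caller credentials at delivery time), so an FIOSETOWN naming a foreign pid returns 0 and the refusal is silent, which is why the demo only names itself.

```c
/* Added example (not from the original post): mirror of the patched owner
 * check, plus a loopback demo of SIGURG delivery on TCP OOB data. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Mirror of the patched kernel check: tmp is the requested owner, a pid or
 * (if negative) a process group. The caller may name only itself or its own
 * group unless it is superuser. Returns 0 if allowed, -EPERM otherwise. */
int setown_allowed(int caller_pid, int caller_pgrp, int tmp, int is_superuser)
{
    if (caller_pid != tmp && caller_pgrp != -tmp && !is_superuser)
        return -EPERM;
    return 0;
}

/* Record `owner` as the SIGURG recipient for fd. Returns 0 or -errno.
 * FIOSETOWN is the ioctl the post is about; the fcntl branch is the
 * equivalent F_SETOWN route on headers that do not define it. */
int set_owner(int fd, int owner)
{
#ifdef FIOSETOWN
    if (ioctl(fd, FIOSETOWN, &owner) < 0)
        return -errno;
#else
    if (fcntl(fd, F_SETOWN, owner) < 0)
        return -errno;
#endif
    return 0;
}

static volatile sig_atomic_t got_sigurg;
static void on_sigurg(int sig) { (void)sig; got_sigurg = 1; }

/* Loopback demo: listen and connect on 127.0.0.1 (assumed available), make
 * this process the owner of the accepting side, send one byte of OOB data and
 * report whether SIGURG arrived. Returns 1 if delivered, 0 if not, -1 on a
 * setup error. */
int oob_sigurg_demo(void)
{
    int lfd = -1, cfd = -1, afd = -1, rc = -1;
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    struct sigaction act;
    char c;

    /* SIGURG is ignored by default; install a handler so delivery is visible. */
    memset(&act, 0, sizeof act);
    act.sa_handler = on_sigurg;
    sigaction(SIGURG, &act, NULL);
    got_sigurg = 0;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if (listen(lfd, 1) < 0) goto out;
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto out;

    /* Receiver: only the recorded owner is signalled, so name ourselves.
     * This is the call the patch restricts to own pid / own pgrp / root. */
    if (set_owner(afd, (int)getpid()) < 0) goto out;

    /* Sender: one urgent byte is what makes the kernel raise SIGURG. */
    if (send(cfd, "!", 1, MSG_OOB) != 1) goto out;

    /* Allow up to ~1s for delivery; usleep returns early when the signal lands. */
    for (int i = 0; i < 100 && !got_sigurg; i++)
        usleep(10000);
    recv(afd, &c, 1, MSG_OOB);           /* consume the urgent byte */
    rc = got_sigurg ? 1 : 0;
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    int r;
    printf("owner check: self=%d own-pgrp=%d other-pid=%d other-pid-as-root=%d\n",
           setown_allowed(100, 50, 100, 0), setown_allowed(100, 50, -50, 0),
           setown_allowed(100, 50, 1, 0), setown_allowed(100, 50, 1, 1));
    r = oob_sigurg_demo();
    printf("SIGURG after OOB byte: %s\n",
           r == 1 ? "delivered" : r == 0 ? "not delivered" : "setup failed");
    return 0;
}
```

Build with `cc -std=gnu99 -o fiosetown fiosetown.c` and run it unprivileged; the first line shows the patched rule refusing a foreign pid for a normal user and allowing it for root, and the second line shows the signal path the hole abused, here aimed only at the process itself.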