Bugtraq mailing list archives

Linux FIOSETOWN ioctl hole


From: marekm () i17linuxb ists pwr wroc pl (Marek Michalkiewicz)
Date: Thu, 6 Jul 1995 14:38:20 +0200


On Linux up to 1.2.11 (and probably 1.3.x too) the FIOSETOWN ioctl
on sockets allows sending a SIGURG to any process.  Before I post
a program to exploit it (yes, I have one) here is a kernel patch
to fix this:
----------
diff -urN v1.2.11/linux/net/inet/af_inet.c linux/net/inet/af_inet.c
--- v1.2.11/linux/net/inet/af_inet.c    Tue Jun 13 15:18:50 1995
+++ linux/net/inet/af_inet.c    Wed Jul  5 16:00:19 1995
@@ -1260,6 +1260,7 @@
 {
        struct sock *sk=(struct sock *)sock->data;
        int err;
+       int tmp;

        switch(cmd)
        {
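Review bot: `tmp` in the new declaration is an uninformative name for a value that is either a pid or a negated process group; calling it `pid` (or `owner`) would make the sign convention used in the later `current->pgrp != -tmp` test self-documenting, and a one-line comment at the declaration saying "pid, or -pgrp" would help readers who have not seen inet_fcntl.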
@@ -1268,7 +1269,11 @@
                        err=verify_area(VERIFY_READ,(int *)arg,sizeof(long));
                        if(err)
                                return err;
-                       sk->proc = get_fs_long((int *) arg);
+                       tmp = get_fs_long((int *) arg);
+                       /* see inet_fcntl */
+                       if (current->pid != tmp && current->pgrp != -tmp && !suser())
+                               return -EPERM;
+                       sk->proc = tmp;
                        return(0);
                case FIOGETOWN:
                case SIOCGPGRP:
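Review bot: The new check `if (current->pid != tmp && current->pgrp != -tmp && !suser())` makes setting the owner to 0 (no owner) require superuser, because an unprivileged caller's pid and pgrp are never 0; consider accepting `tmp == 0` explicitly unless the intent is to mirror inet_fcntl's F_SETOWN behaviour exactly, as the `/* see inet_fcntl */` comment suggests. A second, pre-existing point in the same hunk: `verify_area(VERIFY_READ,(int *)arg,sizeof(long))` checks sizeof(long) bytes through an `int *` while `get_fs_long((int *) arg)` reads a long, so the two types should agree rather than being cast past each other.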
----------
This is against 1.2.11 but older versions should patch cleanly.  There was
a similar hole with the F_SETOWN fcntl, fixed a long time ago, but no one
noticed the same problem with the FIOSETOWN ioctl even though both do the
same thing (set sk->proc, which is the pid to send a SIGURG to when there
is some new TCP OOB data).

Exploit program coming soon - it wasn't really hard to write :)

Marek
