Re: BK2CVS problem

From: Scott Robert Ladd
Date: Wed Nov 05 2003 - 23:13:33 EST

Next message: steve: "Re: no DRQ after issuing WRITE"
Previous message: Fabio Coatti: "Re: test9 and bluetooth"
In reply to: Matthias Andree: "Re: BK2CVS problem"
Next in thread: bert hubert: "Re: BK2CVS problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Larry McVoy wrote:

On Wed, Nov 05, 2003 at 04:48:09PM -0600, Chad Kitching wrote:

From: Zwane Mwaikambo

+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+ retval = -EINVAL;

That looks odd

Setting current->uid to zero when options __WCLONE and __WALL are set? The retval is dead code because of the next line, but it looks like an attempt
to backdoor the kernel, does it not?

It sure does. Note "current->uid = 0", not "current->uid == 0". Good eyes, I missed that. This function is sys_wait4() so by passing in
__WCLONE|__WALL you are root. How nice.

In other words, the theoretical exploit was inserted by someone clever. Do we have any idea who?

BTW, good job catching the problem Larry.

--
Scott Robert Ladd
Coyote Gulch Productions (http://www.coyotegulch.com)
Software Invention for High-Performance Computing

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: steve: "Re: no DRQ after issuing WRITE"
Previous message: Fabio Coatti: "Re: test9 and bluetooth"
In reply to: Matthias Andree: "Re: BK2CVS problem"
Next in thread: bert hubert: "Re: BK2CVS problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]