Re: What's wrong with this really simple function?

From: Nikita Danilov
Date: Mon Nov 28 2005 - 07:55:18 EST


Juergen Quade writes:
> On Sun, Nov 27, 2005 at 12:57:47PM -0600, Mohamed El Dawy wrote:
> > Hi,
> > I have created this 5-liner system call, which basically opens a
> > file, write "Hello World" to it, and then returns. That's all.
> >
> > Now, when I actually call it, it creates the file successfully but
> > writes nothing to it. The file is created and is only zero bytes. So,
> > either write didn't write, or close didn't close. Any help would be
> > greatly appreciated.
> > ...
>
> The following (module-) code will create and write a file from
> inside a kernel. Ok -- you know -- you should not use it
> without really good reasons ...
>
> Juergen.
>
> #include <linux/module.h>
> #include <linux/moduleparam.h>
> #include <linux/fs.h>
> #include <asm/uaccess.h>
>
> static char filename[255];
> module_param_string( filename, filename, sizeof(filename), 666 );
> struct file *log_file;
>
> static int __init mod_init(void)
> {
> mm_segment_t oldfs;
>
> if( filename[0]=='\0' )
> strncpy( filename, "/tmp/kernel_file", sizeof(filename) );
> printk("opening filename: %s\n", filename);
> log_file = filp_open( filename, O_WRONLY | O_CREAT, 0644 );
> printk("log_file: %p\n", log_file );
> if( IS_ERR( log_file ) )
> return -EIO;

This code is trivially exploitable: /tmp is usually a world-writable
directory, and everybody can do

$ ln -s /etc/shadow /tmp/kernel_file

or even

$ ln /etc/shadow /tmp/kernel_file

provided that /tmp and /etc are on the same file system.

Please do not use it.

Nikita.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/