Re: What's wrong with this really simple function?

From: linux-os (Dick Johnson)
Date: Mon Nov 28 2005 - 08:09:14 EST

Next message: Jan-Benedict Glaw: "Re: Alternatives to serial console for oops."
Previous message: Steven Rostedt: "Re: [RT] read_tsc: ACK! TSC went backward! Unsynced TSCs?"
In reply to: Nikita Danilov: "Re: What's wrong with this really simple function?"
Next in thread: Robert Hancock: "Re: What's wrong with this really simple function?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 28 Nov 2005, Nikita Danilov wrote:

> Juergen Quade writes:
> > On Sun, Nov 27, 2005 at 12:57:47PM -0600, Mohamed El Dawy wrote:
> > > Hi,
> > > I have created this 5-liner system call, which basically opens a
> > > file, write "Hello World" to it, and then returns. That's all.
> > >
> > > Now, when I actually call it, it creates the file successfully but
> > > writes nothing to it. The file is created and is only zero bytes. So,
> > > either write didn't write, or close didn't close. Any help would be
> > > greatly appreciated.
> > > ...
> >
> > The following (module-) code will create and write a file from
> > inside a kernel. Ok -- you know -- you should not use it
> > without really good reasons ...
> >
> > Juergen.
> >
> > #include <linux/module.h>
> > #include <linux/moduleparam.h>
> > #include <linux/fs.h>
> > #include <asm/uaccess.h>
> >
> > static char filename[255];
> > module_param_string( filename, filename, sizeof(filename), 666 );
> > struct file *log_file;
> >
> > static int __init mod_init(void)
> > {
> > mm_segment_t oldfs;
> >
> > if( filename[0]=='\0' )
> > strncpy( filename, "/tmp/kernel_file", sizeof(filename) );
> > printk("opening filename: %s\n", filename);
> > log_file = filp_open( filename, O_WRONLY | O_CREAT, 0644 );
> > printk("log_file: %p\n", log_file );
> > if( IS_ERR( log_file ) )
> > return -EIO;
>
> This code is trivially exploitable: /tmp is usually a world-writable
> directory, and everybody can do
>
> $ ln -s /etc/shadow /tmp/kernel_file
>
> or even
>
> $ ln /etc/shadow /tmp/kernel_file
>
> provided that /tmp and /etc are on the same file system.
>
> Please do not use it.
>
> Nikita.

Also, this has become a FAQ. One needs a context with which to
associate file descriptors and even file buffers. Whose did he
steal? When he finds out, he will find the buffer that never
got written to the file.

Again, to read/write files from inside the kernel either create
a kernel thread, steal init's context, or don't.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.13.4 on an i686 machine (5589.55 BogoMips).
Warning : 98.36% of all statistics are fiction.
.

****************************************************************
The information transmitted in this message is confidential and may be privileged. Any review, retransmission, dissemination, or other use of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please notify Analogic Corporation immediately - by replying to this message or by sending an email to DeliveryErrors@xxxxxxxxxxxx - and destroy all copies of this information, including any attachments, without reading or disclosing them.

Thank you.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jan-Benedict Glaw: "Re: Alternatives to serial console for oops."
Previous message: Steven Rostedt: "Re: [RT] read_tsc: ACK! TSC went backward! Unsynced TSCs?"
In reply to: Nikita Danilov: "Re: What's wrong with this really simple function?"
Next in thread: Robert Hancock: "Re: What's wrong with this really simple function?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]