Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

Linus Torvalds (torvalds@transmeta.com)
Tue, 4 Aug 1998 14:52:25 -0700 (PDT)


On Tue, 4 Aug 1998 dgaudet-list-linux-kernel@arctic.org wrote:
>
> libc is remapped by the patch so that the most significant byte of the
> addresses is 0. Thus you're able to form exactly one libc address for
> pretty much all string operations. That makes it a little more
> challenging to set up the stack.

Not really. You're attacking some known broken version of some specific
program anyway ("ftpd" or whatever - you need a point of contact), which
means that you're by no means limited to libc entrypoints.

I chose libc mainly because it's the obvious choice, but your example
makes it just all the more clear that the whole approach of the patch is
not to fix real problems, but to fix specific attacks that really should
have been fixed in the binary.

Linus
