F_SETOWN...

Ricky Beam (root@defiant.interpath.net)
Sun, 22 Nov 1998 15:09:40 -0500 (EST)


I'll assume no one else has seen this...
<URL:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199811/shits.c.html>

Basically, it's a way to "trick" the kernel into sending SIGIO to any process.

fs/fcntl.c:161... (2.1.126)
    case F_SETOWN:
        err = 0;
        filp->f_owner.pid = arg;
        filp->f_owner.uid = current->uid;
        filp->f_owner.euid = current->euid;
        if (S_ISSOCK (filp->f_dentry->d_inode->i_mode))
            err = sock_fcntl (filp, F_SETOWN, arg);
        break;

Does no one else think that's just a little on the brain-damaged side? No
sanity checks whatsoever in handing a filedesc to an arbitrary process
number... no permissions check, no pid check, nothing.

include/asm/fcntl.h...
#define F_SETOWN 8 /* for sockets. */
#define F_GETOWN 9 /* for sockets. */
#define F_SETSIG 10 /* for sockets. */
#define F_GETSIG 11 /* for sockets. */

If they are "for sockets", then why isn't there any check to see that the
filp actually is a socket before screwing with it? In fact, why isn't it
in net/core/sock.c under sock_fcntl? And then why doesn't it set the uids
to match arg?

All very interesting questions.

--Ricky

"This business is like the tobacco business. I wouldn't smoke for love or money
but by god I'll sell the shit outa it..." -- Virgil Wall (re: Windows)
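The sanity check the post calls for, as an added example (my code, not the kernel's and not the exploit's): a user-space model of F_SETOWN that refuses a target pid the caller could not signal, assuming a constructed task table, a kill(2)-style permission rule and the hypothetical names setown_checked/may_signal.

```c
/* Added example, not kernel code: a user-space model of the check the post
 * says F_SETOWN lacks.  Struct names, the task table and the rule (kill(2)'s:
 * root, or a real/effective uid matching the target's real or saved uid) are
 * assumptions; process groups (negative arg) are out of scope. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
struct task { pid_t pid; uid_t uid, euid, suid; };  /* what the check needs */
struct fown { pid_t pid; uid_t uid, euid; };        /* f_owner fields in fcntl.c */
/* Constructed process table: init, a process of uid 500, one of uid 501. */
static const struct task tasks[] = {
    { 1, 0, 0, 0 }, { 1000, 500, 500, 500 }, { 2000, 501, 501, 501 },
};

static const struct task *find_task(pid_t pid)
{
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}
/* The test kill(2) applies before it will deliver a signal. */
static bool may_signal(const struct task *c, const struct task *t)
{
    return c->euid == 0 || c->euid == t->uid || c->euid == t->suid ||
           c->uid == t->uid || c->uid == t->suid;
}

/* F_SETOWN with the missing sanity check: refuse to point f_owner at a
 * pid the caller could not signal directly.  Returns 0 or -errno. */
int setown_checked(struct fown *owner, pid_t caller_pid, pid_t arg)
{
    const struct task *caller = find_task(caller_pid), *target = find_task(arg);
    if (!caller || !target) return -ESRCH;
    if (!may_signal(caller, target)) return -EPERM;
    owner->pid = arg;                  /* the three stores fcntl.c already does */
    owner->uid = caller->uid;
    owner->euid = caller->euid;
    return 0;
}

int main(void)
{
    struct fown o = { 0, 0, 0 };
    printf("uid 500 -> own pid: %d\n", setown_checked(&o, 1000, 1000)); /* 0 */
    printf("uid 500 -> uid 501: %d\n", setown_checked(&o, 1000, 2000)); /* -EPERM */
    printf("root    -> uid 501: %d\n", setown_checked(&o, 1, 2000));    /* 0 */
    return 0;
}
```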

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/