Re: BK2CVS problem

From: Scott Robert Ladd
Date: Wed Nov 05 2003 - 23:13:33 EST


Larry McVoy wrote:
On Wed, Nov 05, 2003 at 04:48:09PM -0600, Chad Kitching wrote:

From: Zwane Mwaikambo

+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+ retval = -EINVAL;

That looks odd


Setting current->uid to zero when options __WCLONE and __WALL are set? The retval is dead code because of the next line, but it looks like an attempt
to backdoor the kernel, does it not?


It sure does. Note "current->uid = 0", not "current->uid == 0". Good eyes, I missed that. This function is sys_wait4() so by passing in
__WCLONE|__WALL you are root. How nice.

In other words, the theoretical exploit was inserted by someone clever. Do we have any idea who?

BTW, good job catching the problem Larry.


--
Scott Robert Ladd
Coyote Gulch Productions (http://www.coyotegulch.com)
Software Invention for High-Performance Computing

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/