It seems to me like we got a small security hole: when sitting on
console, you can send signal to newly created process (owned by
anyone). How?
Let's see:
case VT_SETMODE:
{
struct vt_mode tmp;
if (!perm)
return -EPERM;
if (copy_from_user(&tmp, (void*)arg, sizeof(struct
vt_mode)))
return -EFAULT;
if (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS)
return -EINVAL;
vt_cons[console]->vt_mode = tmp;
/* the frsig is ignored, so we set it to 0 */
vt_cons[console]->vt_mode.frsig = 0;
vt_cons[console]->vt_pid = current->pid;
/* no switch is required -- saw@shade.msu.ru */
vt_cons[console]->vt_newvt = -1;
return 0;
}
Ok. So we do process, which will VT_SETMODE and register its pid, and
register signal of our choice, then exit. Now, we'll wraps pid's
around. And now, we can force that signal to _our_ pid... Which is not
our any more! Only thing we have to do is switch consoles!
/*
* Send the signal as privileged - kill_proc() will
* tell us if the process has gone or something else
* is awry
*/
if (kill_proc(vt_cons[new_console]->vt_pid,
vt_cons[new_console]->vt_mode.acqsig,
1) != 0)
{
Pavel
-- I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu