From: Vinzent 'Gadget' Hoefler <ada.rocks@jlfencey.com>
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 12 Nov 2003 08:18:27 +0100
Date: 2003-11-12T08:18:27+01:00 [thread overview]
Message-ID: <bosmuu$1hui4o$1@ID-175126.news.uni-berlin.de> (raw)
In-Reply-To: pan.2003.11.12.05.13.39.401308@Smoke
J Cusick wrote:
>On Wed, 12 Nov 2003 04:26:44 +0000, Stephane Richard wrote:
>
>> For some reason, I can't open that link you posted here..
>
>The Register site seems to be down at the moment... The link is good.
>
>The article discusses the fact that someone tried to slide in a C line
>(actually 2 lines) that trashed the tcp stack allowing a negative offset
No. It is worse than that.
The interesting line in question is this one:
|if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
First this looks like a sanity check. But look closer. This single
line serves one single purpose: to give you root-privileges when you
just pass the right flags. Note the "current->uid = 0" instead of
"current->uid == 0". Who the hell had the fucking bad idea that
assignments could return values?
Let's stretch the example and imagine, it was just a simple typo of a
tired programmer who wrote the PIN-code checking routine for an ATM
and it slipped through the review...
Vinzent.
next prev parent reply other threads:[~2003-11-12 7:18 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-11-12 3:17 C's trikery semantic opens up backdoor in new Linux kernel Adrian Hoe
2003-11-12 4:26 ` Stephane Richard
2003-11-12 5:13 ` J Cusick
2003-11-12 7:18 ` Vinzent 'Gadget' Hoefler [this message]
2003-11-12 7:50 ` Duncan Sands
2003-11-12 12:08 ` Vinzent 'Gadget' Hoefler
2003-11-12 13:38 ` Duncan Sands
2003-11-12 14:09 ` Vinzent 'Gadget' Hoefler
2003-11-13 21:04 ` Craig Carey
2003-11-14 6:45 ` Freejack
2003-11-14 8:33 ` Erlo Haugen
2003-11-14 9:44 ` Vinzent 'Gadget' Hoefler
2003-11-14 10:16 ` Dmitry A. Kazakov
2003-11-25 10:06 ` Craig Carey
2003-11-25 11:20 ` Dmitry A. Kazakov
2003-11-14 15:31 ` Robert I. Eachus
2003-11-14 13:12 ` Georg Bauhaus
2003-11-14 13:31 ` Duncan Sands
2003-11-14 14:56 ` Vinzent 'Gadget' Hoefler
2003-11-14 15:08 ` Georg Bauhaus
2003-11-14 15:38 ` Duncan Sands
2003-11-14 17:57 ` Georg Bauhaus
2003-11-14 15:47 ` Robert I. Eachus
2003-11-14 16:38 ` Vinzent 'Gadget' Hoefler
2003-11-19 4:13 ` Dave Thompson
2003-11-21 15:34 ` Martin Krischik
2003-11-23 2:20 ` Hyman Rosen
2003-11-27 4:22 ` Dave Thompson
2003-11-28 14:01 ` Hyman Rosen
2003-11-12 17:37 ` tmoran
2003-11-12 18:03 ` Warren W. Gay VE3WWG
2003-11-12 8:51 ` Adrian Hoe
2003-11-12 12:32 ` Preben Randhol
2003-11-13 5:50 ` Chad R. Meiners
2003-11-12 22:59 ` Wes Groleau
2003-11-14 3:31 ` Adrian Hoe
2003-11-14 11:00 ` Dmytry Lavrov
2003-11-15 5:00 ` Adrian Hoe
2003-11-15 5:02 ` Adrian Hoe
2003-11-16 11:29 ` Dmytry Lavrov
2003-11-17 17:07 ` Warren W. Gay VE3WWG
2003-11-16 11:35 ` Dmytry Lavrov
2003-11-15 19:30 ` Wes Groleau
2003-11-12 8:52 ` Adrian Hoe
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox