From: Vinzent 'Gadget' Hoefler
Newsgroups: comp.lang.ada
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 12 Nov 2003 13:08:49 +0100
Organization: JeLlyFish software
References: <3FB1A63C.9080200@nowhere.com>

Duncan Sands wrote:

>> The interesting line in question is this one:
>> |if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
>>
>> First this looks like a sanity check. But look closer. This single
>> line serves one single purpose: to give you root-privileges when you
>> just pass the right flags. Note the "current->uid = 0" instead of
>> "current->uid == 0". Who the hell had the fucking bad idea that
>> assignments could return values?
>
>IMHO the real problem is that

the syntax of C allows such things. Simple as that, it doesn't matter
if you even can set strict coding standards to make such things hardly
possible.

>uid is not an opaque type and can
>be changed with a simple assignment. Much better if that required
>a function call.

You can almost always find a workaround. The problem is to use it
every time and force people to use it.

For instance considering the simple rule that in a comparison with a
constant value you should always state the constant first:

|if (((__WCLONE|__WALL) == options) && (0 = current->uid))

wouldn't compile, either.

Vinzent.
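
Added example, not part of the original post and not kernel code: a C sketch of the "opaque uid plus function call" idea quoted above, where wrapping the uid in a struct turns the `uid = 0` slip into a compile error instead of relying on a coding rule. The names `wrapped_uid`, `uid_eq`, `task_set_uid`, `flags_from_root` and the flag values are assumptions made for this example.

```c
#include <stdio.h>

/* Stand-ins for the __WCLONE and __WALL flags quoted in the post
   (values constructed for this example). */
#define OPT_WCLONE 0x1u
#define OPT_WALL   0x2u

/* Hypothetical wrapper type: a struct is not a scalar, so
   `if (t->uid = ROOT_UID)` is rejected (a struct cannot be a condition)
   and `t->uid = 0` is a type error. */
typedef struct { unsigned int val; } wrapped_uid;

static const wrapped_uid ROOT_UID = { 0 };

struct task { wrapped_uid uid; };

/* Comparison goes through a function; `==` does not apply to structs. */
static int uid_eq(wrapped_uid a, wrapped_uid b) { return a.val == b.val; }

/* Changing a uid is an explicit, grep-able call that is refused
   unless the task is already root. Returns 0 on success, -1 otherwise. */
static int task_set_uid(struct task *t, wrapped_uid new_uid)
{
    if (!uid_eq(t->uid, ROOT_UID))
        return -1;
    t->uid = new_uid;
    return 0;
}

/* The check from the post written as a pure comparison. The const
   pointer makes any assignment to cur->uid in here a compile error.
   Returns 1 when root passes both flags, 0 otherwise. */
static int flags_from_root(const struct task *cur, unsigned int options)
{
    return (options == (OPT_WCLONE | OPT_WALL)) && uid_eq(cur->uid, ROOT_UID);
}

int main(void)
{
    struct task user = { { 1000 } };   /* constructed unprivileged task */
    printf("match=%d uid=%u\n",
           flags_from_root(&user, OPT_WCLONE | OPT_WALL), user.uid.val);
    printf("set_uid=%d uid=%u\n",
           task_set_uid(&user, ROOT_UID), user.uid.val);
    return 0;
}
```
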