Re: BK2CVS problem

[Andreas Dilger]

On Nov-05 2003, Wed, 15:03 -0800
Larry McVoy <lm@xxxxxxxxxxxx> wrote:

> > > > +       if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
> > > > +                       retval = -EINVAL;
> > > 
> > > That looks odd
> > 
> > Setting current->uid to zero when options __WCLONE and __WALL are set?
> > The retval is dead code because of the next line, but it looks like an
> > attempt to backdoor the kernel, does it not?
> 
> It sure does.  Note "current->uid = 0", not "current->uid == 0". 
> Good eyes, I missed that.  This function is sys_wait4() so by passing in
> __WCLONE|__WALL you are root.  How nice.

First of all, thanks Larry for detecting this.  Your paranoia that made
you add extra checks on the export of data (also evident in the BK
checksums everywhere) probably saved Linux as a whole a lot of grief.  

Had something like this been submarined into the kernel without any
review it might have taken a good while to find, even though it wasn't
in the BK repository itself.  Are the incremental kernel patches on
kernel.org or anything else built from the BKCVS gateway?

Granted that this was not a break in BK itself the event is still alarming.
It makes me wonder if there is some way we can start using GPG signatures
with BK itself so that you can get proof-positive that a CSET annotated
as from davem really is from the David Miller we know and trust.

Cheers, Andreas
--
Andreas Dilger
http://sourceforge.net/projects/ext2resize/
http://www-mddsp.enel.ucalgary.ca/People/adilger/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/