Huh, I'm still baffled here. Just by changing uid, you don't suddenly
lose the privilege of reading your own memory. You don't need to
exploit a bug to read your own memory. Or am I misunderstanding
the bug? It was said:
> > > I checked out the behaviour of a read of /dev/full, and found it
> > > rather intriguing. It will return a successful read without modifying
> > > the user-space buffer at all.
But isn't the "user-space buffer" just the "buffer" up above? I.e., not
some other process's memory, but your own memory.
The "setuid(getuid())" baffles me as well. If you had the extra
privilege, you could have just exploited that fact without changing
resetting the uid... And there is no such thing, really, as a
"privileged portion of the program", either the whole program is
setuid, or none of it is.