Re: VT switching (Was: SECURITY: Kill process when on console)

Peter Benie (pjb1008@cam.ac.uk)
Tue, 21 Apr 1998 12:35:17 +0100


Pavel Machek writes ("Re: VT switching (Was: SECURITY: Kill process when on console)"):
>
> > > Well, I'll be happy to fix the kernel side. The X side is a problem for me.
> >
> > At the end of the X-server initialisation routine, the X-server has:
> > a) chosen and opened a free VT or
> > opened the VT specified on the command line,
> > b) put the VT into VT_PROCESS mode,
> > c) arranged for a signal handler to be called on VT changes, and
> > d) activated the VT.
> >
>
> OK, I have some experimental code for you. It's a kernel patch. (Sorry,
> I'm not pushing it into the kernel until it proves usable).

[patch - snipped]

The patch is missing a change to vt_kern.h (addition of vt_uid to
struct vt_struct).

> /*
> + * This should obsolete VT_OPENQRY: as it allocates console, it
> + * avoids race. <pavel@ucw.cz>
> + */
> + case VT_OPENALLOC:
> + for (i = 0; i < MAX_NR_CONSOLES; ++i)
> + if (! VT_IS_IN_USE(i))
> + break;
> + ucval = i < MAX_NR_CONSOLES ? (i+1) : -1;
> + if (ucval != -1)
> + ucval = vc_allocate(ucval) ? -1 : ucval;
> + goto setint;
> +
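
Review bot: The free-slot test in the VT_OPENALLOC loop uses index i (VT_IS_IN_USE(i)), but the allocation is made on ucval, which by then holds i+1. If vc_allocate() takes the same zero-based index as VT_IS_IN_USE(), the console that gets allocated is the one after the slot that was found free. Suggest calling vc_allocate(i) and only then setting the return value to i+1. The result should also be held in an int rather than in ucval, so that the -1 error value reaches the caller through setint unchanged.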

This isn't quite right. ucval is an unsigned char. When ucval is
assigned -1, it becomes 255 (assuming 2's complement).
When it is compared with -1, it is extended to an integer first, so
(ucval != -1) is always true, and it always allocates a VC.

Even if it did fail properly, the code then jumps to setint:, which
calls put_user(ucval, (int *)arg) to put (int)255 into *arg. The
X-server compares it with -1, decides that there wasn't an error,
and tries to open /dev/tty255.

-- 
Peter Benie, Unix Support, University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG  +44 1223 34728
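
The failure described in this message, as an added example that is not part of the original post or of the kernel patch: a userspace C model of the VT_OPENALLOC logic with the result held in an unsigned char, beside the same logic using an int. The console table, `fake_vc_allocate`, `set_all_consoles`, `first_free` and the value 63 for `MAX_NR_CONSOLES` are assumptions made for the illustration.

```c
#include <stdio.h>
#define MAX_NR_CONSOLES 63            /* name from the patch; value assumed */
static int in_use[MAX_NR_CONSOLES];   /* constructed stand-in for VT_IS_IN_USE() */
int alloc_calls;                      /* allocation attempts made so far */
static int fake_vc_allocate(int n)    /* hypothetical stub: 0 means success */
{
    alloc_calls++;
    if (n < 1 || n > MAX_NR_CONSOLES || in_use[n - 1])
        return 1;
    in_use[n - 1] = 1;
    return 0;
}
void set_all_consoles(int used)       /* reset the constructed state */
{
    for (int i = 0; i < MAX_NR_CONSOLES; ++i)
        in_use[i] = used;
    alloc_calls = 0;
}
static int first_free(void)           /* MAX_NR_CONSOLES when none is free */
{
    int i = 0;
    while (i < MAX_NR_CONSOLES && in_use[i])
        ++i;
    return i;
}

int openalloc_buggy(void)             /* control flow of the quoted hunk */
{
    int i = first_free();
    unsigned char ucval = i < MAX_NR_CONSOLES ? (i + 1) : -1; /* -1 becomes 255 */
    if (ucval != -1)                  /* promoted to int 255: always true */
        ucval = fake_vc_allocate(ucval) ? -1 : ucval;
    return ucval;                     /* the int the caller would read */
}

int openalloc_fixed(void)             /* same flow, int result keeps -1 intact */
{
    int i = first_free();
    int val = i < MAX_NR_CONSOLES ? (i + 1) : -1;
    if (val != -1 && fake_vc_allocate(val))
        val = -1;
    return val;
}

int main(void)
{
    set_all_consoles(1);              /* every console busy */
    printf("buggy=%d fixed=%d\n", openalloc_buggy(), openalloc_fixed());
    return 0;
}
```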
