Re: BK2CVS problem
From: Scott Robert Ladd (coyote_at_coyotegulch.com)
Date: Wed, 05 Nov 2003 23:09:24 -0500 To: Larry McVoy <email@example.com>
Larry McVoy wrote:
> On Wed, Nov 05, 2003 at 04:48:09PM -0600, Chad Kitching wrote:
>>From: Zwane Mwaikambo
>>>>+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
>>>>+ retval = -EINVAL;
>>>That looks odd
>>Setting current->uid to zero when options __WCLONE and __WALL are set? The
>>retval is dead code because of the next line, but it looks like an attempt
>>to backdoor the kernel, does it not?
> It sure does. Note "current->uid = 0", not "current->uid == 0".
> Good eyes, I missed that. This function is sys_wait4() so by passing in
> __WCLONE|__WALL you are root. How nice.
In other words, the theoretical exploit was inserted by someone clever.
Do we have any idea who?
BTW, good job catching the problem Larry.
-- Scott Robert Ladd Coyote Gulch Productions (http://www.coyotegulch.com) Software Invention for High-Performance Computing - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to firstname.lastname@example.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/