On Friday, December 16, 2011, Greg Smith wrote:

> On 12/16/2011 08:42 AM, Robert Haas wrote:
>> the proposed patch would potentially result - in the extremely unlikely
>> event of a
>> super-fast PID wraparound - in someone cancelling a query they
>> otherwise wouldn't have been able to cancel.
> So how might this get exploited?
> -Attach a debugger and put a breakpoint between the check and the kill

Once you've attached a debugger, you've already won. You can inject
arbitrary instructions at this point, no?

> -Fork processes to get close to your target
> -Wait for a process you want to mess with to appear at the PID you're
> waiting for.  If you miss it, repeat fork bomb and try again.
> -Resume the debugger to kill the other user's process
> If I had enough access to launch this sort of attack, I think I'd find
> mayhem elsewhere more a more profitable effort.  Crazy queries, work_mem
> abuse, massive temp file generation, trying to get the OOM killer involved;
> seems like there's bigger holes than this already.

"killall -9 postgres" is even easier.


Reply via email to