[274] in linux-security and linux-alert archive
Any user can send a SIGURG to any process
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Thu Jul 6 16:17:18 1995
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 6 Jul 1995 17:09:47 +0200 (MET DST)
There is a security hole in the kernel (up to 1.2.11, probably 1.3.x too)
- any user can send a SIGURG to any process.
I wrote a program to exploit this - it wasn't really hard to write :) -
but I'm not sure if it is OK to post it here... See below for a fix.
Marek Michalkiewicz
----------
diff -urN v1.2.11/linux/net/inet/af_inet.c linux/net/inet/af_inet.c
--- v1.2.11/linux/net/inet/af_inet.c Tue Jun 13 15:18:50 1995
+++ linux/net/inet/af_inet.c Wed Jul 5 16:00:19 1995
@@ -1260,6 +1260,7 @@
{
struct sock *sk=(struct sock *)sock->data;
int err;
+ int tmp;
switch(cmd)
{
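Review bot: `int tmp;` gives no hint of what the variable holds. In the second hunk it carries the requested owner, compared as a pid and, negated, as a process group id, so a name such as `owner` would make the later check easier to read. In the lines shown it is only used in the one case that assigns `sk->proc`, so it could also be declared in a braced block inside that case instead of at function scope.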
@@ -1268,7 +1269,11 @@
err=verify_area(VERIFY_READ,(int *)arg,sizeof(long));
if(err)
return err;
- sk->proc = get_fs_long((int *) arg);
+ tmp = get_fs_long((int *) arg);
+ /* see inet_fcntl */
+ if (current->pid != tmp && current->pgrp != -tmp && !suser())
+ return -EPERM;
+ sk->proc = tmp;
return(0);
case FIOGETOWN:
case SIOCGPGRP:
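Review bot: The added check also rejects a request of 0 from an unprivileged caller: with `tmp == 0`, both `current->pid != tmp` and `current->pgrp != -tmp` hold for an ordinary process, so the call returns -EPERM unless `suser()` is true. If 0 is meant to clear the owner, a process can no longer turn off SIGURG delivery for its own socket; consider letting that value through, for example `if (tmp != 0 && current->pid != tmp && current->pgrp != -tmp && !suser())`. The comment `/* see inet_fcntl */` points at a second copy of the rule that is not part of this patch, so stating the rule here in one line (the owner must be the caller's own pid or process group unless the caller is superuser) would help keep the two copies from drifting apart.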
----------